Cisco’s Talos research department has analyzed malware that communicates via DNS. The so-called Dnmessenger Trojan can thus request PowerShell scripts from DNS TXT records to avoid detection.
In the analysis, the researchers write that the Trojan communicates with the attackers’ C2 server in this way. The malware is notable because this variant takes extensive steps to remain hidden. The Trojan is distributed using an infected Word document, which appears to be protected by McAfee software. For example, the file could be sent to a specific target in a phishing email.
The malware works with PowerShell to create a backdoor in the victim’s system. To achieve that, the malicious software first checks for administrative access and which version of PowerShell is running on the system. In the next phase, the Dnmessenger Trojan uses a random pre-programmed domain name for DNS requests. By retrieving the TXT record, the attackers can provide the Trojan with various commands.
The PowerShell commands contained in the TXT records allow the attacker to control Windows functions on the infected system. It is also possible to send the generated output of applications back via a DNS request. According to the researchers, such an attack is difficult to detect, because organizations often do not filter or inspect DNS traffic. This makes the technique suitable for targeted attacks.
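The detection gap the researchers describe (DNS rarely being filtered) can be narrowed by reviewing DNS resolver logs for the two traits this article attributes to the Trojan: TXT answers that carry an encoded payload, and a client repeatedly querying TXT records under one domain. The following is an added example, not Talos code and not the malware itself: it parses a constructed, simplified log format (timestamp|client_ip|qtype|qname|rdata) with a constructed placeholder domain, and flags long base64-looking TXT answers and per-client TXT bursts.

```python
"""Flag DNS TXT-record traffic that looks like command-and-control.

Added detection example (not from Talos). The log format, the
placeholder domain c2-placeholder.test and all sample lines below are
constructed for this example.
"""
import base64
import re
from collections import Counter

# A TXT answer that is entirely base64 alphabet and fairly long is unusual
# for legitimate records (SPF/DMARC/verification tokens contain '=', ';',
# spaces and are short), so treat it as a possible encoded payload.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_ENCODED_LEN = 64


def enc(text: str) -> str:
    """Base64-encode text; used only to build constructed sample answers."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample log: one benign client, one client showing both traits.
LONG = enc("Write-Output 'constructed sample payload for this added example'")
SHORT = enc("OK")
SAMPLE_LOG = "\n".join([
    "2017-03-02T10:00:01|10.0.0.5|A|www.example.com|93.184.216.34",
    "2017-03-02T10:00:02|10.0.0.5|TXT|_dmarc.example.com|v=DMARC1; p=none",
    f"2017-03-02T10:00:10|10.0.0.7|TXT|a1.c2-placeholder.test|{LONG}",
    f"2017-03-02T10:00:12|10.0.0.7|TXT|a2.c2-placeholder.test|{SHORT}",
    f"2017-03-02T10:00:14|10.0.0.7|TXT|a3.c2-placeholder.test|{SHORT}",
    f"2017-03-02T10:00:16|10.0.0.7|TXT|a4.c2-placeholder.test|{LONG}",
    f"2017-03-02T10:00:18|10.0.0.7|TXT|a5.c2-placeholder.test|{SHORT}",
])


def parse_line(line: str):
    """Split one log line into its five fields; return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, rdata = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."), "rdata": rdata}


def registered_domain(qname: str) -> str:
    """Crude registrable-domain cut (last two labels); a real deployment
    would use the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def looks_encoded(rdata: str, min_len: int = MIN_ENCODED_LEN) -> bool:
    """True if the TXT data is long, base64-shaped and actually decodes."""
    data = rdata.strip().strip('"')
    if len(data) < min_len or not BASE64_RE.match(data):
        return False
    try:
        base64.b64decode(data, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    return True


def analyze(log_text: str, txt_threshold: int = 5):
    """Return a list of alert dicts for encoded TXT answers and TXT bursts.

    The burst count covers the whole log for simplicity; in production it
    would be a sliding time window per (client, domain)."""
    alerts = []
    txt_counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        domain = registered_domain(rec["qname"])
        txt_counts[(rec["client"], domain)] += 1
        if looks_encoded(rec["rdata"]):
            alerts.append({"reason": "encoded_txt", "client": rec["client"],
                           "qname": rec["qname"], "ts": rec["ts"]})
    for (client, domain), count in txt_counts.items():
        if count >= txt_threshold:
            alerts.append({"reason": "txt_burst", "client": client,
                           "domain": domain, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the benign DMARC lookup from 10.0.0.5 produces nothing, while 10.0.0.7 yields two encoded_txt alerts (a1 and a4) and one txt_burst alert for c2-placeholder.test. The thresholds are deliberately tunable: verification tokens and large SPF records will occasionally trip the base64 check, so the burst count per domain is the stronger signal and the two together are what merit a look.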
The malicious Word file