DNSMessenger is a new fileless remote access trojan that uses DNS tunneling to conduct malicious powershell commands on compromised machines. It establishes bidirectional communication between infected machines and attackers through DNS TXT record queries and responses. The malware infects systems through a malicious word document delivered via phishing emails. It then establishes persistence through changes to the registry and installing a backdoor in the WMI database that periodically queries command and control servers for further instructions. Detection can be done through monitoring DNS traffic size and payload as well as blocking unsigned powershell scripts.

1. Copyright ©2017 CTM360® www.ctm360.com 1
Dependable Security as a Service
Severity: CRITICAL
DNSMESSENGER – REMOTE ACCESS TROJAN(RAT)
Reference: CTM-ADV-0317-01
Date: 7th March 2017
Threat Description
DNSMessenger is a new Remote Access Trojan that uses DNS Tunneling to conduct
malicious PowerShell commands on compromised machines. It has been identified
using DNS TXT record queries and responses to create a bidirectional Command and
Control (C2) channel which allows the attacker to submit new commands in
Powershell to run on infected machines and return the results back to the attacker.
Other malware which use DNS TXT records for command and control are Feederbot
and Motto which were detected in 2011.
This attack is completely fileless as it does not involve writing files to the target
machine but instead uses TXT messaging capabilities to fetch malicious PowerShell
commands stored as DNS TXT records. This ability provides invisibility against
standard anti-malware defenses. Fileless malware were earlier detected in February
that resides solely in the memory of compressed computers targeting banks,
telecoms and government organizations across 40 countries. The domains
registered by the DNSMessenger RAT are all down, so far, it is not known what types
of commands the attackers relayed to infected machines.
Operational Phases
There are two phases of operation. The first phase of operation is the deployment
of the dropper via an email phishing campaign followed by the second phase which
involves the actual attack. Currently there is not much focus on first phase of
operation which has been identified as the most crucial step in the attack campaign.
It must be understood that there is a high probability that if a dropper is detected
in the system/network, then the victim has already been breached in an earlier attack. The attackers have already gained
sufficient knowledge of victim’s details and credentials to attempt to dispatch the dropper.
Stages of Operations
Stage 1
The dropper has been identified as a malicious Microsoft word
document delivered to the victim through an email phishing
campaign. The word document is crafted to appear legitimate by
specifying that the word file secured by McAfee to increase chances
of the victim opening and enabling the macros. When the word file
is opened, it launches a Visual Basic for Applications(VBA) macro
which executes a self-contained PowerShell script that has basic
instructions to ensure persistence on the infected host by modifying
registry keys, checking PowerShell versions, and other operations.
CATEGORY
System Compromise, Machine Hijacking
THREAT TARGETS
All Organizations
POSSIBLE IMPACT
 Data Exfiltration
 Installation of Malware
 C&C of compromised endpoints
TARGET AUDIENCE FOR
CIRCULATION
 Administrators of internet-facing
infrastructure and services
 IT security team
For more information:
Email: monitor@ctm360.com
Tel: (+973) 77 360 360
Screenshot of the malicious word document

2. Copyright ©2017 CTM360® www.ctm360.com 2
Dependable Security as a Service
Severity: CRITICAL
Stage 2
The second stage involves the VBA script unpacking a compressed and sophisticated second stage of PowerShell to check
for several parameters of the target environment, like user privileges and PowerShell version running on the target machine.
This information is vital as it is used to ensure persistence on the infected machine by changing the Windows Registry and
installing a third stage PowerShell script that contains a backdoor which is added to the Windows Management
Instrumentation(WMI) database. Upon investigation, the malware also creates a scheduled task named ‘kernel32’ which
may change across different campaigns.
Stage 3
The backdoor is being added to the WMI database, if the victim does have administrative access, allowing the malware
backdoor to stay persistent on the system even after a reboot.
The backdoor is an additional script that establishes a sophisticated 2-way communications channel using DNS Queries. The
backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code. As part of those
requests, it retrieves the domain's DNS TXT record, which contains further PowerShell commands that are executed but
never written to the local machine.
The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record
queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to
determine what action to take next. For instance, the first subdomain is 'www' and a query response with a TXT record
containing 'www' will instruct the script to proceed. Other actions that may be taken are 'idle' and 'stop'.
Stage 4
This stage of operation consists of script queries that contacts the C2 servers via DNS TXT message requests. Commands
which are received, then executed via the Windows Command Line Processor with the output communicated back to the
C2 server. This allows the attacker to initiate executions of any Windows or application commands on the infected machine.
Indicators of Compromise(IOC)
Below are indicators of compromise that can be used to identify the attack
Hashes:
f9e54609f1f4136da71dbab8f57c2e68e84bcdc32a58cc12ad5f86334ac0eacf (SHA256)
f82baa39ba44d9b356eb5d904917ad36446083f29dced8c5b34454955da89174 (SHA256)
340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981 (SHA256)
7f0a314f15a6f20ca6dced545fbc9ef8c1634f9ff8eb736deab73e46ae131458 (SHA256)
Detection of Threat
 DNS tunneling can be detected by monitoring the size of DNS request and reply queries. It’s likely that tunneled
traffic will have more than 64 characters in DNS.
 Usage of updated IPS and IDS is another detection mechanism
 Large number of DNS TXT records in DNS server.
 New Entries detected by analyzing Domain History

3. Copyright ©2017 CTM360® www.ctm360.com 3
Dependable Security as a Service
Severity: CRITICAL
be5f4bfa35fc1b350d38d8ddc8e88d2dd357b84f254318b1f3b07160c3900750 (SHA256)
9b955d9d7f62d405da9cf05425c9b6dd3738ce09160c8a75d396a6de229d9dd7 (SHA256)
fd6e7fc11a325c498d73cf683ecbe90ddbf0e1ae1d540b811012bd6980eed882 (SHA256)
6bf9d311ed16e059f9538b4c24c836cf421cf5c0c1f756fdfdeb9e1792ada8ba (SHA256)
C2 Domains:
algew[.]me
aloqd[.]pw
bpee[.]pw
bvyv[.]club
bwuk[.]club
cgqy[.]us
cihr[.]site
ckwl[.]pw
cnmah[.]pw
coec[.]club
cuuo[.]us
daskd[.]me
dbxa[.]pw
dlex[.]pw
doof[.]pw
dtxf[.]pw
dvso[.]pw
dyiud[.]com
eady[.]club
enuv[.]club
eter[.]pw
fbjz[.]pw
fhyi[.]club
futh[.]pw
gjcu[.]pw
gjuc[.]pw
gnoa[.]pw
grij[.]us
gxhp[.]top
hvzr[.]info
idjb[.]us
ihrs[.]pw
jimw[.]club
jomp[.]site
jxhv[.]site
kjke[.]pw
kshv[.]site
kwoe[.]us
ldzp[.]pw
lhlv[.]club
lnoy[.]site
lvrm[.]pw
lvxf[.]pw
mewt[.]us
mfka[.]pw
mjet[.]pw
mjut[.]pw
mvze[.]pw
mxfg[.]pw
nroq[.]pw
nwrr[.]pw
nxpu[.]site
oaax[.]site
odwf[.]pw
odyr[.]us
okiq[.]pw
oknz[.]club
ooep[.]pw
ooyh[.]us
otzd[.]pw
oxrp[.]info
oyaw[.]club
pafk[.]us
palj[.]us
pbbk[.]us
ppdx[.]pw
pvze[.]club
qefg[.]info
qlpa[.]club
qznm[.]pw
reld[.]info
rnkj[.]pw
rzzc[.]pw
sgvt[.]pw
soru[.]pw
swio[.]pw
tijm[.]pw
tsrs[.]pw
turp[.]pw
ueox[.]club
ufyb[.]club
utca[.]site
vdfe[.]site
vjro[.]club
vkpo[.]us
vpua[.]pw
vqba[.]info
vwcq[.]us
vxqt[.]us
vxwy[.]pw
wfsv[.]us
wqiy[.]info
wvzu[.]pw
xhqd[.]pw
yamd[.]pw
yedq[.]pw
yqox[.]pw
ysxy[.]pw
zcnt[.]pw
zdqp[.]pw
zjav[.]us
zjvz[.]pw
zmyo[.]club
zody[.]pw
zugh[.]us
cspg[.]pw

4. Copyright ©2017 CTM360® www.ctm360.com 4
Dependable Security as a Service
Severity: CRITICAL
Recommendations
An organization infected could experience operational impacts including theft of
intellectual property (IP) and unsolicited access on machines. However, the actual impact
to any organization may vary depending on the type and number of systems impacted.
Following are the suggested recommendation:
 Implement traffic analyses and payload analysis techniques. Payload analysis can be
used to detect DNS tunneling using signatures based on attributes of individual DNS
payloads such as the FQDN contents. Payload analysis is most effective for detecting
known DNS tunneling utilities. The second detection technique, Traffic analysis can be
used to detect DNS tunneling based on characteristics of overall traffic. Using traffic
analysis, a universal DNS tunneling detector can be implemented.
 Rules must be configured to monitor a large number of DNS TXT reply for DNS queries
 Rules must be configured in SIEM to trigger if volume of DNS traffic from a source is
very high.
 Use the split horizon DNS concept so that internal addresses are dealt on a specific server; clients should use a proxy
server to connect out to the internet, and the proxy server resolves the external DNS for them. Some proxies also have
the capability to check the DNS information too.
 DNSTrap is a tool developed to detect DNS tunneling by using artificial neural network. In this tool, five attributes are
used to train an Artificial Neural Network (ANN) to detect tunnels: the domain name, how many packets are sent to a
particular domain, the average length of packets to that domain, the average number of distinct characters in the LLD,
and the distance between LLD’s.
 Monitor for any unusual use of powershell.exe and wsmprovhost.exe in the environment. If PowerShell is not in use,
then disable PowerShell overall. Keep in mind that PowerShell can be run without powershell.exe, such as through .NET
and the System.Management.Automation namespace.
 All internal legitimately used PowerShell scripts should be signed and all unsigned scripts should be blocked through
the execution policy.
References:
The Tale of DNSMessenger
http://blog.talosintelligence.com/2017/03/dnsmessenger.html
DNS Tunneling
https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
https://www.plixer.com/blog/network-security-forensics/what-is-dns-tunneling/
The increased use of PowerShell in Attacks
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
For more information:
Email: monitor@ctm360.com Tel: (+973) 77 360 360
Disclaimer
The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended
action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness and completeness. Consequently, under
NO condition shall CTM360®, its related partners, directors, principals, agents or employees be liable for any direct, indirect, accidental, special, exemplary, punitive,
consequential or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection
with this advisory.