Powershell Remote Access Trojan Uses DNS for 2-Way Communications with C2 Server

A new Powershell remote access Trojan has been identified by researchers at Cisco Talos. The memory-resident malware does not write any files to the hard drive and it uses a novel method of communicating with its C2, making it almost impossible to detect.

Infection occurs via a malicious Word document sent via email. Cisco Talos researchers said only 6 out of 54 AV engines recognized the malware.

If the document is opened, the user will be presented with a message saying the contents of the document have been protected. To view the document, the user must ‘enable content.’ The document contains the McAfee Secure logo, making it appear as if the file has been secured by a well-known security firm. The logo makes the document look official, increasing the likelihood of macros being enabled by end users.

If content is enabled, a VBA function will be called that contains the malicious code that runs the Powershell commands. At no point are any files written into the file system. The malware runs entirely in the memory.

The Powershell remote access Trojan is able to receive commands from the attacker’s C2 and send back responses detailing the outcome of commands that have been run. While these communications can often be detected by antimalware solutions, in this case the communications are difficult to identify as they occur through the DNS.

The DNS – or Domain Name System – is used to look up the IP addresses of domains that are entered into web browsers. The DNS also allows text queries to be sent and responses to be received. These DNS TXT queries and responses are used by the malware and the attackers to communicate. The same DNS TXT records are also used as part of the email authentication process using functions such as SPF, DMARC, and DKIM.

Many organizations monitor the content of emails and web traffic, but they do not monitor the content of DNS requests. Many antivirus and antimalware solutions only scan the file system, not the memory. Consequently, infection with this Powershell remote access Trojan is unlikely to be detected.

To identify infection with this Powershell remote access Trojan, an organization would need to monitor DNS content. Since the DNS TXT records will differ from normal DNS TXT records, the communications can be identified.

The easiest method of preventing infection is to disable macros. If macros cannot be disabled, they should be set not to run automatically when opening a document. End users should then be instructed never to enable macros unless they are 100% certain of the origin of the file.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news