DNS TXT Records Can Be Used by Hackers to Execute Malware
A DNS TXT record lets domain administrators place arbitrary text in DNS. It was originally intended for human-readable notes, but today it serves several functions, such as:
- Spam prevention
- Domain ownership verification
Spam email senders spoof domains to evade detection, and receiving mail servers verify senders using the DNS TXT record as a key component.
Domain owners can likewise prove ownership by adding a TXT record with the required value or by modifying an existing one.
AhnLab's ASEC has confirmed the use of DNS TXT records in malware execution, an uncommon method that is worth knowing for detection and analysis purposes.
Malware Execution Using DNS TXT Records
The malware uses DNS TXT records differently, closer to their original purpose of storing data in DNS, rather than for the functions mentioned above.
A phishing email included a fake “Notify Inquiry” attachment in the form of a PowerPoint add-in (PPAM) file. PPAM files can contain user-defined macros and VBA code, and running the PowerPoint macro launched the nslookup command-line tool through PowerShell.
Inside the PPAM file, the macro code is simple: when executed, it runs PowerShell, which calls nslookup to query a DNS TXT record. The threat actor placed the command for the next stage of the attack in that DNS TXT record.
The threat actor's multiple attempts at spawning child processes suggest an evasion technique aimed at anti-malware solutions and related products.
Analyzing the DNS TXT record of the threat actor's server (abena-dk[.]cam) reveals unusual data output that deviates from ordinary DNS TXT record usage.
It suggests that the threat actor experimented with subdomains, executed the calculator (calc.exe), and used VBScript (.vbs) files instead of JavaScript (.js) files.
The threat actor used an uncommon method: uploading PowerShell commands to their DNS TXT record so that they are executed once an nslookup query retrieves them.
This method differs from the traditional practice of writing PowerShell commands directly in the macro code, and it allowed the malware to be executed.
After being saved as meth.js, the methewPayload.js file's PowerShell URL is used with wscript.exe to execute it, and it then downloads a Base64-encoded DLL binary from an external URL.
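The chain above (Office macro, PowerShell, nslookup TXT query, wscript.exe running a .js file) and the contrast with ordinary SPF/DKIM/DMARC records suggest two defender-side checks. The following is an added example, not code from the ASEC report or this article: a triage function for TXT record values and a rule set over constructed process-creation events; the domain, file names and rule names are placeholders chosen for illustration.

```python
import re

# TXT record prefixes expected in a healthy zone (SPF, DKIM, DMARC, ownership tokens).
LEGIT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
# Script and LOLBin tokens that have no business in a TXT record.
SCRIPT_RE = re.compile(r"powershell|wscript|cscript|\biex\b|invoke-expression|"
                       r"\bcmd(\.exe)?\b|\.vbs\b|\.js\b|calc\.exe|downloadstring", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long encoded blob

def classify_txt(value: str) -> str:
    """Triage one TXT value: legitimate / suspicious:script / suspicious:encoded / unknown."""
    v = value.strip().strip('"')
    if v.lower().startswith(LEGIT_PREFIXES):
        return "legitimate"
    if SCRIPT_RE.search(v):
        return "suspicious:script"
    if BASE64_RE.search(v):
        return "suspicious:encoded"
    return "unknown"

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
HOSTS = {"wscript.exe", "cscript.exe"}

def flag_process_chain(events):
    """(rule, pid) hits for the Office -> shell -> nslookup TXT -> script-host chain.
    events: dicts with pid, ppid, image, cmdline, e.g. from Sysmon event ID 1."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        pimg = by_pid.get(e["ppid"], {}).get("image", "").lower()  # parent image name
        img, cl = e["image"].lower(), e["cmdline"].lower()
        if pimg in OFFICE and img in SHELLS | HOSTS:
            hits.append(("office_spawns_script_host", e["pid"]))
        if pimg in SHELLS and (img == "nslookup.exe" and re.search(r"-(q|qt|type|querytype)=txt", cl)
                               or img in SHELLS and "resolve-dnsname" in cl and "txt" in cl):
            hits.append(("shell_queries_dns_txt", e["pid"]))
        if pimg in SHELLS and img in HOSTS and re.search(r"\.(js|vbs)\b", cl):
            hits.append(("shell_launches_script_file", e["pid"]))
    return hits

# Constructed sample events; the domain and path are placeholders, not report indicators.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "POWERPNT.EXE", "cmdline": "POWERPNT.EXE inquiry.ppam"},
    {"pid": 2, "ppid": 1, "image": "powershell.exe", "cmdline": 'powershell -w hidden -c "nslookup -q=txt txt-c2.example"'},
    {"pid": 3, "ppid": 2, "image": "nslookup.exe", "cmdline": "nslookup -q=txt txt-c2.example"},
    {"pid": 4, "ppid": 2, "image": "wscript.exe", "cmdline": r"wscript.exe C:\Users\Public\meth.js"},
]
```

Feeding real Sysmon or EDR process-creation records into flag_process_chain only needs the four fields shown; classify_txt can be run over the TXT answers your resolver logs return for newly seen domains.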
This malware type is not new; it originated from the hacking group Hagga (Aggah) and has been circulating since late 2021.
According to TTP analysis, the threat actor employed a range of techniques, including:
- Distributing documents with malicious macros
- Using particular .NET code components
- Employing the StrReverse function
- Downloading additional malicious files
- Executing additional malicious files
The downloaded file was identified as AgentTesla, a .NET-based infostealer.
Source credit : cybersecuritynews.com