Malware Execution Method Using DNS TXT Record

AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware.

This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware.

DNS TXT record is a feature that allows domain administrators to input text into the DNS. Originally intended for the purpose of entering human-readable notes, the DNS TXT record is now being used to display various types of information saved in the DNS, such as spam email prevention, domain ownership verification, and more.

A brief explanation of the two primary purposes of DNS TXT records, namely 1) spam email prevention and 2) domain ownership verification, is as follows:
Threat actors who send spam emails often attempt to disguise (spoof) the domain the spam is sent from. In such cases, the server receiving the email performs a verification process to determine if the email originated from a trusted source. The key element used in this process is the DNS TXT record.
Secondly, domain administrators can prove their ownership of a domain by uploading a TXT record containing specific information, or by modifying the existing TXT record.

However, the method of utilizing DNS TEXT records by the malware introduced in this post deviates slightly from the common direction mentioned above in which DNS TXT records are typically utilized. Instead, it can be considered closer to its original intended purpose of entering DNS-related information.

Figure 1. Phishing email containing a malicious PPAM file attachment

The threat actor attached a PowerPoint add-in (PPAM) file pretending to be an “Order Inquiry” in a phishing email. PPAM files are add-in files that can be executed on PowerPoint and contain special features such as user-defined macros and VBA code. When the PowerPoint macro is executed, it can be seen in the process tree below that the nslookup management tool is being executed through PowerShell.

Figure 2. Process tree from RAPIT, AhnLab’s automatic malware analysis infrastructure
Figure 3. Macro code in the PPAM file

As shown in Figure 3, the macro code that exists within the PPAM file is quite simple. Upon execution of the macro, a short command is performed where PowerShell is used to run the nslookup tool, and the DNS TXT record is queried afterward. Although the macro code is not obfuscated and the content of the code is very simple, there is a notable aspect worth mentioning: the threat actor had included the execution command for their next desired process within the DNS TXT record.

It can be assumed through this that the threat actor is making various attempts on child processes to evade detection by anti-malware products.

Generally, the query results for DNS TXT records are as follows.
Figure 4 displays the DNS TXT record result for AhnLab’s domain, showing the google-site-verification token and that the SPF record has been configured.

Figure 4. Query result for normal DNS TXT record

However, as shown in Figure 5, upon inspecting the DNS TXT record of the threat actor’s server (abena-dk[.]cam), a data output that differs significantly from the typical purposes of DNS TXT records can be observed. It can be inferred through this that the threat actor had created various subdomains and performed multiple tests, including executing a calculator (calc.exe) and utilizing VBScript (vbs) files instead of JavaScript (js) files.

Figure 5. nslookup result of the various subdomains that belong to the threat actor’s web server

The threat actor uploaded various commands on their DNS TXT record such as PowerShell commands, enabling them to be executed upon a DNS TXT record query being made through nslookup. Instead of simply writing a PowerShell command in the macro code, the threat actor used a novel method that incorporated the use of the nslookup tool to execute malware.

Subsequently, the methewPayload.js file in the PowerShell command’s URL is saved as meth.js before being executed through wscript.exe. The meth.js file downloads a Base64-encoded binary from another external URL through PowerShell.

Figure 6. Encoded PE stored in an external URL

The Base64-encoded data that can be acquired from the external URL is a DLL binary. It is not a newly discovered type of malware, but rather one created by a hacking group known as Hagga (Aggah), which has been circulating since the latter half of 2021. The threat actor was deduced through the overall tactics, techniques, and procedures (TTP), such as the initial distribution attempt involving documents files embedded with malicious macros, names of characteristic functions and variables that can be found in known .NET-based code, the use of the StrReverse function, and the way it downloads additional malicious files from an external source before executing them in the memory. The additionally downloaded malicious file has been identified as being a .NET-based Infostealer like AgentTesla.

V3 detects and blocks the malware introduced in the post using the aliases below.

[File Detection]
Downloader/PPT.MalQuery (2023.06.16.00)
Downloader/JS.Runner (2023.06.16.00)
Trojan/Win.Generic.R526355 (2022.10.12.00)
Trojan/Win.Injector.C4641320 (2021.09.22.01)

[Behavior Detection]
Execution/MDP.Powershell.M2514

[IOC]
f6b8a4c6ed15a1a17896797ce3fe2440
4a647e9baffe95acb9e2ec989b23808b
2a59f2a51b96d9364e10182a063d9bec
hxxp://abena-dk[.]cam
hxxp://calc.abena-dk[.]cam
hxxp://blessed.abena-dk[.]cam
hxxp://methew.abena-dk[.]cam
hxxps://bitbucket[.]org/mounmeinlylo/rikirollin/downloads/methewPayload.js
hxxps://bitbucket[.]org/mounmeinlylo/rikirollin/downloads/blessed_Payload.js
hxxps://bitbucket[.]org/mounmeinlylo/rikirollin/downloads/test_Payload.vbs
hxxps://firebasestorage.googleapis[.]com/v0/b/fir-8c14f.appspot.com/o/rumpe_js.txt?alt=media&token=0ebb3747-9f9d-427c-a6fd-d0c057ba176e

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Malware Execution Method Using DNS TXT Record appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/54916/