Skip to content

Hide Navigation Hide TOC

DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab)

Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

Cluster A Galaxy A Cluster B Galaxy B Level
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT 1
DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 1
DNSMessenger (ee8ccb36-2596-43a3-a044-b8721dbeb2ab) RAT DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia 1
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
TEXTMATE - S0146 (4f6aa78c-c3d4-4883-9840-96ca2f5d6d47) Malware DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia 2
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware DNSMessenger (b376580e-aba1-4ac9-9c2d-2df429efecf6) Malpedia 2
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 2
POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern POWERSOURCE - S0145 (17e919aa-4a49-445c-b103-dbb8df9e7351) Malware 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3