This blog was written by Brett Kelsey.
In early March, Cisco Systems’ Talos security team issued a detailed report on a newly discovered attack called DNSMessenger. The attack makes a skillful use of Windows PowerShell, DNS TXT and Microsoft Word macros to silently infect a victim’s computer without creating files. Known as “fileless malware,” this technique makes the infection nearly invisible to today’s standard anti-intrusion and anti-malware scanners. It’s an imaginative use of common system tools and protocols, and it highlights just how stealthy cybercriminals can be when executing targeted attacks.
DNSMessenger unfolds over several stages — infection, endpoint environment scanning, establishing bidirectional communications to the command and control server and achieving persistence via backdoors and Remote Access Trojans (RATs) — through its clever use of DNS TXT. DNS, or Domain Name System, is typically used to look up and establish connections to websites, but it can also be used to send additional information. In this case, it was used to facilitate bidirectional communications between the infected endpoint and the command and control server with unformatted text.
So how, exactly, does this attack unfold? Like many targeted spear phishing attacks, it starts with an infected document. In this case, it starts with an infected Microsoft Word document claiming to be protected by, well, McAfee. When a victim opens the infected file, they’re asked to enable macro content. If the victim does this, then the macro quietly launches Microsoft PowerShell, a versatile and widely used scripting language, and the attack will begin in earnest.
DNSMessenger then begins scanning its immediate environment. Specifically, it looks for the privileges granted to the current user and which version of PowerShell is installed on the endpoint. Using this information, it takes the necessary course of action to quietly establish persistence. Once persistence is achieved, it establishes two-way communications with the command and control server. The command and control server will then send instructions through DNS TXT to the infected endpoint. That infected endpoint will then use those instructions to both relay information and look for new orders at a predetermined domain address.
This is a well-honed, targeted attack that was likely used for very specific targets. Nonetheless, it highlights a marked progression in cybercriminal capabilities, especially in stealthy, fileless attacks.
For a long time, fileless attacks were a bit of an oddity. While it’s true they didn’t leave files, they often left small binary breadcrumbs on disk. They could be scanned, if you knew where to look for them. Today’s fileless attacks, like DNSMessenger, are quite advanced by comparison. They leave no trace on disk, making scanning based on static elements difficult. Registry entries, too, are either obfuscated or dynamically-changed, making registry detection difficult as well. These fileless attacks can also neuter process-based detection by crafting the attack so no independent processes are running in memory. They are, in most cases, invisible, and are therefore a very attractive attack method. You can see how today’s fileless infections are deployed in this diagram:
This doesn’t mean, however, that fileless attacks can’t be prevented. In fact, best practices are solid deterrents against this type of attack. For example, admin privileges should be revisited on all endpoints. All endpoints, too, should be fully patched and updated. Education is a strong deterrent too, especially when employees are given lessons on safe browsing and smart email practices.
Security teams should take a closer look at default configurations and nominally benign tools like PowerShell, Apple Script and WMI and limit their access accordingly. They should secure and harden alternate communications protocols, like DNS TXT, as they are now more likely to be used as attack vectors. Finally, and for DNSMessenger in particular, teams should prevent remote script or binary execution through browsers.
Structural improvements, too, can help. Organizations should invest in advanced email and web protection technologies to shield users from initial attack vectors. Some modern endpoint security technologies are sufficiently advanced to detect fileless attacks, especially if those technologies include behavior-based detection. As time goes on, security technologies will be able to reliably pick up and prevent fileless malware from even reaching an endpoint. Next generation machine learning is particularly promising, as it will eventually grow into full memory protection in addition to its current file-based protection abilities.
Until then, however, organizations should follow best practices and security teams, as always, should keep an eye out for any discrepancies.
To learn more about fileless malware and other kinds of cyberthreats, follow us on Twitter @McAfee.