DNS TXT record enables domain administrators to input text into DNS, initially for human-readable notes, but now it’s utilized for diverse purposes like:-
- Spam prevention
- Domain ownership verification
Spam email senders disguise domains to evade detection, but servers verify emails using the DNS TXT record as a key element.
Moreover, the domain owners can verify their ownership by uploading a TXT record with specific information or modifying the existing one.
ASEC from AhnLab has confirmed the use of DNS TXT Records in malware execution, which is a rare technique that holds importance for detection and analysis purposes.
Malware Execution using DNS TXT Records
The malware uses DNS TXT records differently, closer to the original purpose of entering DNS-related info, rather than the common method mentioned earlier.
A phishing email included a fake “Order Inquiry” with a PowerPoint add-in (PPAM) file. PPAM files have user-defined macros and VBA code, and executing the PowerPoint macro triggered PowerShell’s nslookup management tool.
Within the PPAM file, the macro code is straightforward, and when executed, it runs PowerShell for nslookup, querying the DNS TXT record. The threat actor included the command for their next process in the DNS TXT record.
The threat actor’s multiple attempts on child processes suggest an evasion strategy against anti-malware solutions and other related products.
Analyzing the DNS TXT record of the threat actor’s server (abena-dk[.]cam) reveals a unique data output, deviating from typical DNS TXT record purposes.
The threat actor employed an unexplored method by uploading PowerShell commands on their DNS TXT record, enabling execution upon nslookup query.
This approach differed from the traditional practice of writing PowerShell commands directly in the macro code and allowed for malware execution.
After saving as meth.js, the methewPayload.js file’s PowerShell URL is used with wscript.exe to execute it, and then it downloads a Base64-encoded DLL binary from an external URL.
This malware type isn’t new but rather originated from the hacking group Hagga (Aggah) and has been circulating since late 2021.
Based on TTP analysis, the threat actor employed various methods, including:-
- Distributing documents with malicious macros
- Using characteristic .NET code elements
- Employing the StrReverse function
- Downloading additional malicious files
- Executing additional malicious files
While the downloaded file was identified as an AgentTesla, that is a . NET-based Infostealer.
“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.