Hackers Can Use DNS TXT Records to Execute the Malware

DNS TXT record enables domain administrators to input text into DNS, initially for human-readable notes, but now it’s utilized for diverse purposes like:- 

  • Spam prevention
  • Domain ownership verification

Spam email senders disguise domains to evade detection, but servers verify emails using the DNS TXT record as a key element.

EHA

Moreover, the domain owners can verify their ownership by uploading a TXT record with specific information or modifying the existing one.

ASEC from AhnLab has confirmed the use of DNS TXT Records in malware execution, which is a rare technique that holds importance for detection and analysis purposes.

Malware Execution using DNS TXT Records

The malware uses DNS TXT records differently, closer to the original purpose of entering DNS-related info, rather than the common method mentioned earlier.

A malicious PPAM file attachment in Phishing email (Source – AhnLab)

A phishing email included a fake “Order Inquiry” with a PowerPoint add-in (PPAM) file. PPAM files have user-defined macros and VBA code, and executing the PowerPoint macro triggered PowerShell’s nslookup management tool.

Macro code in the PPAM file (Source – AhnLab)

Within the PPAM file, the macro code is straightforward, and when executed, it runs PowerShell for nslookup, querying the DNS TXT record. The threat actor included the command for their next process in the DNS TXT record.

The threat actor’s multiple attempts on child processes suggest an evasion strategy against anti-malware solutions and other related products.

Analyzing the DNS TXT record of the threat actor’s server (abena-dk[.]cam) reveals a unique data output, deviating from typical DNS TXT record purposes. 

It suggests that the threat actor experimented with subdomains, executed calculator (calc.exe), and instead of JavaScript (js) files, employed the VBScript (.vbs) files.

nslookup result of the various subdomains (Source – AhnLab)

The threat actor employed an unexplored method by uploading PowerShell commands on their DNS TXT record, enabling execution upon nslookup query.

This approach differed from the traditional practice of writing PowerShell commands directly in the macro code and allowed for malware execution.

After saving as meth.js, the methewPayload.js file’s PowerShell URL is used with wscript.exe to execute it, and then it downloads a Base64-encoded DLL binary from an external URL.

This malware type isn’t new but rather originated from the hacking group Hagga (Aggah) and has been circulating since late 2021. 

Based on TTP analysis, the threat actor employed various methods, including:-

  • Distributing documents with malicious macros
  • Using characteristic .NET code elements
  • Employing the StrReverse function
  • Downloading additional malicious files
  • Executing additional malicious files

While the downloaded file was identified as an AgentTesla, that is a . NET-based Infostealer.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.