Evolved DNSMessenger distributed via SEC spoofed emails


The Internet has certainly turned into an interesting place as of late. Apart from being used as a well of information it, unfortunately, is now also a battleground. Countries engage in a very real cyber warfare and try to outdo themselves with each subsequent maneuver. Government services are targeted and it almost seems like hackers are now playing a very elaborate game, trying to find the weaknesses and exploit them. Who knows, maybe they are. And what we’re going to talk about now, is an email campaign – phishing emails sent out are disguised as messages from the Securities and Exchange Commission (or SEC) – from its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, to be more specific.

There was an attachment within those emails, disguised as Microsoft Word document, that started the infection process as soon as it was opened. The computer then got compromised with DNSMessenger malware. And macros or OLE objects weren’t leveraged here, which is interesting, as that’s what usually happens with these types of attacks. Code execution was performed by leveraging Dynamic Data Exchange (or DDE). Microsoft has decided that this is not the functionality that should be removed, due to it being the feature by design, so nothing stops the hackers from abusing it to carry out their attacks.

Once the attachment is opened, the user gets informed about links to external files contained in the document. He or she then gets asked for permission to retrieve and display those files and, should such permission be given, the code is retrieved and executed, which opens the way for the infection to start. It should be noted that the DDEAUTO field employed by the attachment retrieved the code that was initially hosted on a compromised Louisiana state government website. And it’s very likely that it’s been attacked to be used for that exact purpose – con artists stop at basically nothing to get what they want.

What happens next is the code being downloaded and executed directly using Powershell. To be more specific, it’s retrieved, deobfuscated, passed to the Invoke-Expression (IEX) cmdlet and then executed by Powershell. This is exactly what launches the infection process and keeps it going. Moreover, the code isn’t one-dimensional by any means and can adapt to different environments. That’s why different access privileges of the users, as well as the version of Powershell, won’t be an obstacle to it.

This attack is very sophisticated and it shows the level of threats that organizations around the world are faced with today. And the perpetrators don’t want to be discovered either – more often than not, they employ multiple layers of obfuscation. It allows them to make analyzing the attacks more difficult and also continue to operate under the radar and keep their attacks focused on certain targets. They don’t only rely on old methods to achieve their goals – they constantly come up with new ideas and are more than eager to try them out.

That’s why it’s very important to monitor the situation, have the latest version of security software installed and delete all the emails that seem suspicious at first sight. Even though people behind the attacks have a lot of tricks up their sleeves, it’s entirely possible to prevent the worst kind of scenario from unfolding. Hackers are never far behind and the online safety should become one of the top priorities in today’s world. Otherwise, the important pieces of information will just continue to get stolen and either leaked to the public or sold.


Please enter your comment!
Please enter your name here