DNSMessenger is a recently uncovered RAT (Remote Access Trojan). At first glance, DNSMessenger pales in comparison to most RATs, which usually sport a far longer list of capabilities. However, as the saying goes, the devil is in the detail. DNSMessenger's strength is its stealth. This RAT is close to undetectable because it works entirely via PowerShell, which means that DNSMessenger leaves minimal traces of its activity behind.
DNSMessenger was first detected back in 2017 and has since been employed in a number of attacks worldwide. In earlier attacks, the authors of DNSMessenger used the classic phishing method of spam email campaigns. These fraudulent emails carried a macro-laced Word document which, upon opening, executed a series of commands that deployed and initialized DNSMessenger's core module.
However, DNSMessenger has recently taken a different approach. The latest notable attack took place in the United States, where the authors of DNSMessenger chose to host their corrupted scripts on United States government websites that they had infiltrated. DNSMessenger is not only extremely sneaky but also a master of disguise. Once again, the attackers spread DNSMessenger via phishing emails, but instead of a macro-laced document they use an embedded link that leads to a malicious file hosted on a remote server. The emails pose as a message from the Securities and Exchange Commission (SEC) and are very well crafted, mimicking the legitimate document formats that the SEC uses. The attachment included in the email does not contain corrupted scripts itself; instead, it prompts the user to authorize access to a linked document that supposedly contains important information. The linked document is hosted on a government website whose security has likely been compromised, and it contains a script meant to initialize the deployment of DNSMessenger on the targeted computer.
Once DNSMessenger manages to sneak into a system, it checks which version of PowerShell is installed and what privileges it is running with. The authors of DNSMessenger have implemented a small piece of logic that lets the malware decide which method to use to gain persistence: it uses one method if the user has administrator rights and another if they are just a regular user. Whichever method it picks, DNSMessenger always uses settings that make it start exactly 30 minutes after the computer boots up.
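The persistence behaviour described above gives a defender something concrete to hunt for: a PowerShell launcher that is configured to run 30 minutes after boot. The script below is an added example written for this page; it is not the article's code and not DNSMessenger's own. It assumes (the page does not say this) that the "30 minutes after boot" behaviour is implemented as a scheduled task with a boot trigger and a `PT30M` delay, and that the admin versus regular-user split maps to the common persistence locations it inspects: scheduled tasks, the per-user and machine-wide Run keys, and WMI permanent event subscriptions (which require administrator rights). Run it from an elevated PowerShell prompt on the host being examined.

```powershell
# Added defender-side hunting script (not from the original article, not the malware's code).
# Assumptions, not stated on the page: the delayed start is a scheduled task with a boot trigger
# and a PT30M delay; the admin / non-admin persistence methods land in one of the three
# locations checked below. Run elevated so machine-wide locations are readable.

$findings = @()

# 1. Scheduled tasks: boot trigger delayed by 30 minutes whose action launches PowerShell.
foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        $isBoot    = $trigger.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger'
        $delayed30 = $trigger.Delay -eq 'PT30M'
        if ($isBoot -and $delayed30) {
            foreach ($action in $task.Actions) {
                $cmdLine = "$($action.Execute) $($action.Arguments)"
                if ($cmdLine -match 'powershell|pwsh') {
                    $findings += [pscustomobject]@{
                        Source = 'ScheduledTask'
                        Name   = "$($task.TaskPath)$($task.TaskName)"
                        Detail = $cmdLine
                    }
                }
            }
        }
    }
}

# 2. Run keys (regular-user and machine-wide) whose value launches PowerShell.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $value = [string]$props.$name
        if ($value -match 'powershell|pwsh') {
            $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$name"; Detail = $value }
        }
    }
}

# 3. WMI permanent event subscriptions: a persistence route that needs admin rights.
$consumers = Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer `
    -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    if ($c.CommandLineTemplate -match 'powershell|pwsh') {
        $findings += [pscustomobject]@{ Source = 'WmiConsumer'; Name = $c.Name; Detail = $c.CommandLineTemplate }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No PowerShell-based persistence matching the described pattern was found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Legitimate software does occasionally register delayed boot tasks, so treat each hit as a lead to inspect (what the command line decodes to, who created the task, when) rather than as a verdict.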
When DNSMessenger fires up, it connects to the authors' remote servers and acts on whatever instructions its creators send. As long as the victim has administrator privileges, the attackers can run any commands they wish through PowerShell.
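Because the RAT does its work entirely inside PowerShell, the host's PowerShell logs are the main place its activity can be seen. The script below is an added example for this page, not the article's code: it enables script block and module logging through the standard Windows policy registry keys (an assumption that these keys, rather than Group Policy, are how logging is configured on the host), then reviews the last day of Event ID 4104 script-block events for a constructed list of indicator patterns such as DNS lookups, Base64 decoding and remote script evaluation.

```powershell
# Added example (not from the original article). Assumes the standard policy registry keys
# below control PowerShell logging on this host; the same settings can be pushed by GPO.
# Run elevated. Logging only covers script blocks executed after it is enabled.

$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# Event ID 4104 in the PowerShell operational log carries the text of each executed script block.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Constructed indicator list: calls a PowerShell-resident RAT talking to its operators tends to use.
$patterns = @(
    'Resolve-DnsName', 'nslookup', 'Dns\]::', 'GetHostAddresses',
    'FromBase64String', 'Invoke-Expression', '\biex\b', 'DownloadString'
)

foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value   # ScriptBlockText is the third property of a 4104 event
    $hits = $patterns | Where-Object { $text -match $_ }
    if ($hits) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Hits    = ($hits -join ', ')
            Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
```

Script block logging records the de-obfuscated code as the engine executes it, which is what makes it useful against a tool that deliberately leaves few files on disk; forward these events to a central log collector, since a RAT running as administrator can clear the local log.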
With so many threats lurking online, one can never be too cautious. Both individuals and companies need to learn how to spot red flags and stay safe. A good start is installing a reputable security suite and keeping all software up to date to reduce the risk of exploitable vulnerabilities.