DNSpionage malware

Original Issue Date:- December 04, 2018
Virus Type:- Trojan
Severity:- Medium

A targeted attack campaign has been reported that uses compromised sites and crafted documents to infect victim machines with a Remote Administration Tool (RAT) called DNSpionage. The RAT can build its connection to the C2 server through DNS tunnelling, so that it remains undetected on the victim machine for a long time by avoiding proxies and web filtering. The malware builds the connection to C2 by generating requests of the form [random number].0ffice36o[.]com, where the subdomain carries a random number and the ID of the victim.

  • The malware creates a separate folder containing its own data at %UserProfile%\.oracleServices/, with log.txt for logs, a Downloads directory for storing additional scripts and tools downloaded from the C2 server, and an Uploads directory for temporarily storing files before exfiltrating them to the C2 server.
  • On first communication with C2, the malware sends basic information about the victim such as username, hostname and system info. Based on that information the C2 decides which payload to send to the victim machine; the payload is stored in the Downloads folder. The malware also has the capability to detect a sandbox environment and to redirect legitimate sites to a malicious site under the attacker's control in order to increase the coverage of victims.
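As an added example (not from the advisory), the query pattern described above can be checked against resolver logs: the script flags queries under the advisory's listed domains and separately counts distinct subdomain labels per client and parent domain, the volume signature of a DNS-tunnelled channel. The log lines and their "timestamp client qname" layout are constructed for the example.

```python
import re
from collections import defaultdict

# Domains listed in the advisory's IoC section (defanging brackets removed).
C2_DOMAINS = {"0ffice36o.com", "hr-suncor.com", "hr-wipro.com",
              "microsoftonedrive.org", "officeupdates.net"}

# Constructed sample resolver log, "timestamp client qname" (hypothetical layout).
SAMPLE_LOG = """\
2018-12-04T10:00:01Z 10.0.0.5 www.example.com
2018-12-04T10:00:02Z 10.0.0.5 a81f2.0ffice36o.com
2018-12-04T10:00:03Z 10.0.0.5 b93c0.0ffice36o.com
2018-12-04T10:00:04Z 10.0.0.5 c04d7.0ffice36o.com
2018-12-04T10:00:05Z 10.0.0.9 mail.example.com
2018-12-04T10:00:06Z 10.0.0.5 ns1.0ffice36o.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parent_domain(qname):
    """Last two labels of the query name; enough for this heuristic."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(log_text, subdomain_threshold=3):
    """Return (ioc_hits, tunnelling_suspects).

    ioc_hits: (timestamp, client, qname) for queries under a known C2 domain.
    tunnelling_suspects: (client, parent) pairs with >= threshold distinct
    subdomain labels, the volume pattern a DNS-tunnelled channel produces.
    """
    ioc_hits = []
    seen = defaultdict(set)  # (client, parent) -> distinct subdomain labels
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        parent = parent_domain(qname)
        if parent in C2_DOMAINS:
            ioc_hits.append((ts, client, qname))
        if qname != parent:  # strip the parent to keep the per-query label(s)
            seen[(client, parent)].add(qname[: -len(parent) - 1])
    suspects = {k: sorted(v) for k, v in seen.items() if len(v) >= subdomain_threshold}
    return ioc_hits, suspects
```

The subdomain-count heuristic is deliberately independent of the IoC list, so it still fires if the operators move to a domain the advisory does not name.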


Indicators of Compromise:

IP

  • 185.20.184[.]138
  • 185.20.187[.]8
  • 185.161.211[.]72

File Location

  • %UserProfile%\.oracleServices/
  • %UserProfile%\.oracleServices/Apps/
  • %UserProfile%\.oracleServices/Configure.txt
  • %UserProfile%\.oracleServices/Downloads/
  • %UserProfile%\.oracleServices/log.txt
  • %UserProfile%\.oracleServices/svshost_serv.exe
  • %UserProfile%\.oracleServices/Uploads/

Domain

  • 0ffice36o[.]com
  • hr-suncor[.]com
  • hr-wipro[.]com
  • l5yf.0ffice36o[.]com
  • microsoftonedrive[.]org
  • ns1.0ffice36o[.]com
  • ns2.0ffice36o[.]com
  • officeupdates[.]net
  • zto04.0ffice36o[.]com


Recommendations:

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL is genuine, close the e-mail and go to the organization's website directly through the browser.
  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  • Disable macros in Microsoft Office products. Some Office products allow disabling only those macros that originate from outside the organization, which can provide a hybrid approach where the organization depends on legitimate use of macros. On Windows, specific settings can block macros originating from the Internet from running.
  • Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.