
DNSMessenger

Posted: May 2, 2019

DNSMessenger is a Remote Access Trojan (RAT) that lacks the long list of features other popular RATs tend to boast. It makes up for this by being much harder to detect than regular Trojans. One of the primary reasons is that it barely leaves any data on the victim's computer and operates entirely through PowerShell commands, which greatly reduces the footprint it leaves on the targeted system compared to other notable threats of this type.

DNSMessenger first appeared on the radar of malware researchers in 2017, and since then it has been used in multiple large-scale campaigns targeting different regions and sectors. One of the most recent campaigns involving this particular malware strain focuses on institutions in the United States, and the attackers appear to be hosting some of the corrupted scripts used in the attack on compromised government websites. The propagation method is spear phishing emails designed to look as if they were sent by the Securities and Exchange Commission (SEC). The emails contain Microsoft Word attachments that are branded and formatted like legitimate SEC documents. Users who download and open them may be prompted to authorize the document to retrieve and execute data from linked files; those linked files contain a malicious script meant to set off the infection process.

DNSMessenger performs several checks on the victim's machine to identify the version of PowerShell in use and the level of privileges the user has. Depending on the result, it may use different methods to gain persistence; in this recent campaign, DNSMessenger was programmed to activate 30 minutes after the user logs in.

Once DNSMessenger is deployed successfully, it may establish a connection with one of the attackers' remote servers and receive instructions from it. As already mentioned, DNSMessenger works with PowerShell commands that could allow the attackers to execute all sorts of operations on the compromised system, as long as the victim has the necessary administrator privileges.
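As an added example (not code from this page or its author), here is a defender-side heuristic that flags a host issuing repeated TXT-record lookups with ever-changing subdomains under a single domain, the traffic pattern produced by PowerShell malware that polls DNS for its instructions. The log format, domain names and thresholds are constructed assumptions; that DNSMessenger's server contact runs over DNS TXT records is publicly documented but not stated on this page, so it is treated as an assumption here as well.

```python
"""Flag hosts whose DNS activity looks like TXT-record command polling.

Constructed sample log lines (not real data); format: '<time> <client> <qtype> <qname>'.
"""
from collections import defaultdict

SAMPLE_DNS_LOG = """\
12:00:01 10.0.0.5 A www.example.com
12:00:02 10.0.0.5 TXT a7f3c1.cmd.c2-placeholder.test
12:00:32 10.0.0.5 TXT b81e0d.cmd.c2-placeholder.test
12:01:02 10.0.0.5 TXT 93cc4a.cmd.c2-placeholder.test
12:01:32 10.0.0.5 TXT ee1f77.cmd.c2-placeholder.test
12:02:02 10.0.0.5 TXT 0c5d2b.cmd.c2-placeholder.test
12:02:32 10.0.0.5 TXT 5a9b10.cmd.c2-placeholder.test
12:00:05 10.0.0.7 A mail.example.com
12:00:06 10.0.0.7 TXT example.com
12:00:07 10.0.0.7 MX example.com
12:00:08 10.0.0.7 A update.example.org
"""

def parse_line(line):
    """Split a log line into (client, qtype, qname); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _time, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")

def registered_domain(qname):
    """Last two labels (simplification; a real tool would consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def find_txt_polling(log_text, min_txt=5, min_unique_names=5):
    """Return {(client, domain): txt_count} for every client/domain pair that issued
    at least min_txt TXT queries spread over at least min_unique_names distinct names
    (per-lookup unique subdomains are how a tunnelling client defeats resolver caching)."""
    txt_counts = defaultdict(int)
    unique_names = defaultdict(set)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] != "TXT":
            continue
        client, _qtype, qname = parsed
        key = (client, registered_domain(qname))
        txt_counts[key] += 1
        unique_names[key].add(qname)
    return {k: n for k, n in txt_counts.items()
            if n >= min_txt and len(unique_names[k]) >= min_unique_names}
```

A single TXT lookup for SPF or domain verification (as 10.0.0.7 does here) stays below both thresholds, so only the host polling unique names under one domain is reported.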

Protecting computers from DNSMessenger and similar threats is a multi-stage process that requires instructing employees to be careful about the files they download from the Web, especially when they come from an unknown source or email sender. Furthermore, securing computers with a reputable anti-malware product is a must, since this is the best way to prevent advanced schemes like this one from succeeding.
