
Glimpse

Posted: November 12, 2019

Glimpse is a cyber-threat that is yet to be researched thoroughly, but malware experts have already managed to identify some of the key features of this threat. One of the unique things about it is the method it uses to communicate with the control server of the attackers – instead of using the noisy HTTP or FTP connections, it relies on the DNS protocol. However, using the DNS protocol to establish a communication channel between the malware and the control server has some drawbacks – for example, sending a command via the DNS protocol may be simple, but receiving a meaningful response is difficult to achieve. This is because different types of DNS records are limited severely in terms of the amount of data they can send out and, furthermore, they only support specific characters.

Another Malware Uses the DNS Protocol for Communication with the Control Server

The DNS protocol supports four primary record types:

  • A Records – These are the most primitive type, and their primary purpose is to connect a domain (or sub-domain) to an IP address.
  • CNAME (Canonical Name) Records – They serve a similar purpose, but instead of referring a domain (or sub-domain) to an IP address, they redirect to another hostname.
  • MX (Mail Exchanger) Records – MX Records tell sending mail servers how email for a domain should be routed, according to the owner's preferences. They are similar to A records, but they have a 'priority' property, which is used to determine which mail server should be used in case the primary one is not responding.
  • TXT Records – TXT Records are typically used for storing text. The text type may vary, but it is typically related to domain ownership (address, contact, name, etc.). In other cases, it may be used for verification purposes, such as storing Sender Policy Framework (SPF) data.

In the case of the Glimpse malware, the threat actors make use of two DNS record types – A and TXT. A records are the primary channel, but the malware also supports TXT records for communication. Another interesting thing about the Glimpse malware family is the way it builds its DNS queries – pre-made ones for A records, and custom-built ones for TXT records.

The Glimpse Backdoor is Designed for Stealth

Glimpse is meant to serve as a persistent backdoor that keeps a low profile by using the DNS protocol for communication. Many security products and firewalls do not inspect or filter DNS traffic for suspicious traits, since doing so may interfere with the operation of legitimate services and applications. However, developing malware that uses DNS to receive and exfiltrate information is no easy task, especially since the usage of this protocol will limit the threat's abilities severely. The authors of Glimpse are suspected to belong to APT34 (also known as OilRig), a dangerous Advanced Persistent Threat (APT) group that certainly has the expertise and experience needed to develop a threat that uses DNS for C2 tunneling.
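Because tunnelling through A and TXT lookups forces the malware to pack its data into long, encoded subdomain labels, the traffic leaves a statistical trace even when nobody filters DNS. The following added example (not code from the page or from any Glimpse analysis) runs a simple detector over a constructed query log: it groups lookups by registered domain and flags domains whose unique subdomains are consistently long and high-entropy; the domain name c2-placeholder.test and the log lines are invented for illustration.

```python
import math
from collections import Counter, defaultdict
# Constructed DNS query log (client, query type, name). The long labels under
# c2-placeholder.test mimic encoded tunnelling traffic; none are real IoCs.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.7 A kq7ztmxcv2p3ndhwe4ybjs6rgu5falio.c2-placeholder.test
10.0.0.7 A m3bxe6qzt7ckwpa2vgjn4yhfi5rlsdou.c2-placeholder.test
10.0.0.7 TXT yg4srv2ndo7kf3wqbcxj6ahu5tmlzpie.c2-placeholder.test
10.0.0.7 A p5ahtq3ljdz6ov2wkm7xscnbg4eyrfui.c2-placeholder.test
10.0.0.7 TXT s2ncve5tkq7bmhxlj3fzgpw6oayi4rud.c2-placeholder.test
"""

def shannon_entropy(text):
    # Bits per character: encoded payloads score high, dictionary labels low.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(qname, levels=2):
    # Crude eTLD+1 (last two labels); a real deployment would use the PSL.
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def summarise(log_text):
    # Per registered domain: query count, TXT count, unique-subdomain stats.
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(),
                                 "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")   # everything left of eTLD+1
        s = stats[dom]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        if sub and sub not in s["subs"]:       # count each subdomain once
            s["subs"].add(sub)
            s["len_sum"] += len(sub)
            s["ent_sum"] += shannon_entropy(sub)
    return stats

def flag_tunnelling(log_text, min_queries=3, avg_len=25, avg_entropy=3.5):
    # Flag domains whose unique subdomains are consistently long and random-looking.
    flagged = []
    for dom, s in summarise(log_text).items():
        n = len(s["subs"])
        if (s["queries"] >= min_queries and n
                and s["len_sum"] / n >= avg_len and s["ent_sum"] / n >= avg_entropy):
            flagged.append(dom)
    return sorted(flagged)
```

The thresholds are starting points to tune against your own resolver logs; CDN and anti-spam lookups can also produce long labels, so the TXT count and the per-client volume in the summary are worth reviewing before acting on a hit.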
