fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Attackers Abuse Google DNS Over HTTPS To Download Malware

Attackers Abuse Google DNS Over HTTPS To Download Malware

Earlier this year, BleepingComputer reported on hackers hiding malware in fake Windows error logs.

After gaining access to a Windows system and achieving persistence, the malware would read from a “.chk” file that impersonated event logs.

The apparent hexadecimal characters on the right side are actually decimal characters used to construct an encoded payload via rogue scheduled tasks.

More information has emerged on this complex malware and some other sinister tasks it carries out.

Windows fake error logs containing payload used by the malware

Google DNS over HTTPS

While revisiting the malware sample, researchers at MSP threat detection provider Huntress Labs noticed a suspicious URL in the PowerShell code they had previously analyzed:

https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt

The suspicious domain “jqueryupdatejs.com” immediately caught the attention of John Hammond, Senior Security Researcher at Huntress Labs.

While Google DNS is being used to resolve the suspicious domain, the response returned via Google DNS contains the malicious payload in an encoded form, as verified by BleepingComputer:

Google DNS response with the “data” field containing the malicious payload
Source: BleepingComputer

Hammond has provided BleepingComputer with some additional insights:

“This technique of requesting DNS records over HTTPS is nothing novel, but it is very clever. Oftentimes DNS filtering is in place on a corporate network, to block access to malicious websites… but blocking web traffic to https://google.com, over a secure HTTPS connection? That’s unheard of.”

Hammond states while DNS over HTTPS is becoming popular, it isn’t specific to malware and has legitimate use cases.

“DNS over HTTPS (DoH) is becoming more prevalent with the conversation of security versus privacy. It’s not a technique specific to malware — it has its own normal use case in the real world. It just so happens that since there are so many defensive protections on other communications and exfiltration techniques, DoH is becoming a more viable option for attackers.”

“Using an external server and even a dynamic DNS entry benefits the hacker by allowing them complete customization and control in their attack. If they ever need to swap out the malicious payload or adjust the servers used for triaging, they can do that without relying on their access to the victim.”

Not a DKIM signature. These are C&C IPs!

To the casual eye, the “data” field value returned by the Google DNS query may look like a DKIM signature but this is yet another deceptive trick employed by the attackers.

This value appears to be a base64 encoded string but there is a caveat. Attempting to decode the entire string at once using a base64 decoder produces gibberish data.

This is because the “/” character serves as a separator (much like a space) and isn’t part of the payload.

When decoding each value separated by the “/” separately, Hammond yet again obtained different base64 values. Decoding these a second time revealed large numbers:

1484238688
1484238687
238837
2388371974
2388372143

These are nothing but decimal representations of valid IP addresses. For example, typing 1484238687/ in a web browser address bar resolves to http://88.119.175.95/ (we do not recommend attempting this).

The original payload would pick any one of these IP addresses at random to download the next stage payload. 

The innocuous-looking DNS lookup query provided flexibility to the attackers to make the Command and Control (C&C) infrastructure dynamic. They could change the C&C server IP list at will, by simply updating the DNS responses.

“Keep in mind, the attacker had flexible control of these last few payloads — the jqueryupdatejs.com domain and that TXT entry were external and could be easily updated or changed, the third-party malware servers could be moved in and out of the rotation, and the final payload that was retrieved could certainly be customized at any time,” reads Huntress Labs’ blog post.

Also read: How To Make A PDPC Complaint: With Its Importance And Impact

Clever, evasive malware

In addition to all the obfuscation techniques it uses to “hide in plain sight,” the malware renames some of its executables to legitimate, active Windows processes to further evade detection. 

Hammond told BleepingComputer, “The sheer amount of obfuscation present in this malware is, yes, alarming — but also, from the offensive point of view, genius. Using these native binaries ensures the execution of these programs is allowed, and masking the payloads under layers and layers of complexity helps it slide right under the radar. These techniques make ‘old malware’ look different. Typical off-the-shell antivirus products might be oblivious to this.”

With tradecrafts like these becoming more and more common, Hammond recommends manual investigation is a must, as opposed to just relying on automated security controls.

“We found this malware from our own manual analysis. Obviously, there is an incredible benefit from having an automated, always-on antivirus and endpoint protection suite… but this lacks the context that humans have. Manual investigation is a must,” he said.

Detailed findings on this malware sample have been shared by Huntress Labs in their blog post.

Also read: 10 Tips For Drafting Key Terms In A Service Agreement

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us