Hackers Used Government Servers in DNSMessenger Attacks

A recently discovered DNSMessenger campaign is abusing compromised U.S. state government servers to host malware, Cisco Talos security researchers say.

First uncovered in early March, the DNSMessenger attack involved the use of DNS requests to establish communication between a PowerShell RAT and its command and control (C&C) servers. Completely fileless and invisible to most standard defenses, the attack was highly targeted and researchers attributed it to a sophisticated threat actor.

Cisco now says that additional attacks leveraging this type of malware were discovered, targeting several organizations in an attempt to infect them with malware. Specific to this campaign is the use of DNS TXT records to create a bidirectional C&C channel and directly interact with the Windows Command Processor.

The attackers use spear phishing emails to spread the malware and leverage U.S. state government servers to host the malicious code necessary in the later stages of the infection chain. The emails, Cisco reveals, are spoofed to seem as if they were sent from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.

In March this year, attacks targeting U.S. organizations and focused on personnel that handle filings to the SEC were attributed to the hacking group known as FIN7. The incidents were later tied to a framework used in the DNSMessenger campaign as well, as all attacks were supposedly orchestrated by a single threat group.

“The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate,” Cisco Talos reports.

The spear phishing emails used in the new attack contained attached Microsoft Word documents (also made to appear as if originating from SEC) that would leverage Dynamic Data Exchange (DDE) to perform code execution. When opened, the documents would prompt the user to allow the retrieval of content from included external links.

The DDEAUTO field used by the malicious document retrieved code initially hosted on a compromised Louisiana state government website. The downloaded code is executed using PowerShell and is responsible for achieving persistence and starting the next stage of the infection chain.
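A defender-side check for the document stage described above, added here as an example and not code from Cisco Talos or the SecurityWeek article. Word stores a field as `w:instrText` runs between `w:fldChar` begin/end markers inside `word/document.xml`, and the instruction text can be split across several runs, so the scanner joins the pieces of each field before looking for `DDE` or `DDEAUTO`. The two `.docx` files are constructed in memory with only the parts this scan needs; the field arguments are placeholders, not a real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Match a DDE or DDEAUTO field keyword, case-insensitively (Word is case-insensitive here).
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes):
    """Return the field-code strings found in word/document.xml.

    Field instructions may be spread over several w:instrText runs (a common
    way to hide the DDEAUTO keyword from naive string searches), so all runs
    between a fldChar begin and its matching end are concatenated.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml")
    root = ET.fromstring(xml)
    fields, current, depth = [], [], 0
    for el in root.iter():  # document order
        tag = el.tag.split("}")[-1]
        if tag == "fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0:  # outermost field closed; nested fields are kept inline
                    fields.append("".join(current).strip())
                    current = []
        elif tag == "instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def find_dde_fields(docx_bytes):
    """Return only the field codes that use DDE / DDEAUTO."""
    return [f for f in extract_field_codes(docx_bytes) if DDE_RE.search(f)]


def build_docx(paragraph_xml):
    """Constructed minimal .docx: just word/document.xml, enough for the scan."""
    doc = f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{paragraph_xml}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


def _field(*instr_runs):
    """Build the XML for one field whose instruction is split over several runs."""
    runs = "".join(f"<w:r><w:instrText>{t}</w:instrText></w:r>" for t in instr_runs)
    return (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>click to update</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    )


# Constructed samples: a harmless DATE field, and a DDEAUTO field split as "DDE" + "AUTO ...".
BENIGN_DOCX = build_docx(_field(' DATE \\@ "d MMMM yyyy" '))
SUSPECT_DOCX = build_docx(_field("DDE", 'AUTO "placeholder-target" "placeholder-topic"'))

if __name__ == "__main__":
    for name, data in (("benign.docx", BENIGN_DOCX), ("suspect.docx", SUSPECT_DOCX)):
        print(name, find_dde_fields(data))
```

The same walk also covers a DDE field nested inside a QUOTE field, because nested `w:instrText` runs are folded into the outer field's string before the regular expression is applied. Plain `.doc` (OLE) attachments need a different parser; this only handles the OOXML container.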

Heavily obfuscated, the next stage of infection establishes communication with the C&C and receives code via DNS. When this step is completed, the result string is decoded and decompressed and then passed to PowerShell's Invoke-Expression (IEX) cmdlet, which executes the retrieved code.
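A detection sketch for the DNS channel described above (the TXT-record C&C introduced earlier and the DNS code retrieval in this stage), added here as an example and not code from Cisco Talos or the article. It runs over a constructed DNS query log in an assumed `timestamp client qtype qname` format, groups TXT queries per client and registered domain, and flags a pair when the query count, the share of never-repeated names and the average character entropy of the subdomain part all exceed thresholds. The thresholds and the two-label "registered domain" shortcut are illustrative assumptions; a real deployment would tune them and use the public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log. Format assumed: "<timestamp> <client> <qtype> <qname>".
# 10.0.0.5 issues TXT lookups for five unique, random-looking subdomains of one domain
# (the beaconing pattern of a TXT-record C&C channel); 10.0.0.9 does ordinary DMARC/SPF lookups.
SAMPLE_LOG = """\
2017-10-11T10:00:01Z 10.0.0.5 A www.example-corp.test
2017-10-11T10:00:02Z 10.0.0.5 TXT 0123456789abcdef.c2-example.test
2017-10-11T10:00:07Z 10.0.0.5 TXT fedcba9876543210.c2-example.test
2017-10-11T10:00:12Z 10.0.0.5 TXT 13579bdf02468ace.c2-example.test
2017-10-11T10:00:17Z 10.0.0.5 TXT a0b1c2d3e4f56789.c2-example.test
2017-10-11T10:00:22Z 10.0.0.5 TXT 8765fedc43210ba9.c2-example.test
2017-10-11T10:00:30Z 10.0.0.9 TXT _dmarc.example-corp.test
2017-10-11T10:00:31Z 10.0.0.9 TXT example-corp.test
2017-10-11T10:00:40Z 10.0.0.9 TXT _dmarc.example-corp.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Illustrative shortcut: the last two labels. Use the public suffix list in practice."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return one alert per (client, domain) whose TXT traffic looks like an encoded channel."""
    stats = defaultdict(lambda: {"count": 0, "names": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _, client, qtype, qname = m.groups()
        if qtype != "TXT":
            continue
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")  # everything left of the registered domain
        st = stats[(client, dom)]
        st["count"] += 1
        st["names"].add(qname)
        st["entropies"].append(shannon_entropy(sub))

    alerts = []
    for (client, dom), st in stats.items():
        unique_ratio = len(st["names"]) / st["count"]
        avg_entropy = sum(st["entropies"]) / len(st["entropies"])
        if (st["count"] >= min_queries
                and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy):
            alerts.append({
                "client": client,
                "domain": dom,
                "txt_queries": st["count"],
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Volume alone is a weak signal (mail servers legitimately query TXT records all day); it is the combination with high-entropy, never-repeating names that separates an encoded channel from SPF and DMARC lookups, which is why the ordinary queries from 10.0.0.9 do not fire.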

Cisco’s researchers weren’t able to obtain the next stage of PowerShell code from the C&C server and believe that this could be so because of the highly targeted nature of the attack. The actors behind the operation might be restricting communications to evade analysis.

Other researchers, however, were able to retrieve the code and reveal that it contains the usual set of information gathering capabilities. The stage 4 code, which includes a different structure of DNS records being used for commands, apparently exfiltrates data via a hardcoded web form.

This attack, Cisco concludes, shows the level of sophistication associated with threats facing organizations today: it includes multiple layers of obfuscation, it limits compromise to only the organizations of interest, and it uses new techniques to execute malicious code on systems (leveraging WMI, NTFS alternate data streams (ADS), scheduled tasks, and registry keys to obtain persistence).

Related: SEC Says It Was Hacked in 2016

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Related: Researchers Uncover Sophisticated, Fileless Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
