Glimpse malware uses alternative DNS to evade detection

News by Rene Millman

APT34 hacker group behind PowerShell-based malicious code

Security researchers have detailed how the Glimpse malware uses a text mode as an alternative DNS resource record type.

According to a blog post by security researchers Jon Perez and Jonathan Lepore at IronNet, the malware is written in PowerShell and associated with APT34. It is executed by Visual Basic script, yet how the script is initiated remains unclear, researchers said.

They added that the malware is similar to the PoisonFrog malware. Both use "A" resource records to communicate with their controller. Glimpse differs by its ability to use text mode as an alternative DNS resource record type. This allows it to provide tasking in fewer transactions. Additionally, instead of relying on existing .NET DNS libraries, it manually crafts its DNS queries and communicates directly with the controller.

After Glimpse starts, it checks for the existence of a directory and lock file, If no directory or lock file is found, Glimpse creates one. Alternatively, if these do exist and the lock file is older than 10 minutes, the lock file is deleted and the previously running Glimpse script is killed.

"Glimpse does not take advantage of the recursion typically observed in DNS communications (ie, the infected victim sends DNS queries directly to the controller). Communicating directly to the controller, while operationally viable, may not be successful in environments that limit the use of external DNS servers," said researchers.

The researchers said that the differences between PoisonFrog and Glimpse" highlight the ease at which adversaries can modify their tools to meet their end objectives".

They added that several methods can be used to identify this type of C2 activity.

"Performing entropy calculations on subdomain labels can help highlight the amount of randomness in a label, but this is just one of many possible data analysis points, since a standalone feature may not be enough to determine whether traffic is malicious," said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that it’s unclear how the malware infects companies to begin with. 

"Knowing the initial infection vector can help companies greatly in preventing infection altogether. It is why covering the most common ways into a company are increasingly important, these include phishing, compromised credentials, or through exploiting unpatched software," he said. 

"In the absence of such information,  companies need to rely on robust threat detection processes and controls whereby they can actively look for the indicators of compromise and block any malicious activity taking place."

Peter Draper, technical director EMEA at Gurucul, told SC Media UK that APT34, from past information, appear to have some very skilled operatives. 

"Building c2 malware which could be used to send and receive any data to infected hosts and then using this in a multitude of ways including spearphishing and even using LinkedIn invitations," he said. 

"Organisations need to have a very good view of their estate, what traffic is normal and what user behaviour is normal to be able to identify this type of traffic as abnormal. Using DNS as the control mechanism is very smart as there is a huge amount of DNS traffic on most networks so easy for this traffic to be missed. This is where modern machine-learning based systems will be able to identify the anomalous DNS traffic associated with the C2 commands."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews