SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dnsmessenger (Back to overview)

DNSMessenger

aka: TEXTMATE

Actor(s): Anunak


DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.

References
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-03-31APNICDebashis Pal
@online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-10-11Wraith Hacker BlogWraith Hacker
@online{hacker:20171011:more:9040492, author = {Wraith Hacker}, title = {{More info on 'Evolved DNSMessenger'}}, date = {2017-10-11}, organization = {Wraith Hacker Blog}, url = {http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/}, language = {English}, urldate = {2019-10-12} } More info on 'Evolved DNSMessenger'
DNSMessenger
2017-10-11Cisco TalosEdmund Brumaghin, Colin Grady, Dave Maynor, @Simpo13
@online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } Spoofed SEC Emails Distribute Evolved DNSMessenger
DNSMessenger
2017-03-02CiscoEdmund Brumaghin, Colin Grady
@online{brumaghin:20170302:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-03-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2023-07-05} } Covert Channels and Poor Decisions: The Tale of DNSMessenger
DNSMessenger

There is no Yara-Signature yet.