Glimpse malware uses alternative DNS to evade detection
#1
Quote: Security researchers have detailed how the Glimpse malware uses a text mode as an alternative DNS resource record type.

According to a blog post by security researchers Jon Perez and Jonathan Lepore at IronNet, the malware is written in PowerShell and associated with APT34. It is executed by Visual Basic script, yet how the script is initiated remains unclear, researchers said.

They added that the malware is similar to the PoisonFrog malware. Both use "A" resource records to communicate with their controller. Glimpse differs by its ability to use text mode as an alternative DNS resource record type. This allows it to provide tasking in fewer transactions. Additionally, instead of relying on existing .NET DNS libraries, it manually crafts its DNS queries and communicates directly with the controller.

After Glimpse starts, it checks for the existence of a directory and lock file. If no directory or lock file is found, Glimpse creates one. Alternatively, if these do exist and the lock file is older than 10 minutes, the lock file is deleted and the previously running Glimpse script is killed.

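As an added illustration, not code from the quoted article or from IronNet: a hypothetical detection heuristic in Python that scans DNS query log lines for a client making repeated TXT lookups, with high-entropy subdomain labels, to one registered domain, which is the traffic pattern the excerpt describes. The log lines, the client addresses and the domain c2-placeholder.test are constructed sample data; the thresholds are assumptions to tune per environment.

```python
"""Flag DNS clients whose query pattern resembles DNS resource-record C2
(hypothetical heuristic for illustration; not IronNet's detection logic)."""
from collections import defaultdict
import math

# Constructed sample DNS query log, one "client qtype qname" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 8f3a1c.k9q2x.c2-placeholder.test
10.0.0.5 TXT 9b77ee.m1p0z.c2-placeholder.test
10.0.0.5 A a01ff3.r4t8v.c2-placeholder.test
10.0.0.5 TXT c4d2ab.x7y1w.c2-placeholder.test
10.0.0.5 TXT d81e09.q3n5h.c2-placeholder.test
10.0.0.7 A mail.example.org
10.0.0.7 TXT _dmarc.example.org
"""

def registered_domain(qname: str) -> str:
    # Approximation: the last two labels (no public-suffix list needed here).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def label_entropy(qname: str) -> float:
    # Shannon entropy of the subdomain characters; encoded data scores high.
    sub = "".join(qname.rstrip(".").split(".")[:-2])
    if not sub:
        return 0.0
    counts = {c: sub.count(c) for c in set(sub)}
    return -sum(n / len(sub) * math.log2(n / len(sub)) for n in counts.values())

def find_suspects(log: str, min_txt: int = 3, min_entropy: float = 3.0):
    """Return sorted (client, domain) pairs with at least min_txt TXT lookups
    to one registered domain whose subdomain labels look encoded on average."""
    stats = defaultdict(lambda: {"txt": 0, "ent": []})
    for line in log.splitlines():
        client, qtype, qname = line.split()
        key = (client, registered_domain(qname))
        if qtype == "TXT":
            stats[key]["txt"] += 1
        stats[key]["ent"].append(label_entropy(qname))
    suspects = []
    for key, s in stats.items():
        avg_ent = sum(s["ent"]) / len(s["ent"])
        if s["txt"] >= min_txt and avg_ent >= min_entropy:
            suspects.append(key)
    return sorted(suspects)

if __name__ == "__main__":
    for client, domain in find_suspects(SAMPLE_LOG):
        print(f"suspicious TXT-heavy DNS traffic: {client} -> {domain}")
```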