Light Dark
November 12, 2019 By Shane Schick 2 min read

The use of text mode as an alternative Domain Name System (DNS) resource record type is giving the Glimpse malware a greater ability to evade detection, security researchers have discovered.

Full details on how the malware’s script works remain unclear, but it is written in PowerShell, executed in Visual Basic and is associated with the APT34 group, according to a blog post published by IronNet. It is also similar to malware dubbed PoisonFrog, in that it communicates with its controller by using “A” resource records. Glimpse, however, uses fewer transactions to provide tasking by using text mode, researchers said.

DNS as Network Disguise

Once it has managed to infect a particular machine and checks for a directory and lock file, Glimpse deletes the file if it is older than 10 minutes and creates a new one. If it is operating in text mode, the malware then transmits a DNS query it has manually created over a UDP Socket.

Random data is inserted into the query string with the AdrGen function as the malware tests its ability to send and receive between the infected machine and the cybercriminals’ command and control (C&C) server.

All this means that Glimpse can use something other than existing .NET DNS libraries, which researchers said shows how well the authors of such threats, including PoisonFrog, can change up their approach to achieve a specific objective. Given the level of DNS traffic that runs over corporate networks, Glimpse’s techniques make it far easier for it to be overlooked by IT security teams.

The Best Way to Spot Glimpse

The researchers suggested that chief information security officers (CISOs) could possibly avoid such threats by trying to recognize the randomness in subdomain levels by performing what are known as entropy calculations. They admitted, however, that this approach might not be comprehensive enough to know with certainty that the traffic in question is laden with malware.

Other options include the use of ahead-of-threat detection, which can help organizations spot phishing websites that might lead to malware like Glimpse that winds up on the network. A solid traffic analytics platform, meanwhile, can provide real-time alerts as well as attack prediction.

 |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature