November 12, 2019 By Shane Schick 2 min read

The use of text mode as an alternative Domain Name System (DNS) resource record type is giving the Glimpse malware a greater ability to evade detection, security researchers have discovered.

Full details on how the malware’s script works remain unclear, but it is written in PowerShell, executed in Visual Basic and is associated with the APT34 group, according to a blog post published by IronNet. It is also similar to malware dubbed PoisonFrog, in that it communicates with its controller by using “A” resource records. Glimpse, however, uses fewer transactions to provide tasking by using text mode, researchers said.

DNS as Network Disguise

Once it has managed to infect a particular machine and checks for a directory and lock file, Glimpse deletes the file if it is older than 10 minutes and creates a new one. If it is operating in text mode, the malware then transmits a DNS query it has manually created over a UDP Socket.

Random data is inserted into the query string with the AdrGen function as the malware tests its ability to send and receive between the infected machine and the cybercriminals’ command and control (C&C) server.

All this means that Glimpse can use something other than existing .NET DNS libraries, which researchers said shows how well the authors of such threats, including PoisonFrog, can change up their approach to achieve a specific objective. Given the level of DNS traffic that runs over corporate networks, Glimpse’s techniques make it far easier for it to be overlooked by IT security teams.

The Best Way to Spot Glimpse

The researchers suggested that chief information security officers (CISOs) could possibly avoid such threats by trying to recognize the randomness in subdomain levels by performing what are known as entropy calculations. They admitted, however, that this approach might not be comprehensive enough to know with certainty that the traffic in question is laden with malware.

Other options include the use of ahead-of-threat detection, which can help organizations spot phishing websites that might lead to malware like Glimpse that winds up on the network. A solid traffic analytics platform, meanwhile, can provide real-time alerts as well as attack prediction.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today