November 12, 2019 By Shane Schick

The use of text mode as an alternative Domain Name System (DNS) resource record type is giving the Glimpse malware a greater ability to evade detection, security researchers have discovered.

Full details on how the malware’s script works remain unclear, but it is written in PowerShell, executed in Visual Basic and is associated with the APT34 group, according to a blog post published by IronNet. It is also similar to malware dubbed PoisonFrog, in that it communicates with its controller by using “A” resource records. Glimpse, however, uses fewer transactions to provide tasking by using text mode, researchers said.

DNS as Network Disguise

Once it has infected a machine, Glimpse checks for a directory and lock file, deletes the file if it is older than 10 minutes and creates a new one. If it is operating in text mode, the malware then transmits a manually constructed DNS query over a UDP socket.

Random data is inserted into the query string with the AdrGen function as the malware tests its ability to send and receive between the infected machine and the cybercriminals’ command and control (C&C) server.

All this means that Glimpse can use something other than existing .NET DNS libraries, which researchers said shows how well the authors of such threats, including PoisonFrog, can change up their approach to achieve a specific objective. Given the level of DNS traffic that runs over corporate networks, Glimpse’s techniques make it far easier for it to be overlooked by IT security teams.

The Best Way to Spot Glimpse

The researchers suggested that chief information security officers (CISOs) could possibly avoid such threats by using entropy calculations to recognize randomness in subdomain levels. They admitted, however, that this approach might not be comprehensive enough to establish with certainty that the traffic in question is laden with malware.
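The entropy calculation described above, as an added example that is not from the article or from IronNet's post: it scores the subdomain portion of constructed query names with Shannon entropy. The function names, the 3.8-bit threshold, the 12-character minimum and the two-label registered-domain rule are assumptions for illustration; the last sample is a benign hashed hostname that is flagged anyway, which is the limitation the researchers acknowledge.

```python
import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return sum(c / n * math.log2(n / c) for c in Counter(s).values())

def subdomain_part(qname: str, base_labels: int = 2) -> str:
    """Labels left of the registered domain, joined without dots.
    Assumption: the registered domain is the last `base_labels` labels;
    real traffic needs the Public Suffix List (co.uk and similar)."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-base_labels])

def score_queries(qnames, min_len=12, threshold=3.8):
    """Map each query name to (entropy, flagged).
    min_len and threshold are illustrative; tune them on baseline traffic.
    Short subdomains are never flagged: entropy over a few characters
    says little about randomness."""
    results = {}
    for q in qnames:
        sub = subdomain_part(q)
        h = shannon_entropy(sub)
        results[q] = (round(h, 2), len(sub) >= min_len and h >= threshold)
    return results

# Constructed sample query names (not real Glimpse traffic or indicators).
SAMPLE_QNAMES = [
    "www.example.com",                    # ordinary host
    "autodiscover.outlook.example.com",   # long but word-like
    "k3v9x2qa7bz0m4tw.example.net",       # random-looking label
    "d1f8c27a9e3b4065.cdn-example.net",   # benign hashed asset host
]

if __name__ == "__main__":
    for name, (h, flagged) in score_queries(SAMPLE_QNAMES).items():
        print(f"{h:5.2f}  {'FLAG' if flagged else 'ok  '}  {name}")
```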

Other options include the use of ahead-of-threat detection, which can help organizations spot phishing websites that might lead to malware like Glimpse winding up on the network. A solid traffic analytics platform, meanwhile, can provide real-time alerts as well as attack prediction.
