Light Dark
November 12, 2019 By Shane Schick 2 min read

The use of text mode as an alternative Domain Name System (DNS) resource record type is giving the Glimpse malware a greater ability to evade detection, security researchers have discovered.

Full details on how the malware’s script works remain unclear, but it is written in PowerShell, executed in Visual Basic and is associated with the APT34 group, according to a blog post published by IronNet. It is also similar to malware dubbed PoisonFrog, in that it communicates with its controller by using “A” resource records. Glimpse, however, uses fewer transactions to provide tasking by using text mode, researchers said.

DNS as Network Disguise

Once it has managed to infect a particular machine and checks for a directory and lock file, Glimpse deletes the file if it is older than 10 minutes and creates a new one. If it is operating in text mode, the malware then transmits a DNS query it has manually created over a UDP Socket.

Random data is inserted into the query string with the AdrGen function as the malware tests its ability to send and receive between the infected machine and the cybercriminals’ command and control (C&C) server.

All this means that Glimpse can use something other than existing .NET DNS libraries, which researchers said shows how well the authors of such threats, including PoisonFrog, can change up their approach to achieve a specific objective. Given the level of DNS traffic that runs over corporate networks, Glimpse’s techniques make it far easier for it to be overlooked by IT security teams.

The Best Way to Spot Glimpse

The researchers suggested that chief information security officers (CISOs) could possibly avoid such threats by trying to recognize the randomness in subdomain levels by performing what are known as entropy calculations. They admitted, however, that this approach might not be comprehensive enough to know with certainty that the traffic in question is laden with malware.

Other options include the use of ahead-of-threat detection, which can help organizations spot phishing websites that might lead to malware like Glimpse that winds up on the network. A solid traffic analytics platform, meanwhile, can provide real-time alerts as well as attack prediction.

 |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature