| Spearal | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | Iran |
| Targeted Countries | Iraq |
| Date of Initial Activity | 2024 |
| Associated Groups | APT34 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
Spearal is a highly sophisticated backdoor malware that leverages DNS tunneling for covert communication with its Command and Control (C2) server. Written in .NET, Spearal is designed to operate stealthily within a victim’s network, making it particularly challenging for traditional security measures to detect. Unlike more conventional malware that communicates over HTTP or HTTPS protocols, Spearal utilizes DNS queries to transfer data, exploiting a protocol typically overlooked by many network monitoring systems. This use of DNS tunneling allows Spearal to slip past firewalls and intrusion detection systems that permit outbound DNS without inspecting it, helping it maintain a foothold within an infected environment.
Once deployed, Spearal establishes a persistent connection to the C2 server, enabling the attacker to remotely control the infected system. The malware’s configuration file contains key information such as the server address and other parameters that dictate its behavior. Spearal sends data encoded in base32 format through DNS queries, which are directed to a predefined domain, or if none is specified, defaults to iqwebservice[.]com. This approach both conceals the malware’s communication inside ordinary-looking DNS traffic and adds a layer of obfuscation: base32 is an encoding rather than encryption, so it offers no confidentiality, but it keeps readable command strings out of the query names and makes the traffic harder for analysts to recognize as malicious.
Targets
Public Administration
Information
How they operate
At its core, Spearal relies on a DNS-based communication method, where it sends base32-encoded data within the subdomains of DNS queries. The malware retrieves the C2 server address from its configuration file, under the “srvip” field, or defaults to the domain iqwebservice[.]com. This domain serves as the endpoint for all communications between the infected system and the attacker. The malware uses a series of DNS TXT records, which are designed to carry arbitrary data. These TXT records are not only used for sending commands to the C2 server but also for receiving responses, making this a two-way communication channel that can be used for a variety of malicious actions.
The operation of Spearal begins with an initial authentication step. When the malware first connects to the C2 server, it sends a base32-encoded DNS query containing the string “auth:;” followed by the username. The server responds with a target_comm_id, which serves as a unique identifier for the infected machine and will be used in all subsequent communications. This mechanism allows the attacker to track and control multiple infected machines individually. The malware continues to use this target_comm_id in future queries to request specific commands and send results back to the C2 server.
Once the authentication is complete, Spearal enters its command-requesting phase. The malware sends a DNS query with the string “cmd:;” followed by the target_comm_id. In response, the C2 server provides one of several commands that dictate the actions the malware will perform. These commands include executing PowerShell scripts on the infected machine, downloading files and sending them to the C2 server, or uploading content from the C2 to the infected machine. The malware’s use of DNS queries for all communications ensures that these actions are discreet and difficult to detect by conventional monitoring systems.
When the malware executes a command, the results are sent back to the C2 server in small, segmented chunks to avoid detection. The first message contains a “crs:;” query, which indicates the start of a command result transfer, followed by the command ID and the number of chunks needed to transfer the data. Each chunk is transmitted via a “crb:;” query, which includes the command ID, chunk index, and the chunk data itself. The C2 server responds with either an acknowledgment message (“rok:;”) or the final “end” response when the data transfer is complete. This process ensures that large amounts of data can be sent without triggering alerts from intrusion detection systems that monitor for large, unusual transfers.
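The authentication, command-request and chunked-result exchanges described above translate directly into a detection rule: decode the base32 subdomain labels of queries to the C2 domain and look for the "auth:;", "cmd:;", "crs:;" and "crb:;" markers. The following Python is an added example written for this page; it is not Spearal's code and not from any vendor tool. It uses the default domain the page names, and it assumes details the page does not state: that base32 padding is stripped and labels are lowercase in the query name, that fields after a marker are ";"-separated, and a BIND-style query-log line format for the constructed sample lines.

```python
import base64
import re
from typing import Optional

# Default C2 domain from the page (used when the config "srvip" field is absent).
C2_DOMAIN = "iqwebservice.com"
# Message markers the page attributes to Spearal's DNS channel.
MARKERS = ("auth:;", "cmd:;", "crs:;", "crb:;")


def encode_query(payload: str, domain: str = C2_DOMAIN, label_len: int = 60) -> str:
    """Build a query name as the page describes: base32 data carried in subdomain labels.
    ASSUMPTION: padding is stripped and labels are lowercase; the page does not say."""
    b32 = base64.b32encode(payload.encode()).decode().rstrip("=").lower()
    labels = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return ".".join(labels + [domain])


def decode_subdomain(qname: str, domain: str = C2_DOMAIN) -> Optional[str]:
    """Reverse of encode_query: strip the C2 domain, rejoin labels, re-pad, base32-decode.
    Returns None when the name is not under the domain or does not decode cleanly."""
    name = qname.rstrip(".").lower()
    suffix = "." + domain
    if not name.endswith(suffix):
        return None
    data = name[: -len(suffix)].replace(".", "").upper()
    if not re.fullmatch(r"[A-Z2-7]+", data):
        return None
    try:
        return base64.b32decode(data + "=" * (-len(data) % 8)).decode("utf-8")
    except ValueError:  # bad padding, bad alphabet or non-UTF-8 bytes
        return None


def classify(decoded: str) -> Optional[dict]:
    """Map a decoded payload to the message types the page lists.
    ASSUMPTION: fields after the marker are ';'-separated (the page gives only the markers)."""
    for marker in MARKERS:
        if decoded.startswith(marker):
            return {"type": marker.rstrip(":;"), "fields": decoded[len(marker):].split(";")}
    return None


# Minimal BIND-style query-log pattern: "client 10.0.0.5#51234 (name): query: name IN TXT +"
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def scan_log(lines):
    """Return one detection record per query that decodes to a Spearal-style message."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = decode_subdomain(m["qname"])
        msg = classify(decoded) if decoded is not None else None
        if msg is not None:
            hits.append({"src": m["src"], "qtype": m["qtype"], "qname": m["qname"], **msg})
    return hits


class ResultReassembler:
    """Track the crs/crb exchange: crs announces (cmd_id, chunk count); crb carries
    (cmd_id, index, data). feed() returns the joined data once every chunk has arrived."""

    def __init__(self):
        self.expected = {}
        self.chunks = {}

    def feed(self, msg: dict) -> Optional[str]:
        if msg["type"] == "crs":
            cmd_id, count = msg["fields"][0], int(msg["fields"][1])
            self.expected[cmd_id] = count
            self.chunks.setdefault(cmd_id, {})
        elif msg["type"] == "crb":
            cmd_id, idx = msg["fields"][0], int(msg["fields"][1])
            self.chunks.setdefault(cmd_id, {})[idx] = ";".join(msg["fields"][2:])
            if self.expected.get(cmd_id) == len(self.chunks[cmd_id]):
                return "".join(self.chunks[cmd_id][i] for i in sorted(self.chunks[cmd_id]))
        return None


def _log_line(src: str, qname: str) -> str:
    return f"12-Aug-2024 10:15:01.000 client {src}#51234 ({qname}): query: {qname} IN TXT + (10.0.0.1)"


# Constructed sample log, not real telemetry; usernames and IDs are made up.
SAMPLE_LOG = [
    _log_line("10.0.0.5", "www.example.com"),
    _log_line("10.0.0.5", encode_query("auth:;jdoe")),
    _log_line("10.0.0.5", encode_query("cmd:;7f3a")),
    _log_line("10.0.0.5", encode_query("crs:;42;2")),
    _log_line("10.0.0.5", encode_query("crb:;42;0;hello ")),
    _log_line("10.0.0.5", encode_query("crb:;42;1;world")),
    _log_line("10.0.0.9", "mail.iqwebservice.com"),  # under the domain, but not a marker message
]


def reassemble_from_log(lines) -> Optional[str]:
    """Run the scanner and feed crs/crb hits to the reassembler; returns the first completed result."""
    ra = ResultReassembler()
    for hit in scan_log(lines):
        done = ra.feed(hit)
        if done is not None:
            return done
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["type"], hit["fields"])
    print("reassembled:", reassemble_from_log(SAMPLE_LOG))
```

In production the decoder would run over resolver or DNS-firewall logs rather than a list, and the domain list would come from threat intelligence rather than a single constant; the structure (decode, classify by marker, reassemble chunked results per command ID) stays the same.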
Spearal’s use of DNS tunneling, combined with its ability to encode and segment communication, allows it to fly under the radar of many network defenses. This method not only evades conventional security tools but also provides the attacker with a reliable, persistent communication channel that can be maintained for long periods. The malware’s design demonstrates the growing sophistication of cyber threats, as it exploits trusted protocols and encoding techniques to carry out a variety of malicious operations while avoiding detection. Understanding the technical workings of Spearal is essential for developing detection mechanisms and defensive strategies to counteract such advanced threats.