
RoyalDNS

Posted: July 19, 2019

RoyalDNS is a backdoor Trojan that can provide threat actors with access to, and control over, your computer. Its presence is associated with attacks by K3chang, a group that preferentially compromises diplomatic and other government-related targets. Appropriate network security measures are useful for avoiding infections, and traditional anti-malware products should delete RoyalDNS safely.

European Royalty's Trojan Tribulations

Among K3chang's carefully cultivated series of Trojans with backdoor and command-shell functions, RoyalDNS is possibly the most selectively deployed. Although it bears significant resemblances to past Trojans, including BS2005, Ketrican, and the Tidepool family, its known deployment covers a relatively short period of just two years, against UK government-affiliated entities. This restricted deployment most likely says less about any inadequacy on RoyalDNS's part than about the criminals' hope of avoiding analysis by rotating through their supply of Trojans.

RoyalDNS plays the part of a backdoor Trojan that helps threat actors take over a network and move laterally through it, just like Ketrican or BS2005. RoyalDNS is somewhat unusual among these programs in that, for unknown reasons, it uses a persistence mechanism that doesn't depend on batch scripts. In other ways, it's closer to its fellow backdoor Trojans, especially in its Internet Explorer-hijacking method of contacting its C&C domains.

After making contact, RoyalDNS awaits commands, which can include downloading other threats (such as Mimikatz, which is part of K3chang's toolkit), exfiltrating information, or modifying settings or files. RoyalDNS's usage is manual: the hackers type commands into a CMD interface one by one. However, with demonstrated knowledge of various system commands, K3chang can use RoyalDNS to compromise the rest of a network's PCs and to misuse a variety of recon-suitable tools, like Tasklist and Netstat.
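The behaviour described above gives defenders two things to look for in process-creation telemetry: a command shell whose parent is the browser the backdoor hijacks for its C&C traffic, and a short burst of distinct recon utilities (Tasklist, Netstat) launched from one shell, which is what operators typing commands one by one looks like in logs. The following Python is an added example written for this page, not code from the original article or from any vendor tooling. The log format and the sample events are constructed for the example, modelled loosely on Sysmon Event ID 1 fields; treating iexplore.exe as an anomalous parent for cmd.exe is this example's assumption, since the page only says that Internet Explorer is hijacked for C&C contact.

```python
"""Process-creation heuristics for the recon pattern described on the page (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Recon utilities the page names (Tasklist, Netstat) plus two common ones (assumption).
RECON_TOOLS = {"tasklist.exe", "netstat.exe", "ipconfig.exe", "whoami.exe"}
# Assumption: the hijacked browser shows up as the parent of the operator's shell.
BROWSER_PARENTS = {"iexplore.exe"}
SHELLS = {"cmd.exe"}
BURST_WINDOW = timedelta(minutes=5)   # how close together the recon commands must be
BURST_MIN_TOOLS = 2                   # distinct tools needed before we alert


@dataclass
class ProcEvent:
    utc_time: datetime
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    parent_guid: str    # identifier of the parent process instance
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=value|Key=value' line (constructed format, not Sysmon's real XML)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(
        utc_time=datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        parent_guid=fields["ParentProcessGuid"],
        command_line=fields["CommandLine"],
    )


def detect(events: List[ProcEvent]) -> List[str]:
    """Return human-readable alerts for the two patterns described in the text."""
    alerts: List[str] = []

    # Rule 1: a command shell whose parent is a browser (the C&C channel the page describes).
    for ev in events:
        if basename(ev.image) in SHELLS and basename(ev.parent_image) in BROWSER_PARENTS:
            alerts.append(f"{ev.utc_time:%H:%M:%S} shell {ev.image} spawned by {ev.parent_image}")

    # Rule 2: several distinct recon tools run from the same shell inside a short window,
    # matching the page's description of commands being typed into CMD one by one.
    by_shell: Dict[str, List[ProcEvent]] = {}
    for ev in events:
        if basename(ev.image) in RECON_TOOLS and basename(ev.parent_image) in SHELLS:
            by_shell.setdefault(ev.parent_guid, []).append(ev)
    for guid, runs in by_shell.items():
        runs.sort(key=lambda e: e.utc_time)
        for i, first in enumerate(runs):
            window = [e for e in runs[i:] if e.utc_time - first.utc_time <= BURST_WINDOW]
            tools = {basename(e.image) for e in window}
            if len(tools) >= BURST_MIN_TOOLS:
                alerts.append(f"recon burst from shell {guid}: {sorted(tools)}")
                break  # one alert per shell instance is enough
    return alerts


# Constructed sample events: one browser-spawned shell that runs tasklist and netstat,
# and one ordinary explorer-spawned shell that only runs ipconfig (should not alert).
SAMPLE_LOG = r"""
UtcTime=2019-07-19 09:00:01|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|ParentProcessGuid={IE-1}|CommandLine=cmd.exe
UtcTime=2019-07-19 09:00:20|Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Windows\System32\cmd.exe|ParentProcessGuid={CMD-1}|CommandLine=tasklist
UtcTime=2019-07-19 09:01:05|Image=C:\Windows\System32\NETSTAT.EXE|ParentImage=C:\Windows\System32\cmd.exe|ParentProcessGuid={CMD-1}|CommandLine=netstat -ano
UtcTime=2019-07-19 10:30:00|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|ParentProcessGuid={EXP-1}|CommandLine=cmd.exe
UtcTime=2019-07-19 10:30:10|Image=C:\Windows\System32\ipconfig.exe|ParentImage=C:\Windows\System32\cmd.exe|ParentProcessGuid={CMD-2}|CommandLine=ipconfig /all
"""


def load_sample() -> List[ProcEvent]:
    return [parse_event(line) for line in SAMPLE_LOG.strip().splitlines()]


if __name__ == "__main__":
    for alert in detect(load_sample()):
        print(alert)
```

Run as a script, it prints one alert for the browser-spawned shell and one for the tasklist/netstat burst from shell `{CMD-1}`; the explorer-spawned shell that only runs ipconfig stays quiet. In a real deployment the parent-image list and the burst thresholds would be tuned to the environment, since help-desk staff also run these utilities from cmd.exe.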

Keeping Programs from Having Unearned Royal Privilege

The average Windows user isn't likely to encounter RoyalDNS infections, which, like Ketrican or its sometimes-dropper Okrum, tend to target government diplomatic networks. Network admins should, however, take all of the usual precautions for hardening their systems against attacks. These steps include, but aren't limited to:

  • Using secure passwords that don't match easily guessable or factory-default values keeps threat actors from brute-forcing your logins.
  • Updating software when appropriate closes potential remote code-execution vulnerabilities like CVE-2019-2725 (used in deploying the REvil Ransomware).
  • Disabling RDP features should be considered mandatory for eliminating the possibility of an attacker gaining admin privileges.
  • E-mails should be inspected thoroughly for phishing tactics, such as attached documents carrying macros that download threats.

Similarly, keeping one's anti-malware services updated is advisable against all threats, since without the latest database and heuristic rules they may be unable to identify or remove RoyalDNS accurately.

There's no telling whether K3chang will use RoyalDNS again or whether it will be retired, à la BS2005. Admins with responsibilities and careers on the line should assume the worst and protect their servers with corresponding care.
