Researchers uncover PowerShell Trojan that uses DNS queries to get its orders

Enlarge (credit: Abraxas3d)

Researchers at Cisco’s Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.

The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco’s SourceFire security appliances in particular with the encoded text, "SourceFireSux."

Delivered as an e-mail attachment, the malicious Word document was crafted "to appear as if it were associated with a secure e-mail service that is secured by McAfee," wrote Talos researchers Edmund Brumaghin and Colin Grady in a blog post to be published later today.

Read 5 remaining paragraphs | Comments

Source: Risk Assessment – Ars Technica @ March 2, 2017 at 10:00AM