Pigeon Feed
 PowerShell Trojan that uses DNS queries to get its orders 
Overview

Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.

Delivered as an e-mail attachment, the malicious Word document was crafted "to appear as if it were associated with a secure e-mail service that is secured by McAfee

Once opened, the document launches a Visual Basic for Applications macro to launch PowerShell commands to install the backdoor onto the system.

The VBA script unpacks a compressed and obfuscated second stage of PowerShell, which determines whether the user who let loose the malware has administrative access and what version of PowerShell is installed on the system.

The backdoor periodically makes DNS requests to one of a series of domains hard-coded into the script. As part of those requests, it retrieves TXT records from the domain, which contain further PowerShell commands—commands that are executed but never written to the local system. This "fourth stage" script is the actual remote control tool used by the attacker. "Stage 4 is responsible for querying the C2 servers via DNS TXT message requests to ask what commands to execute,"

Details at link


Fri Mar 03, 2017 1:01 am
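An added detection sketch, not code from the article or from the Talos research, showing how the behaviour described in the post could be surfaced from DNS-query telemetry: it groups TXT lookups by process and queried name, then flags steadily repeating lookups whose answers look like encoded command blobs. The record layout, process paths, domain and TXT answers are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records shaped like Sysmon Event ID 22 fields (UtcTime|Image|QueryType|QueryName|QueryResults).
# Process paths, domain and TXT answers are made up for this example; the domain uses the reserved .invalid TLD.
SAMPLE_LOG = """\
2017-03-03 01:00:00.000|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TXT|cmd.c2-example.invalid|dmFyIGEgPSBHZXQtUHJvY2Vzcw==
2017-03-03 01:00:30.000|C:\\Program Files\\Mozilla Firefox\\firefox.exe|A|www.example.com|192.0.2.10
2017-03-03 01:01:00.000|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TXT|cmd.c2-example.invalid|aWV4IChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQp
2017-03-03 01:02:00.000|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|TXT|cmd.c2-example.invalid|U3RhcnQtU2xlZXAgLVNlY29uZHMgNjA=
2017-03-03 01:05:12.000|C:\\Windows\\System32\\svchost.exe|TXT|_dmarc.example.com|v=DMARC1; p=none
"""

BASE64ISH = re.compile(r"^[A-Za-z0-9+/=]{24,}$")  # base64 alphabet only and >= 24 chars: treat as encoded

def parse(log_text):
    """Split pipe-delimited records into dicts; the timestamp becomes a datetime."""
    rows = []
    for line in filter(None, log_text.splitlines()):
        ts, image, qtype, qname, answer = line.split("|", 4)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "image": image, "qtype": qtype, "qname": qname, "answer": answer})
    return rows

def score_txt_queries(rows, min_queries=3, max_jitter_s=5.0):
    """Group TXT lookups by (process, name) and flag groups showing at least two of:
    a steady beacon interval, all-encoded answers, and a PowerShell host process."""
    groups = defaultdict(list)
    for r in rows:
        if r["qtype"] == "TXT":
            groups[(r["image"], r["qname"])].append(r)
    alerts = []
    for (image, qname), items in groups.items():
        if len(items) < min_queries:
            continue  # too few samples to judge periodicity
        items.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(items, items[1:])]
        reasons = []
        if statistics.pstdev(gaps) <= max_jitter_s:
            reasons.append("steady %.0fs beacon interval" % statistics.mean(gaps))
        if all(BASE64ISH.match(r["answer"]) for r in items):
            reasons.append("every TXT answer looks base64-encoded")
        if image.lower().endswith("powershell.exe"):
            reasons.append("queries issued by powershell.exe")
        if len(reasons) >= 2:
            alerts.append({"image": image, "qname": qname, "count": len(items), "reasons": reasons})
    return alerts
```

The DMARC lookup from svchost.exe is a single, human-readable TXT answer and is not flagged, which is the kind of benign TXT traffic a rule like this must tolerate.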