PowerShell Trojan that uses DNS queries to get its orders

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Post by Pigeon » Fri Mar 03, 2017 12:01 am

Overview

Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.

Delivered as an e-mail attachment, the malicious Word document was crafted "to appear as if it were associated with a secure e-mail service that is secured by McAfee."

Once opened, the document launches a Visual Basic for Applications macro to launch PowerShell commands to install the backdoor onto the system.

The VBA script unpacks a compressed and obfuscated second stage of PowerShell, which determines whether the user who let loose the malware has administrative access and what version of PowerShell is installed on the system.

The backdoor periodically makes DNS requests to one of a series of domains hard-coded into the script. As part of those requests, it retrieves TXT records from the domain, which contain further PowerShell commands—commands that are executed but never written to the local system. This "fourth stage" script is the actual remote control tool used by the attacker. "Stage 4 is responsible for querying the C2 servers via DNS TXT message requests to ask what commands to execute,"

Details at link
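On the defensive side, the channel described above (periodic TXT queries that return long, command-carrying answers) leaves a recognisable footprint in resolver logs. The following is an added example, not code from the post or from Talos; it assumes a simple constructed "timestamp client qname qtype answer_length" log layout and a crude two-label registered-domain heuristic, both of which you would adapt to your own resolver or Zeek dns.log format.

```python
# Added example (not from the post or Talos): heuristic detection of a TXT-record
# command channel in DNS query logs, as described in the DNSMessenger write-up.
import re
import statistics
from collections import defaultdict

# Constructed sample log lines in an assumed "ts client qname qtype answer_len" form;
# adapt LINE_RE to your resolver's or Zeek's dns.log layout.
SAMPLE_LOG = """\
1488499200 10.0.0.5 www.example.com A 4
1488499201 10.0.0.7 a1.cmd.badexample.test TXT 312
1488499261 10.0.0.7 b2.cmd.badexample.test TXT 298
1488499321 10.0.0.7 c3.cmd.badexample.test TXT 305
1488499381 10.0.0.7 d4.cmd.badexample.test TXT 330
1488499441 10.0.0.7 e5.cmd.badexample.test TXT 290
1488499300 10.0.0.5 _dmarc.example.com TXT 92
1488499400 10.0.0.9 example.org MX 20
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")

def registered_domain(qname):
    # Crude two-label "registered domain"; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_txt_beacons(log_text, min_queries=4, min_answer_len=200, max_jitter=0.25):
    """Return {(client, domain): summary} for clients that repeatedly pull long TXT
    answers from one domain at a steady interval, the shape of a TXT-based C2 poll."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "TXT":
            continue  # only TXT lookups matter for this channel
        ts, client, qname, _, alen = m.groups()
        buckets[(client, registered_domain(qname))].append((int(ts), int(alen)))
    hits = {}
    for key, events in buckets.items():
        if len(events) < min_queries:
            continue  # a lone TXT lookup (SPF, DMARC) is normal
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        mean_len = statistics.mean([length for _, length in events])
        if mean_len >= min_answer_len and jitter <= max_jitter:
            hits[key] = {"queries": len(events), "mean_gap_s": mean_gap,
                         "mean_answer_len": mean_len}
    return hits

if __name__ == "__main__":
    for key, info in find_txt_beacons(SAMPLE_LOG).items():
        print(key, info)
```

Thresholds are deliberately conservative; legitimate TXT traffic (SPF, DKIM, DMARC, domain-verification records) is sparse and short, so tune min_queries and min_answer_len against a baseline of your own resolver logs before alerting.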
