Cisco has a separate threat research group called Talos. They just published a report on a scary new form of malware that’s hard to detect.
They called it DNSMessenger, and the malicious code uses Microsoft PowerShell scripts to hide itself in memory and connect directly with a command & control server using the compromised machine’s Domain Name System (DNS) port.
It’s distributed through a phishing campaign with a Microsoft Word document attached, trying to look like a known or reputable source.
Once the user opens the file, it pretends to be a protected document secured by McAfee Security and asks the user to click once more to view the content that was supposedly in the original file. As you might guess, the file has no content; the second click instead executes the malicious script hidden in the file, leading to the workstation being compromised.
Here is the new angle that makes it hard to detect. The malicious code does everything in memory, and the second stage is stored in an NTFS Alternate Data Stream (on the standard Windows file system) or directly inside the registry, while a third-stage PowerShell script establishes communications with a command-and-control server over DNS, which is used to pass text messages back and forth. Normally, HTTP and HTTPS gateways are monitored by security software, but that’s not always the case for DNS, and the hackers know it.
Talos could not immediately see what commands are going back and forth: “We were unable to get the C2 (command and control) infrastructure to issue us commands during our testing,” the Talos team said in a blog post Thursday. “Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.”
“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos team added. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc., DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
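To make the Talos point concrete, here is an added example (not from Talos or the original post) of the kind of check a defender can run over DNS query logs: it flags domains that receive many distinct TXT queries from a workstation, and query names whose left-most label is long and high-entropy, which is what encoded C2 messages tucked into DNS names tend to look like. The log format, host names and the `c2-placeholder.example` domain are all constructed for this example.

```python
# Added example: heuristics for spotting DNS used as a C2 channel, as in the
# DNSMessenger write-up above. Log format, hosts and domains are constructed.
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
10:00:01 ws-17 www.example.com A
10:00:02 ws-17 mail.example.com MX
10:00:03 ws-17 a9f3k2qzx7mb4t1pwe8r.c2-placeholder.example TXT
10:00:04 ws-17 q81zmk3vx0tr9pya2cwe.c2-placeholder.example TXT
10:00:05 ws-17 7trxp0ckq2ma9zvy1bwe.c2-placeholder.example TXT
10:00:06 ws-17 z0pq9k3xm7arvtw1c8ye.c2-placeholder.example TXT
10:00:07 ws-22 _dmarc.example.com TXT
"""

def shannon_entropy(s):
    """Bits per character of s; encoded payload labels score high."""
    if not s:
        return 0.0
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def registered_domain(qname):
    """Crude eTLD+1 (last two labels); adequate for the constructed sample."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_queries(log_text, label_len=16, min_entropy=3.5, min_txt=3):
    """Return {domain: [reasons]} for domains that look like a DNS C2 channel."""
    txt_names = defaultdict(set)      # distinct TXT qnames per domain
    odd_labels = defaultdict(int)     # long, high-entropy left-most labels
    for line in log_text.splitlines():
        _ts, _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        first = qname.split(".")[0]
        if qtype == "TXT":            # DNSMessenger carried its data in TXT answers
            txt_names[dom].add(qname)
        if len(first) >= label_len and shannon_entropy(first) >= min_entropy:
            odd_labels[dom] += 1
    findings = {}
    for dom in set(txt_names) | set(odd_labels):
        reasons = []
        if len(txt_names[dom]) >= min_txt:
            reasons.append(f"{len(txt_names[dom])} distinct TXT queries")
        if odd_labels[dom]:
            reasons.append(f"{odd_labels[dom]} high-entropy long labels")
        if reasons:
            findings[dom] = reasons
    return findings
```

Legitimate TXT lookups such as `_dmarc.example.com` stay below the thresholds, while the constructed C2 domain is reported on both counts; tune `label_len`, `min_entropy` and `min_txt` against your own baseline before alerting on them.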
Which user will infect your network with malware? We’ve got something really cool for you: the new Phishing Security Test v2.0!
It’s got several great new features, and sending simulated phishing emails to train your employees is a fun and effective best practice to patch your last line of defense… your users.
The phish-prone percentage is usually higher than you expect and is great ammo to get budget. You can now find out the current Phish-prone percentage of your organization and who might infect your network with ransomware.