Researchers uncover PowerShell Trojan that uses DNS queries to get its orders


  • DNSMessenger malware uses DNS TXT records and PowerShell to create a backdoor for command-and-control (C2) communication

    DNS was already being used for data exfiltration; now it is also used as a channel for malware to talk to C2 servers and obtain PowerShell instructions.

    This allows the attacker to use DNS traffic to submit new commands to be run on infected machines and to return the results of the command execution, in a way that evades many security mechanisms and goes undetected.

    The infection is spread through a Word document that pretends to be protected by McAfee and asks the recipient to Enable Content (allow macros) in order to view it.

    Technical details are found here:

    http://blog.talosintelligence.com/2017/03/dnsmessenger.html

    #Talos
    #DNS
    #malware
    #PowerShell

    • Researchers uncover PowerShell Trojan that uses DNS queries to get its orders

      https://arstechnica.com/security/2017/03/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-

      The backdoor periodically makes DNS requests to one of a series of domains hard-coded into the script. As part of those requests, it retrieves TXT records from the domain, which contain further PowerShell commands—commands that are executed but never written to the local system. This “fourth stage” script is the actual remote control tool used by the attacker. “Stage 4 is responsible for querying the C2 servers via DNS TXT message requests to ask what commands to execute,” Edmund Brumaghin told Ars via e-mail. “If a command is received, it is then executed and the output or results of the command are communicated back to the C2 server. This basically gives the attacker the ability to execute any Windows or application commands available on the infected host.”
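The behaviour described above (periodic TXT queries to a small set of hard-coded domains, with large answers carrying commands) leaves a footprint in DNS logs that a defender can look for. The following Python is an added example, not code from Talos, Ars Technica or the malware analysis; it runs a few simple beaconing heuristics over constructed sample log lines. The log format (timestamp, client IP, query name, query type, answer length), the domain `example-c2.test`, and the thresholds are all assumptions chosen for the demonstration.

```python
"""Flag hosts whose DNS TXT query pattern resembles DNSMessenger-style C2 beaconing.

Added example: the log format, sample lines, thresholds and domain names
below are constructed for illustration and are not taken from the
original article or from Talos telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log: timestamp, client IP, query name, query type, answer length (bytes).
# 10.0.0.7 queries a single domain for TXT records every 30 seconds and gets large answers;
# the other clients show ordinary lookup behaviour.
SAMPLE_LOG = """\
2017-03-02T10:00:00 10.0.0.5 www.example.com A 0
2017-03-02T10:00:01 10.0.0.5 cdn.example.net A 0
2017-03-02T10:00:02 10.0.0.9 mail.example.com MX 0
2017-03-02T10:00:03 10.0.0.5 _dmarc.example.com TXT 80
2017-03-02T10:00:30 10.0.0.7 a1b2c3.example-c2.test TXT 1300
2017-03-02T10:01:00 10.0.0.7 d4e5f6.example-c2.test TXT 1250
2017-03-02T10:01:30 10.0.0.7 g7h8i9.example-c2.test TXT 1400
2017-03-02T10:02:00 10.0.0.7 j0k1l2.example-c2.test TXT 1320
2017-03-02T10:02:30 10.0.0.7 m3n4o5.example-c2.test TXT 1280
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer_len = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower(),
            "qtype": qtype.upper(),
            "answer_len": int(answer_len),
        })
    return records


def client_stats(records):
    """Per-client summary of TXT query volume, answer size and timing regularity."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    stats = {}
    for client, recs in per_client.items():
        txt = sorted((r for r in recs if r["qtype"] == "TXT"), key=lambda r: r["ts"])
        # Seconds between consecutive TXT queries; a beacon shows near-constant gaps.
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(txt, txt[1:])]
        mean_int = sum(intervals) / len(intervals) if intervals else 0.0
        # Coefficient of variation: 0.0 means perfectly regular; None if too few samples.
        cv = pstdev(intervals) / mean_int if intervals and mean_int > 0 else None
        stats[client] = {
            "total_queries": len(recs),
            "txt_queries": len(txt),
            "txt_ratio": len(txt) / len(recs),
            "mean_txt_answer": (sum(r["answer_len"] for r in txt) / len(txt)) if txt else 0.0,
            # Registered-domain approximation: last two labels of the query name.
            "distinct_txt_domains": len({".".join(r["qname"].split(".")[-2:]) for r in txt}),
            "interval_cv": cv,
        }
    return stats


def flag_beacons(log_text, min_txt=3, min_ratio=0.5, min_answer=500, max_cv=0.25):
    """Return clients that trip at least two of three heuristics (thresholds are assumptions)."""
    flagged = {}
    for client, s in client_stats(parse_log(log_text)).items():
        reasons = []
        if s["txt_queries"] >= min_txt and s["txt_ratio"] >= min_ratio:
            reasons.append("txt_heavy")          # mostly TXT lookups is unusual for a workstation
        if s["txt_queries"] >= min_txt and s["mean_txt_answer"] >= min_answer:
            reasons.append("large_txt_answers")  # command payloads inflate TXT answers
        if s["interval_cv"] is not None and s["txt_queries"] >= min_txt and s["interval_cv"] <= max_cv:
            reasons.append("regular_interval")   # fixed sleep between check-ins
        if len(reasons) >= 2:
            flagged[client] = dict(s, reasons=reasons)
    return flagged


if __name__ == "__main__":
    for client, info in flag_beacons(SAMPLE_LOG).items():
        print(client, info["reasons"], "txt_queries=%d mean_answer=%.0f" %
              (info["txt_queries"], info["mean_txt_answer"]))
```

Requiring two independent signals keeps legitimate TXT traffic (SPF, DMARC, DKIM lookups from a mail server, for example) from being flagged on volume alone; in practice the thresholds would be tuned against a baseline of the environment's own DNS logs, and a hit would be pivoted to the host's PowerShell and process-creation telemetry rather than treated as a verdict on its own.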