Researchers uncover PowerShell Trojan that uses DNS queries to get its orders

Researchers at Cisco’s Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.


The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco’s SourceFire security appliances in particular with the encoded text, “SourceFireSux.”

Welp, someone doesn’t like SourceFire
— simpo (@Simpo13) February 24, 2017

Delivered as an e-mail attachment, the malicious Word document was crafted “to appear as if it were associated with a secure e-mail service that is secured by McAfee,” wrote Talos researchers Edmund Brumaghin and Colin Grady in a blog post to be published later today.


Read 5 remaining paragraphs | Comments

View article…