Computer Emergency Response Team of Mauritius (CERT-MU)

New Fileless Attack Using DNS Queries to Carry out PowerShell Commands


Security researchers have discovered a unique attack known as DNSMessenger, which uses DNS queries to carry out malicious PowerShell commands on compromised computers. According to the researchers, this method makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems. Experts at Cisco security research indicated that the infection chain begins with a rigged Word document sent to recipients, who are encouraged to enable content so that they can view a message. If enabled, the document launches a Visual Basic for Applications macro that runs the initial PowerShell command, which ultimately leads to the multistage attack and the eventual installation of a remote access Trojan. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with various stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.
Source: Threatpost
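The chain described above (Word document, macro, PowerShell stages, DNS queries) leaves a process lineage that a defender can hunt for in endpoint telemetry. The following is an added example, not code from CERT-MU or the cited researchers: it flags PowerShell processes descended from Word that issue repeated DNS queries. The event layout, the threshold and all sample values are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

OFFICE = {"winword.exe"}      # the article names a Word document as the lure
SHELLS = {"powershell.exe"}
DNS_THRESHOLD = 3             # assumed cut-off for this tiny sample; tune per environment

WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events in time order. id 1 = process creation, id 22 = DNS query
# (Sysmon event IDs); the dict keys and every value are made up for this example.
EVENTS = [
    {"id": 1, "guid": "A1", "parent": "E0", "image": WORD},
    {"id": 1, "guid": "B2", "parent": "A1", "image": PS},   # macro starts PowerShell
    {"id": 22, "guid": "B2", "query": "s1.example.test"},
    {"id": 1, "guid": "C3", "parent": "B2", "image": PS},   # later PowerShell stage
    {"id": 22, "guid": "C3", "query": "q1.example.test"},
    {"id": 22, "guid": "C3", "query": "q2.example.test"},
    {"id": 22, "guid": "C3", "query": "q3.example.test"},
    {"id": 1, "guid": "D4", "parent": "E0", "image": PS},   # PowerShell not started by Word
    {"id": 22, "guid": "D4", "query": "u1.example.test"},
    {"id": 22, "guid": "D4", "query": "u2.example.test"},
    {"id": 22, "guid": "D4", "query": "u3.example.test"},
]

def exe(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()

def find_office_powershell_dns(events, threshold=DNS_THRESHOLD):
    """Return {process_guid: [queries]} for PowerShell processes that descend
    from an Office process and issued at least `threshold` DNS queries."""
    tainted = set()   # Office processes and everything they spawn, at any depth
    shells = set()    # tainted processes that are PowerShell
    queries = {}
    for ev in events:
        if ev["id"] == 1:
            name = exe(ev["image"])
            if name in OFFICE or ev["parent"] in tainted:
                tainted.add(ev["guid"])
                if name in SHELLS:
                    shells.add(ev["guid"])
        elif ev["id"] == 22 and ev["guid"] in shells:
            queries.setdefault(ev["guid"], []).append(ev["query"])
    return {g: q for g, q in queries.items() if len(q) >= threshold}

if __name__ == "__main__":
    for guid, names in find_office_powershell_dns(EVENTS).items():
        print(f"ALERT process {guid}: {len(names)} DNS queries from Office-spawned PowerShell")
```

Process D4 issues as many queries as C3 but is not reported, because it has no Word ancestor; the lineage is what separates the two.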
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis