Security researchers have discovered an unusual attack, known as DNSMessenger, which uses DNS queries to carry malicious PowerShell commands to compromised computers. According to the researchers, this technique makes it difficult to detect that a remote access Trojan (RAT) is being dropped onto targeted systems. Cisco's security researchers indicated that the infection chain begins with a rigged Word document sent to recipients, who are encouraged to enable macros so that they can view a message. If macros are enabled, the document launches a Visual Basic for Applications macro that runs the initial PowerShell command, which in turn leads to a multistage attack and the eventual installation of a remote access Trojan. This is an extremely uncommon and evasive way of delivering a RAT. The use of multiple stages of PowerShell, several of them completely fileless, indicates an attacker who has taken significant measures to avoid detection.
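As an added illustration (not from the article or from Cisco's research), the following Python sketches one detection heuristic for a DNS command channel of this kind: it assumes a constructed query log in the form "timestamp client qtype qname", treats TXT queries whose leftmost label is long and high-entropy as candidate command-carrying lookups, and flags clients that issue several of them. The log lines, the domain c2-placeholder.test and the thresholds are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the article): "timestamp client qtype qname".
# Client 10.0.0.5 issues a burst of TXT lookups with hex-like leftmost labels.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 A www.example.com
2017-03-02T10:00:02 10.0.0.5 TXT 4b7a9e1f3c.cmd.c2-placeholder.test
2017-03-02T10:00:03 10.0.0.5 TXT 9d2e7f0a1b.cmd.c2-placeholder.test
2017-03-02T10:00:04 10.0.0.5 TXT e61c3a8b5d.cmd.c2-placeholder.test
2017-03-02T10:00:05 10.0.0.5 TXT 0f4a2d9c7e.cmd.c2-placeholder.test
2017-03-02T10:00:06 10.0.0.7 A mail.example.com
2017-03-02T10:00:07 10.0.0.7 TXT example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def flag_dns_c2(text, txt_threshold=3, min_label_len=8, entropy_threshold=3.0):
    """Flag clients issuing >= txt_threshold TXT queries whose leftmost label looks encoded.

    Assumed heuristic: a long, high-entropy leftmost label on a TXT query is a
    plausible command/tasking exchange; a handful from one client is worth a look.
    """
    suspicious = defaultdict(int)
    for _ts, client, qtype, qname in parse_log(text):
        if qtype != "TXT":
            continue
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            suspicious[client] += 1
    return sorted(c for c, n in suspicious.items() if n >= txt_threshold)
```

Tune the thresholds against a baseline of your own resolver logs; legitimate TXT traffic (SPF, DKIM, verification tokens) usually comes from a small set of clients and domains.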
IT Security News
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board