Computer Emergency Response Team of Mauritius (CERT-MU)

New Fileless Attack Using DNS Queries to Carry out PowerShell Commands

Security researchers have discovered a unique attack, known as DNSMessenger, which uses DNS queries to carry out malicious PowerShell commands on compromised computers. According to the researchers, this technique makes it difficult to detect that a remote access Trojan (RAT) is being dropped onto targeted systems. Experts at Cisco security research indicated that the infection chain begins with a rigged Word document sent to recipients, who are encouraged to enable content so that they can view a message. If enabled, the document launches a Visual Basic for Applications (VBA) macro that runs the initial PowerShell command, which ultimately leads to the multistage attack and the eventual installation of a remote access Trojan. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with various stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.
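A defender-side sketch of how this chain can be surfaced in endpoint telemetry, added here as an example and not part of the original advisory: it follows process-creation events from Word through every later PowerShell stage and reports the DNS queries those descendants make. It assumes Sysmon-style events (Event ID 1 and Event ID 22) already parsed into dictionaries; the helper names, hosts, PIDs, paths and domains are constructed for illustration.

```python
import ntpath
from collections import defaultdict

OFFICE = {"winword.exe"}                    # the advisory names Word; extend as needed
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

def proc(host, pid, image, ppid, parent_image):   # Sysmon Event ID 1 (process creation)
    return {"EventID": 1, "Computer": host, "ProcessId": pid, "Image": image,
            "ParentProcessId": ppid, "ParentImage": parent_image}

def dns(host, pid, image, name):                  # Sysmon Event ID 22 (DNS query)
    return {"EventID": 22, "Computer": host, "ProcessId": pid, "Image": image,
            "QueryName": name}

# Constructed sample events in time order; hosts and domains are made up.
EVENTS = [
    proc("ws01", 100, WORD, 50, EXPLORER),
    proc("ws01", 200, PS, 100, WORD),              # macro starts PowerShell
    proc("ws01", 300, PS, 200, PS),                # later PowerShell stage
    dns("ws01", 300, PS, "a1.stage.example.test"),
    dns("ws01", 300, PS, "a2.stage.example.test"),
    dns("ws01", 100, WORD, "templates.example.test"),
    proc("ws02", 400, PS, 60, EXPLORER),           # interactive admin session
    dns("ws02", 400, PS, "updates.example.test"),
]

def image_name(path):
    return ntpath.basename(path).lower()

def office_powershell_dns(events):
    """Return {(host, pid): [query names]} for PowerShell descended from Office."""
    descended = set()          # (host, pid) of every process under an Office parent
    hits = defaultdict(list)
    for ev in events:
        key = (ev["Computer"], ev["ProcessId"])
        if ev["EventID"] == 1:
            parent = (ev["Computer"], ev["ParentProcessId"])
            if image_name(ev["ParentImage"]) in OFFICE or parent in descended:
                descended.add(key)
            else:
                descended.discard(key)   # PID reused by an unrelated process
        elif ev["EventID"] == 22 and key in descended:
            if image_name(ev["Image"]) in POWERSHELL:
                hits[key].append(ev["QueryName"])
    return dict(hits)
```

Because the later stages leave no files on disk, the process lineage and the DNS query log are the artefacts this check relies on; the PowerShell session started from Explorer on the second host is not reported.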
IT Security News
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis