Cisco Systems’ Talos security team issued a report on a newly discovered attack called DNSMessenger.
The attack makes skillful use of Windows PowerShell, DNS TXT records and Microsoft Word macros to silently infect a victim’s computer without writing files to disk. Known as “fileless malware,” this technique makes the infection nearly invisible to today’s standard anti-intrusion and anti-malware scanners.
How DNSMessenger works
- DNSMessenger begins scanning its immediate environment. Specifically, it looks for the privileges granted to the current user and which version of PowerShell is installed on the endpoint.
- Using this information, it takes the necessary course of action to quietly establish persistence.
- Once persistence is achieved, it establishes two-way communications with the command and control server.
- The command and control server then sends instructions to the infected endpoint in DNS TXT records.
- That infected endpoint will then use those instructions to both relay information and look for new orders at a predetermined domain address.
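Because the command channel described above rides on DNS TXT lookups, a defender's best vantage point is the resolver log. The following is an added example, not code from the Talos report or from the DNSMessenger sample: it parses constructed resolver log lines (the four-field format, the client addresses and the domain names are all assumptions) and flags any client that issues a burst of TXT queries whose leftmost label is long and high-entropy, which is what a text-record command channel tends to look like and what routine TXT traffic (SPF, DKIM, DMARC lookups) does not. The thresholds are starting points to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> <qtype> <qname>"
# 10.0.0.7 performs ordinary mail-related TXT lookups; 10.0.0.9 repeatedly
# queries long random-looking labels under one domain (placeholder name).
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 A www.example.com
2017-03-02T10:00:02 10.0.0.7 TXT _dmarc.example.com
2017-03-02T10:00:03 10.0.0.7 TXT example.com
2017-03-02T10:00:04 10.0.0.9 TXT 7h4j2k9q1zx8c3vb5nm6p0lo2ki4ju7.updates.example-c2.test
2017-03-02T10:00:05 10.0.0.9 TXT 9a8s7d6f5g4h3j2k1l0zqxwcevrbtny.updates.example-c2.test
2017-03-02T10:00:06 10.0.0.9 TXT p0o9i8u7y6t5r4e3w2q1mnbvcxzlkjh.updates.example-c2.test
2017-03-02T10:00:07 10.0.0.9 TXT m1n2b3v4c5x6z7l8k9j0hgfdsapoiuy.updates.example-c2.test
2017-03-02T10:00:08 10.0.0.9 TXT q2w3e4r5t6y7u8i9o0pasdfghjklzxc.updates.example-c2.test
2017-03-02T10:00:09 10.0.0.5 AAAA mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into (client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def analyze(log_text: str, min_txt: int = 3, min_label_len: int = 20,
            min_entropy: float = 3.0):
    """Group TXT queries per (client, registered domain) and flag groups with
    many lookups whose leftmost label is long and high-entropy.
    Threshold values are assumptions; tune them against your own baseline."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        if qtype != "TXT":
            continue
        labels = qname.split(".")
        if len(labels) < 2:
            continue
        # Crude registered-domain cut; a public-suffix list is better in production.
        base_domain = ".".join(labels[-2:])
        groups[(client, base_domain)].append(labels[0])

    findings = []
    for (client, base_domain), first_labels in groups.items():
        count = len(first_labels)
        avg_len = sum(len(lbl) for lbl in first_labels) / count
        avg_ent = sum(shannon_entropy(lbl) for lbl in first_labels) / count
        if count >= min_txt and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client,
                "base_domain": base_domain,
                "txt_queries": count,
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return sorted(findings, key=lambda f: -f["txt_queries"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the embedded sample, only 10.0.0.9 is reported; the mail host's `_dmarc` and apex TXT lookups stay below both the volume and the label-length thresholds. In practice, feed the function your resolver or Windows DNS Server debug log and pair the result with PowerShell script block logging on the flagged host, since the page notes that the same implant also probes PowerShell version and user privileges before setting up persistence.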