SOC Experts Community - Beta
0 like 0 dislike
54 views
in General Questions by (2.2k points)

1 Answer

0 like 0 dislike
by (1.8k points)

Cisco Systems’ Talos security team issued a report on a newly discovered attack called DNSMessenger.

The attack makes skillful use of Windows PowerShell, DNS TXT records and Microsoft Word macros to silently infect a victim’s computer without creating files. Known as “fileless malware,” this technique makes the infection nearly invisible to today’s standard anti-intrusion and anti-malware scanners.

How does DNSMessenger work?

  • DNSMessenger begins scanning its immediate environment. Specifically, it looks for the privileges granted to the current user and which version of PowerShell is installed on the endpoint.
  • Using this information, it takes the necessary course of action to quietly establish persistence.
  • Once persistence is achieved, it establishes two-way communications with the command and control server.
  • The command and control server will then send instructions through DNS TXT records to the infected endpoint.
  • That infected endpoint will then use those instructions to both relay information and look for new orders at a predetermined domain address.
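The last two bullets describe the part of DNSMessenger a SOC can actually see on the wire: the infected endpoint has to keep asking the resolver for TXT records under the attacker's domain, and the labels it looks up often carry encoded data. The script below is an added example of detection logic for that pattern; it is not code from Talos, from the answer's author, or from the malware itself. It assumes a resolver log in the format `<timestamp> <client> <qname> <qtype>`, which is a constructed format, uses made-up log lines, and treats `example-c2.test` as a placeholder domain. The thresholds (four TXT lookups per client and base domain, first-label entropy of 3.0 bits) are assumptions to tune against your own baseline, and the logic is general enough to apply to any DNS TXT command-and-control channel, not only DNSMessenger.

```python
"""Detection sketch for command-and-control traffic carried in DNS TXT lookups (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<timestamp> <client> <qname> <qtype>".
# These lines are made up for the example; example-c2.test is a placeholder domain.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 www.example.com A
2017-03-02T10:00:02 10.0.0.5 _dmarc.example.com TXT
2017-03-02T10:00:03 10.0.0.5 mail.example.com MX
2017-03-02T10:00:05 10.0.0.7 a3f9c1d2e4b5.update.example-c2.test TXT
2017-03-02T10:00:06 10.0.0.7 b7e2d1c0f9a8.update.example-c2.test TXT
2017-03-02T10:00:07 10.0.0.7 c19d8e7f6a5b.update.example-c2.test TXT
2017-03-02T10:00:08 10.0.0.7 d4c3b2a1f0e9.update.example-c2.test TXT
2017-03-02T10:00:09 10.0.0.7 e8f7a6b5c4d3.update.example-c2.test TXT
2017-03-02T10:00:10 10.0.0.7 www.example.com A
"""

# Assumed log layout: four whitespace-separated fields, query type in upper case.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def base_domain(qname):
    """Approximate the registrable domain as the last two labels.

    Real data needs the public suffix list (co.uk etc.); two labels is enough for this example.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character of the string; encoded payloads score higher than human-chosen hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_txt_queries=4, entropy_threshold=3.0):
    """Group TXT lookups by (client, base domain) and flag busy groups whose leftmost labels look encoded.

    Both conditions must hold: a single high-entropy label is common in legitimate DKIM or
    verification records, and a burst of TXT lookups alone may be a mail server doing its job.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        groups[(rec["client"], base_domain(rec["qname"]))].append(rec["qname"])

    findings = []
    for (client, domain), qnames in sorted(groups.items()):
        max_entropy = max(shannon_entropy(q.split(".")[0]) for q in qnames)
        if len(qnames) >= min_txt_queries and max_entropy >= entropy_threshold:
            findings.append({
                "client": client,
                "domain": domain,
                "txt_queries": len(qnames),
                "max_label_entropy": round(max_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"suspect: {f['client']} -> {f['domain']} "
              f"({f['txt_queries']} TXT lookups, label entropy {f['max_label_entropy']})")
```

On the sample log the only hit is client 10.0.0.7 against example-c2.test, with five TXT lookups whose leftmost labels score about 3.58 bits per character; the single `_dmarc` lookup from 10.0.0.5 stays below both thresholds. In production the grouping key should include a time window, and the base-domain counts should be compared against how many distinct clients query that domain, since a C2 domain is typically contacted by very few hosts.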
