According to Talos, Cisco’s independent threat research group, a new malware known as DNSMessenger has now stored itself in computers throughout the world. The strand of malware uses Microsoft PowerShell scripts to conceal and encrypt itself into the computer’s memory and link directly to the computer’s command & control server using its Domain Name Service port.
DNS Messenger
Like most malware cases, this malicious code is transmitted through phishing campaigns with coded attachments. Once the document is opened or downloaded, the user will see a document supposedly secured by McAfee Security. The victim will then receive instructions to click again on the document in order to see its original content. With this click, the user releases the document’s malicious code, which then stores itself in the computer’s memory.
Once the code is embedded, DNSMessenger targets the computer’s Alternate Data Stream through the NTFS file system. The Microsoft PowerShell then reaches a command-and-control server that allows the hacker to pass messages through the system.
“This malware sample is a great example of the length hackers are willing to go to stay undetected while operating within the environments that they are targeting,” reported the Talos team. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
Don’t become a victim of these hack attacks. Sign up for our security awareness training for your entire staff to prevent your employees from becoming victims of these kinds of scams.
