New Malware Hides In Memory

Researchers at Cisco Systems Inc.’s Talos threat research group have published a report on a new form of malware that is unusually difficult to detect.

Dubbed DNSMessenger, the malware uses Microsoft PowerShell scripts to stay hidden and talks to its controller over the Domain Name System (DNS) rather than over a conventional web connection. It is distributed as a Microsoft Word document in a phishing campaign that tries to look as if it came from a known or reputable source.

Once opened, the file claims to be a protected document secured by McAfee Security and asks the user to click once more to view the content supposedly locked inside the original file.

Not surprisingly, there is no such content: the second click instead runs the malicious script (a macro) embedded in the document, which launches PowerShell and ultimately compromises the victim’s computer.

That is where the resemblance to ordinary malware ends. Rather than dropping an executable onto the victim’s hard drive, the malware keeps its working code in memory, which makes it hard for file-based antivirus scanning to detect.

A second stage is stashed in an NTFS alternate data stream (a feature of the standard Windows file system) or directly in the Windows registry, and a third-stage PowerShell script establishes communication with a command-and-control (C2) server over DNS. DNS is normally used to look up the Internet Protocol (IP) addresses associated with domain names; here it is abused to carry text, with commands and results encoded in DNS queries and TXT-record responses.

What is not yet clear is exactly which commands the attackers issue through the DNS backdoor. “We were unable to get the C2 (command and control) infrastructure to issue us commands during our testing,” the Talos team said in a recent blog post. “Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.”

While HTTP and HTTPS traffic is routinely inspected at network gateways, DNS traffic usually is not, and the attackers are well aware of this.

“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos team added. 

“It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
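The DNS abuse described above (a third stage that talks to its C2 server over DNS, and the Talos advice to treat DNS as a C2 channel worth inspecting) is something a detection engineer can act on directly. The following Python script is an added example written for this page, not Talos’s code and not the malware’s: it scores a DNS query log and flags client/domain pairs whose queries have the shape of a DNS-carried command channel (a burst of TXT queries whose leftmost labels are long and high-entropy, all under one parent domain). The log format, the sample log lines, the thresholds and the two-label base-domain rule are all assumptions made for the example.

```python
"""Flag DNS-tunnelling C2 patterns in a DNS query log.

Assumed log format (hypothetical, one query per line):
    <epoch-seconds> <client-ip> <query-name> <query-type>
"""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Host 10.0.0.5 does ordinary
# lookups, including one legitimate TXT query. Host 10.0.0.9 fires a burst of
# TXT queries whose leftmost labels are long, high-entropy encoded blobs under
# a single parent domain, which is the shape of a DNS-carried command channel.
SAMPLE_LOG = """\
1488400001 10.0.0.5 www.example.com A
1488400002 10.0.0.5 mail.example.com MX
1488400003 10.0.0.5 example.com TXT
1488400004 10.0.0.5 cdn.example.net A
1488400010 10.0.0.9 a3f9c1e27b4d8e0f5a6b7c8d9e0f1a2b.stage.example.org TXT
1488400011 10.0.0.9 9b2e7d4c1a8f6e3d0c5b4a7f2e1d9c8b.stage.example.org TXT
1488400012 10.0.0.9 c7d1e9a3b5f2048e6d1c3a9b7e5f0d2a.stage.example.org TXT
1488400013 10.0.0.9 4e8a2c6d0b9f1e3a7c5d8b2f6a0e4c9d.stage.example.org TXT
1488400014 10.0.0.9 f1a3b5c7d9e0246813579bdf02468ace.stage.example.org TXT
1488400015 10.0.0.9 0d2f4a6c8e1b3d5f7a9c0e2b4d6f8a1c.stage.example.org TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score near 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Return (epoch, client, qname, qtype) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, client, qname, qtype = line.split()
        records.append((int(epoch), client, qname.lower().rstrip("."), qtype.upper()))
    return records


def base_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels. A public
    # suffix list would be needed to handle names such as example.co.uk.
    return ".".join(qname.split(".")[-2:])


def profile(records):
    """Aggregate per (client, base domain): counts plus label-shape features."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "labels": set(),
                                 "label_len": 0.0, "entropy": 0.0})
    for _, client, qname, qtype in records:
        first = qname.split(".")[0]          # the label an attacker fills with data
        s = stats[(client, base_domain(qname))]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["labels"].add(first)
        s["label_len"] += len(first)
        s["entropy"] += shannon_entropy(first)
    return stats


def flag_tunnels(records, min_queries=5, min_txt_ratio=0.8,
                 min_label_len=20, min_entropy=3.0):
    """Return (client, domain) pairs whose query shape matches DNS C2.

    All four conditions must hold, so a mail server doing SPF TXT lookups or a
    CDN with long but low-entropy hostnames does not trip the rule on its own.
    """
    hits = []
    for (client, domain), s in profile(records).items():
        n = s["queries"]
        txt_ratio = s["txt"] / n
        mean_len = s["label_len"] / n
        mean_ent = s["entropy"] / n
        if (n >= min_queries and txt_ratio >= min_txt_ratio
                and mean_len >= min_label_len and mean_ent >= min_entropy):
            hits.append({"client": client, "domain": domain, "queries": n,
                         "txt_ratio": round(txt_ratio, 2),
                         "mean_label_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2),
                         "unique_labels": len(s["labels"])})
    return hits


if __name__ == "__main__":
    for hit in flag_tunnels(parse_log(SAMPLE_LOG)):
        print("possible DNS C2:", hit)
```

Fed with real data from a resolver log or Zeek’s dns.log, the thresholds will need tuning: mail servers legitimately issue many TXT (SPF, DKIM) lookups, and some CDNs and telemetry services use long hostnames, which is why the rule requires all four signals together rather than any one of them. A hit is a lead for the analyst, not a verdict; the next step is to pull the flagged host’s PowerShell logs and look for the in-memory stages the article describes.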

Source: Silicon Angle

