Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.
The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco's SourceFire security appliances in particular with the encoded text, "SourceFireSux."
[...] The irony of this particular attack calling out SourceFire is that Cisco has just relaunched Umbrella—a service it acquired with OpenDNS—a product that is intended to shield from DNS exploits precisely like this.
Source: https://arstechnica.com/security/2017/03/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-orders/