Researchers at Cisco Talos have recently identified a new PowerShell remote access Trojan. The memory-resident malware is almost impossible to detect because it never writes files to the computer's hard drive and uses an unusual channel to communicate with its command and control (C2) server.
The infection is spread via a malicious Microsoft Word document sent as an email attachment. Cisco Talos has warned that only 6 out of 54 AV engines recognize the malware.
When the document is opened, the user sees a message stating that its contents are protected and that 'Enable Content' must be clicked to view them. A McAfee Secure logo is displayed in the document to make it look legitimate; this air of officialness raises the likelihood that users will enable macros.
If content is enabled, a VBA function is called. That function contains the malicious code which launches the PowerShell commands. No files are written to the file system at any point; the malware runs entirely in memory.
The PowerShell remote access Trojan can receive commands from the attacker's C2 and then send back replies detailing the results of the commands it has run. Such communications can usually be picked up by antimalware solutions, but in this case they are much harder to identify because they take place over DNS.
The Domain Name System (DNS) is normally used to look up the IP addresses of domains typed into web browsers, but it also allows text queries to be sent and text responses to be returned. The malware and the attackers communicate through DNS TXT queries and responses. DNS TXT records are also used legitimately for email authentication mechanisms such as SPF, DMARC and DKIM.
Many organizations inspect the content of email and web traffic, but few monitor the content of DNS requests. Likewise, many antivirus and antimalware solutions scan only the file system, not memory. As a result, infection with this PowerShell remote access Trojan is very difficult to detect.
To identify an infection with this PowerShell remote access Trojan, an organization would need to monitor DNS content. Because the malware's TXT queries and responses differ from normal DNS TXT traffic, the communications can be identified.
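One way to put the DNS-monitoring advice above into practice is a triage rule over resolver query logs that separates ordinary TXT lookups (SPF at the zone apex, DMARC/DKIM selectors) from TXT queries whose leftmost label looks like encoded data. The script below is an added example, not Cisco Talos' code; the log format, the threshold values and the `c2-placeholder.test` zone are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qtype> <qname>".
SAMPLE_LOG = """\
1488200001 10.0.0.5 A www.example.com
1488200002 10.0.0.5 TXT _dmarc.example.com
1488200003 10.0.0.5 TXT example.com
1488200004 10.0.0.7 TXT 7a9f3c1e0b2d4f6a8c1e3b5d7f9a1c3e5b7d9f1a.cmd.c2-placeholder.test
1488200005 10.0.0.7 TXT 1c3e5b7d9f1a7a9f3c1e0b2d4f6a8c1e3b5d7f9a.cmd.c2-placeholder.test
1488200006 10.0.0.7 TXT 0b2d4f6a8c1e3b5d7f9a1c3e5b7d9f1a7a9f3c1e.cmd.c2-placeholder.test
"""

# Labels that legitimately carry TXT records (DMARC policy, DKIM selectors, ACME validation).
BENIGN_TXT_LABELS = {"_dmarc", "_domainkey", "_acme-challenge"}


def shannon_entropy(text):
    """Bits per character; human-chosen hostnames score well below encoded payload data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def base_domain(labels):
    """Crude registrable-domain guess (last two labels); adequate for a triage rule."""
    return ".".join(labels[-2:])


def suspicious_txt_queries(log_text, max_label=32, min_entropy=3.5, min_unique=3):
    """Return {qname: [reasons]} for TXT queries that look like a tunnelled C2 channel."""
    findings = defaultdict(list)
    per_source = defaultdict(set)  # (client, base domain) -> distinct query names seen
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) <= 2 or any(l in BENIGN_TXT_LABELS for l in labels):
            continue  # apex SPF and DMARC/DKIM/ACME lookups are expected TXT traffic
        per_source[(client, base_domain(labels))].add(qname)
        if len(labels[0]) > max_label:
            findings[qname].append("long label")
        if shannon_entropy(labels[0]) > min_entropy:
            findings[qname].append("high entropy")
    for (client, dom), names in per_source.items():
        if len(names) >= min_unique:  # many distinct names under one zone: data going out
            for qname in names:
                findings[qname].append(f"{len(names)} distinct names from {client} to {dom}")
    return dict(findings)
```

Thresholds should be tuned against a baseline of the organization's own TXT traffic, since CDN and anti-spam verification records can also produce long or random-looking labels.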
The simplest way to avoid infection is to disable macros. Where disabling macros is not possible, settings should be changed so that macros do not run automatically when a document is opened, and users should be advised not to enable macros unless they are absolutely certain of the source of the file.