Newly Discovered PowerShell DNS Trojan Attacks Through a Super-Common Program

Recently, the Cisco Talos security threat research team turned up a significant new threat launched via Microsoft Word. The attack infects systems with malware by quietly using the domain name server (DNS) to make contact with Windows PowerShell command instructions from the attacker.

The attack is initiated by the delivery of a malicious Microsoft Word document. The document looks like it’s from a McAfee-branded secure email service. But upon opening, the document launches a Visual Basic for Applications macro, which then launches PowerShell commands. The system then calls out to a collection of domain records that have been specially constructed by the hacker to help execute on privileged system control.

As the attack unfolds, it is determined whether the user has privileged access using a second stage of PowerShell commands. The PowerShell commands then enter a third act where the Windows System Registry is modified to allow backdoor access. If the user does have privileged access, the Windows Management Instrumentation (WMI) database is modified, so that the backdoor is maintained throughout reboots.

DNS-Based PowerShell

At this point, the infected system queries select DNS records that are built into the script. These requests pull in TXT records from the loaded DNS query, which contain further PowerShell commands. Because the attacker controls the remotely queried DNS records, they can implement any command they desire and execute it locally with full administrative privileges.

There are a number of weaknesses here to point out. First off, domain name servers are a critical and fundamental component to any network environment. On a typical network, they’re rarely monitored, policed or blocked. Commands that transmit through DNS traffic can be fractional and difficult to detect as there are many billions of records across many different types of DNS requests. Secondly, there is a serious gateway flaw that allows document programs to launch external programs, especially those that can modify the system environment.

Major Concerns

While the exploit only affects PCs that run Microsoft Word, and not mobile systems, the overwhelming majority of environments use just those two things. No other productivity application and platform combination comes close. Further, as a matter of convenience, companies in many environments allow users the administrative rights to fully control their own systems. This sort of infection has a wide potential base of attack, and it’s proving to be very difficult to detect in most environments.

Correction

Once a system is infected, corrective actions on the system will likely be difficult. The breadth of commands and modifications that can be launched in the final stage can prove to be quite complex and possibly irreversible. In cases where the infection has not gotten to the final stages due to a lack of user privileges, the cleanup may be more feasible. This is because the PowerShell commands at these stages are not persistent and are based on sessions, which can be terminated.

Prevention

There’s a mantra in security that identifies the core components of people, processes and technology. Preventing these sorts of attacks counts on all three points.

  • Don’t open a Word doc from a sender you don’t trust or recognize.
  • If you do open an infected Microsoft Word doc, don’t click on prompts to enable content (in general, this is a best practice for helping keep viruses out).
  • Make sure your antivirus/antimalware solution is up to date and perform a system scan.
  • Organizationally, review your administrative user policies.

Threat Graph.png

Further, Cisco’s Talos Intelligence group suggests the following options to prevent an attack.

  • Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
  • Cloud Web Security (CWS) or Web Security Appliance (WSA) scanning prevents access to malicious websites and detects malware used in these
    attacks.
  • Email Security can block malicious emails sent by threat actors as part of their campaign.
  • The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
  • The AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
  • Umbrella prevents DNS resolution of the domains associated with malicious activity.

As Hostway customers, thousands of companies have benefitted from security and compliance capabilities that cannot be matched in the cloud and hosting industry. Hostway provides leading security solutions, executes corporate-grade continuity strategies and monitors the ever-changing threat landscape for developments that may compromise client environments.

Call (+1.866.680.7556) or chat with Hostway today for a free vulnerability scan.