Researchers have discovered a new version of the DNS Messenger attack which masquerades as the US Securities and Exchange Commission (SEC) and hosts malware on compromised government servers.
On Wednesday, security researches from Cisco Talos revealed the results of an investigation into DNS Messenger, a fileless attack which uses DNS queries to push malicious PowerShell commands on compromised computers.
A new version of this attack, which the team say is “highly targeted in nature,” now attempts to compromise victim systems by pretending to be the SEC Electronic Data Gathering Analysis, and Retrieval (EDGAR) system — recently at the heart of a data breach related to financial fraud — in specially crafted phishing email campaigns.
These spoofed emails made them seem legitimate, but should a victim open them and download a malicious attachment contained within, a “multi-stage infection process” begins.
The malicious attachments used in this campaign are Microsoft Word documents. However, rather than using macros or OLE objects to gain a foothold into a system, the threat actors used a less common method of infection, Dynamic Data Exchange (DDE), to perform code execution and install a remote access Trojan (RAT).
To read the original article: