SEC spoofed, malware hosted on US gov’t server in new DNS attack

Haythem Elmir

Researchers have discovered a new version of the DNS Messenger attack which masquerades as the US Securities and Exchange Commission (SEC) and hosts malware on compromised government servers.

On Wednesday, security researches from Cisco Talos revealed the results of an investigation into DNS Messenger, a fileless attack which uses DNS queries to push malicious PowerShell commands on compromised computers.

A new version of this attack, which the team say is « highly targeted in nature, » now attempts to compromise victim systems by pretending to be the SEC Electronic Data Gathering Analysis, and Retrieval (EDGAR) system — recently at the heart of a data breach related to financial fraud — in specially crafted phishing email campaigns.

These spoofed emails made them seem legitimate, but should a victim open them and download a malicious attachment contained within, a « multi-stage infection process » begins.

The malicious attachments used in this campaign are Microsoft Word documents. However, rather than using macros or OLE objects to gain a foothold into a system, the threat actors used a less common method of infection, Dynamic Data Exchange (DDE), to perform code execution and install a remote access Trojan (RAT).

To read the original article:

Laisser un commentaire

Next Post

Unpatched SQLi vulnerability in SmartVista e-commerce suite

Companies using SmartVista, the popular e-commerce/payment management product suite developed by Swiss company BPC Banking Technologies, are urged to put limit access to its management interface. That’s because Rapid7 researcher Aaron Herndon found a SQL injection vulnerability in it, and BPC has shown no indication that it’s going to fix […]