This post was authored by Edmund Brumaghin and Colin Grady, with contributions from Dave Maynor and @Simpo13.
Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to interact directly with the Windows Command Processor: the contents of DNS TXT record queries carried data out of the victim, and the associated responses generated by the attacker-controlled DNS server carried commands back in.
We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infection and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the infection chain. The spear phishing emails were spoofed to appear as if they had been sent by the Securities and Exchange Commission (SEC), in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest campaign were similar to those targeted during previous DNSMessenger campaigns. The attacks were highly targeted in nature, and the use of obfuscation together with a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.
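Because the C2 channel described above rides entirely on DNS TXT lookups, the most reliable place to spot it from the defender's side is the resolver log: a burst of TXT queries to one registered domain whose leftmost labels are long and high-entropy (encoded command output going out) and whose answers are unusually large (commands coming back). The following is an added example written for this page, not code from Talos or from the DNSMessenger samples. It runs a simple per-domain heuristic over a constructed, passive-DNS-style log; the log line format, the "last two labels" approximation of the registered domain, and the thresholds are assumptions chosen for illustration and would need tuning against a real baseline.

```python
"""Heuristic detector for DNS-TXT-based C2 traffic (added example, not Talos code).

Input lines (constructed format, an assumption of this example):
    <epoch_ts> <client_ip> <qname> <qtype> <answer_bytes>
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log. It mixes ordinary SPF/DMARC/DKIM lookups with
# a burst of TXT queries to one domain whose subdomains are 20 random-looking
# characters and whose answers are large, which is what a DNS TXT C2 channel
# (encoded output in the query name, command in the TXT answer) looks like.
SAMPLE_LOG = """\
1506000001 10.0.0.12 example.com TXT 42
1506000002 10.0.0.12 _dmarc.example.com TXT 64
1506000003 10.0.0.12 www.example.com A 16
1506000004 10.0.0.12 _dmarc.example.org TXT 60
1506000005 10.0.0.12 _dmarc.example.org TXT 60
1506000006 10.0.0.12 _dmarc.example.org TXT 60
1506000007 10.0.0.12 _dmarc.example.org TXT 60
1506000008 10.0.0.12 _dmarc.example.org TXT 60
1506000009 10.0.0.12 selector1._domainkey.example.org TXT 410
1506000010 10.0.0.12 a9f3kq2xr7zp1mw8vbn4.c2-example.test TXT 220
1506000011 10.0.0.12 q8wz2lk5vmx0p3rb7ytc.c2-example.test TXT 198
1506000012 10.0.0.12 h4jd9sx1eg7bn2vq6tkm.c2-example.test TXT 244
1506000013 10.0.0.12 u3pr8yt0zc5fn1ak9wlx.c2-example.test TXT 231
1506000014 10.0.0.12 m6bk2qv7dh3sx9rj0ypn.c2-example.test TXT 205
1506000015 10.0.0.12 e1tg5wn8ck4zq7lv2hmf.c2-example.test TXT 217
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. A production
    detector should use the public suffix list instead (co.uk, etc.).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def txt_stats(log_text):
    """Aggregate TXT-query features per registered domain."""
    acc = defaultdict(lambda: {"queries": 0, "sub_len": 0, "entropy": 0.0, "answer_bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash on them
        _ts, _client, qname, qtype, answer_bytes = m.groups()
        if qtype.upper() != "TXT":
            continue  # only the TXT channel matters for this heuristic
        sub, dom = split_name(qname)
        st = acc[dom]
        st["queries"] += 1
        st["sub_len"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["answer_bytes"] += int(answer_bytes)
    return {
        dom: {
            "queries": st["queries"],
            "mean_sub_len": st["sub_len"] / st["queries"],
            "mean_entropy": st["entropy"] / st["queries"],
            "answer_bytes": st["answer_bytes"],
        }
        for dom, st in acc.items()
    }


def flag_c2_domains(log_text, min_queries=5, min_sub_len=16, min_entropy=3.0):
    """Return registered domains whose TXT traffic matches the C2 profile.

    All three conditions must hold, so a domain that merely receives many
    short DMARC/DKIM lookups is not flagged. Thresholds are assumptions.
    """
    flagged = []
    for dom, st in txt_stats(log_text).items():
        if (st["queries"] >= min_queries
                and st["mean_sub_len"] >= min_sub_len
                and st["mean_entropy"] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, st in sorted(txt_stats(SAMPLE_LOG).items()):
        print(f"{dom:20s} txt={st['queries']:2d} sublen={st['mean_sub_len']:5.1f} "
              f"entropy={st['mean_entropy']:4.2f} answer_bytes={st['answer_bytes']}")
    print("suspected DNS TXT C2 domains:", flag_c2_domains(SAMPLE_LOG))
```

Run against the constructed log, only `c2-example.test` is flagged: `example.org` receives the same number of TXT queries but its subdomains are short, low-entropy names, which is why the heuristic requires query volume, label length and entropy to all exceed their thresholds rather than any one of them. In practice this is a triage signal, not a verdict; the next step is to pull the actual TXT answers for the flagged domain and look for the encoded PowerShell or command output the campaign relies on.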