DNSMessenger malware



  • New Fileless Malware Uses DNS Queries To Receive PowerShell Commands

    https://thehackernews.com/2017/03/powershell-dns-malware.html



  • They call it fileless, but it takes getting an infected Word document to execute on the machine first, right? So how is this fileless?



  • It is listed as a Trojan, specifically a Remote Access Trojan or RAT. So definitely a file. But the commands that make it scary are in DNS, not in the Trojan file. I think that that is why they use that term. But it is pretty confusing and misleading.



  • From my understanding of the article, the bug doesn't actually drop any files on your system. Yes, you do have to open the infected attachment, but the bug itself doesn't leave any files behind.



  • So there's really no root flaw here; you have to use another known flaw to breach security first, and then you can use this DNS hack to give yourself a RAT.



  • I thought "fileless" meant that once the code executes, it runs inside of an existing process for example, rather than from a file like a normal process.

    I was in a PowerShell Empire webex where this was demonstrated.

    Cool stuff imho.



  • Also, using an infected word doc was just one of many methods to get through. It was the easiest for demonstration purposes anyways.



  • That's all fine and dandy; my point was that this hack is currently worthless on its own. It requires a previous hack in order to make this one work.


  • @Dashrender said in DNSMessenger malware:

    That's all fine and dandy; my point was that this hack is currently worthless on its own. It requires a previous hack in order to make this one work.

    The point is not how the infection was started. The point is that the infection itself is completely fileless. Never writing data to the disk.

    There are multitudes of ways into a Windows system that an attacker could use to execute the initial code.
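One way a defender might hunt for this kind of command channel in resolver logs, as an added example that is not from the thread or the linked article: it flags a client that issues many TXT queries with unique, high-entropy leading labels under a single domain, which is what a DNS-carried command channel tends to look like from the resolver's side. The log line format, the domain names, the log sample and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log; the format (timestamp client qname qtype) is an assumption.
SAMPLE_LOG = """\
2017-03-03T10:00:01 10.0.0.5 www.example.com A
2017-03-03T10:00:02 10.0.0.5 a8f3k2.cmd.evil-c2.test TXT
2017-03-03T10:00:12 10.0.0.5 b91xq0.cmd.evil-c2.test TXT
2017-03-03T10:00:22 10.0.0.5 zq7p3m.cmd.evil-c2.test TXT
2017-03-03T10:00:32 10.0.0.5 k0d9s1.cmd.evil-c2.test TXT
2017-03-03T10:00:42 10.0.0.5 m3n8v4.cmd.evil-c2.test TXT
2017-03-03T10:01:00 10.0.0.7 mail.example.com MX
2017-03-03T10:01:05 10.0.0.7 _dmarc.example.com TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Crude approximation: last two labels. A real tool would use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def detect_txt_beacons(log_text, min_queries=4, min_unique_ratio=0.8):
    """Return one alert per (client, domain) that looks like a TXT-based command channel."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4).upper() != "TXT":
            continue
        _ts, client, qname, _qtype = m.groups()
        seen[(client, registered_domain(qname))].append(qname.lower())
    alerts = []
    for (client, domain), names in seen.items():
        unique = set(names)
        # Legitimate TXT lookups (SPF/DMARC) repeat the same name; beacons rotate the first label.
        if len(names) < min_queries or len(unique) / len(names) < min_unique_ratio:
            continue
        labels = [n.split(".")[0] for n in unique]
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        alerts.append({"client": client, "domain": domain,
                       "txt_queries": len(names), "avg_label_entropy": round(avg_entropy, 2)})
    return alerts
```

On the constructed log only 10.0.0.5 is flagged; the single _dmarc lookup from 10.0.0.7 stays below the query threshold.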

