Security Icon Microsoft

We have heard a lot about malware attacks taking on a different form recently. Attackers are increasingly opting for stealthy tactics instead of more traditional malware. Targeted attacks are becoming sneaky, using breaches of system tools and protocols to infect a system undetected. A new hidden attack formed in Microsoft Word has now been found.

One such ‘fileless’ attack has been discovered and analysed by the researchers from the Cisco Systems Talos team. Called DNSMessenger, the attack targets Microsoft’s Word via a malicous document that is sent through an email phishing campaign.

Of course, email phishing is hardly a new concept. Attackers simply send out thousands of emails with infected attachments. The attacker is literally fishing for someone to take bait, usually a vulnerable user who would open an anonymous email.

DNSMessenger is cleverer because the malicous attachment is stealthier. It pretends to be a “protected document” that has been secured by reputed security firm McAfee. However, it is not really secured by the Intel Security-owned company. Many users may be duped by the masquerade and click the ‘enable content’ button that is provided.

Stages of Infection

Doing so executes the malicous content. Like other fileless attacks we have seen, the content embeds itself in a system is written in the PowerShell language that is built into Windows. It allows the system to run automated administration tasks.

“The code that is passed to PowerShell via the command line is mostly Base64 encoded and compressed using gzip, with a small portion at the end that is not encoded which is then used to unpack the code and pass it to the Invoke-Expression PowerShell cmdlet (IEX) for execution. This allows the code to be executed without ever requiring it to be written to the filesystem of the infected system. Overall, this is pretty typical for malicious Word documents that we see being distributed in the wild.”

The second stage of the infection is described by Cisco Systems Talos in its blog post:

“The execution of the PowerShell that is passed to IEX by the Stage 1 Word document is where we begin to observe several interesting activities occurring on an infected system. A function at the end of the PowerShell script described in Stage 1 defines the actions for Stage 2 as well as characteristics related to Stage 3.”

A possible third stage involves another PowerShell script that stores in an Alternate Data Stream in the NTFS file system.