
DNSMessenger Trojan is using DNS queries for its orders


Security researchers have discovered a new fileless malware that comes as a PowerShell script and uses DNS queries to receive its orders.

The malware was discovered by researchers from Cisco's Talos project and has been documented here. The infection starts with a phishing campaign in which an e-mail is sent to many users. The e-mail contains a Word attachment that claims to be protected by McAfee.


(Source: Cisco/Talos)

If the user clicks the link, a PowerShell script is executed and loads the Trojan into memory. It then checks the script's environment (whether the user has admin rights) and loads a second PowerShell script. This script is stored in an Alternate Data Stream (ADS) of the NTFS file system or in the registry.

A third PowerShell script establishes a communication channel that uses DNS records to send data and receive commands from a C&C server. Further details may be found in this blog post. (via)

