Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Uncover Sophisticated, Fileless Attack

Researchers Discover New Non-Malware Obfuscated Targeted Attack

Researchers Discover New Non-Malware Obfuscated Targeted Attack

A simple tweet ultimately unraveled a complex, fileless attack. The tweet highlighted encoded text in a PowerShell script that said ‘SourceFireSux’. This ultimately led researchers to discover and analyze an attack comprising a malicious Word document and a PowerShell RAT communicating with its C&C servers via unblocked DNS requests. The attack is completely fileless — non-malware designed to be invisible to standard anti-malware defenses.

SourceFire was acquired by Cisco in 2013 for $2.7 billion. The ‘SourceFireSux’ reference sparked the interest of researchers at Talos, Cisco’s threat intelligence arm, who unsurprisingly wanted to know more. Talos was formed from SourceFire’s vulnerability research team together with Cisco’s own researchers.

A Talos search for the encoded string uncovered a single sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis. 

A search for the decoded string located a single Pastebin entry uploaded by @JohnLaTwC (Twitter’s @JohnLaTwC is John Lambert, general manager, Microsoft Threat Intelligence Center) on Feb. 16, eight days before the tweet. The associated hash led to a malicious Word document that matched the details found in Hybrid Analysis.

Now knowing what they were looking for, Talos was able to locate additional samples and reconstruct and analyze the attack. They found a complex example of the growing tendency for attackers to manipulate existing and trusted Windows facilities rather than install malware that can be detected.

The attack is delivered by a phishing email as a weaponized Word document. The recipient is persuaded to open the document by the assertion, “This document has been secured by McAfee. To view this Protected Document, click Enable Content.” Doing so enables a VBA macro which opens PowerShell and loads and unpacks the malicious code without requiring any file to be written to disk.

The script checks for admin status and PowerShell version. Depending on whether it has Administrator or User access, it sets registry entries (HKLM for Admin or HKCU for User) to achieve persistence. If PowerShell is 3.0 or later, the payload is written to an Alternate Data Stream. If it is an earlier version, the payload is encoded and written to the location defined in the registry entries.

Advertisement. Scroll to continue reading.

The script also contains arrays of domains from which it periodically selects a C2 domain to query. Querying these obtains TXT records containing further PowerShell commands.

PowerShell has effectively become a backdoor that is never written to disk, and the actual process is complex.

“It takes the code received in the DNS query response and defines a string variable which contains the code,” explained Talos researchers Edmund Brumaghin and Colin Grady. “It then calls the decode function from the third stage and passes the decoded string into IEX to further extend the Powershell environment. Once this is complete, it then calls a function in the newly extended environment to execute the fourth stage code along with specific parameters. These parameters include the fourth stage C2 domain to use as well as the program to execute which in this case is the Windows Command Line Processor (cmd.exe). This is interesting because it results in the fourth stage payload never actually being written to the filesystem of the infected system.”

This is clearly an attack designed to compromise a specific target. Everything discovered by Talos indicates that the discovered samples are recent.

“The domains associated with the Powershell sample that we analyzed from Hybrid Analysis were initially registered on 2017-02-18,” note the researchers. “According to data available within Umbrella [a product acquired by Cisco when it purchased OpenDNS], the majority of DNS activity related to the domains used by the powershell sample appears to have occurred between 2017-02-22 and 2017-02-25. There was less activity associated with the other identified sample, with most occurring on 2017-02-11.”

Talos was unable to get the C2 infrastructure to issue any commands. The implication is that it is a targeted attack using different C2 domains for individual targets. It would be simple to adjust the lure in the initial phishing email and the hard coded C2 domains for each individual target — so this could be a brand new attack or an attack only just discovered.

It is, say the researchers, “a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.