Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.
The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco's SourceFire security appliances in particular with the encoded text, "SourceFireSux."
Welp, someone doesn't like SourceFire pic.twitter.com/NzuGXZ0WgC
— simpo (@Simpo13) February 24, 2017
Delivered as an e-mail attachment, the malicious Word document was crafted "to appear as if it were associated with a secure e-mail service that is secured by McAfee," wrote Talos researchers Edmund Brumaghin and Colin Grady in a blog post to be published later today.