Blog :: Security Operations

Remote Access Trojan Uses DNS to Execute Powershell Commands


Eek! A rat! No, I don’t mean the cute, little rodent with the long tail; I mean the Remote Access Trojan. Trust me, I would much rather have the rodent near my computer than this Trojan. What does a RAT do, though? Exactly what the name suggests—it uses remote access to send data from the infected PC to a phone home location.

How Do RATs End Up On Computers?

Trojans end up on a PC after the end user receives an email asking Not that kind of rat; the Remote Access Trojanthem to open an “important” document or file. Once the user opens the document or file, their PC becomes infected. Like most pieces of malware, the Trojan can lay dormant on the PC for days, weeks, or even months before actually using DNS queries to send data. This new RAT, however, does not require the user to download a file. The email message asks the user to “enable content” so they can view the entire message. When enabled, the document in the email will launch a Visual Basic macro that will open PowerShell and begin using DNS queries. This Trojan is unique since it is not limited to using written documents to infect the user. You can read more about this specific attack at

What Can I Do About These Infections?

As this picture suggests, you could have a tiny Spartan army atTrojan horse defending against malware attacks your desk waiting to defend your computer from attack. Since this is not Night at the Museum, however, that is impossible. The first rule of thumb is never open an email from an address you do not recognize. Second, if it does look like an email you recognize, but you aren’t sure, read the email carefully. Does it suggest that you enable anything, download a file, or click a link? If it does and you were not expecting it, don’t follow its instructions.

For example, I got an email the other day from someone who wanted to connect with me on Skype. It came from a Skype email, but I didn’t have any pending contact requests on my Skype application. After reading the email a couple times, I noticed it wanted me to click a link to see who wanted to connect. That was a clear sign that I had a virus attached to that email.

If a RAT—or any sort of Trojan that uses DNS—slips in to your network, you can use a network traffic analyzer, such as Scrutinizer, to help track down DNS data leaks. You can learn more about that in this blog that my colleague Ryan wrote.

Network security is necessary in the workplace; however, there are new attacks and malware popping up every day. Download the free trial of our network traffic analyzer to check for compromised PC’s on your network.