Source: https://threatpost.com/new-fileless-attack-using-dns-queries-to-carry-out-powershell-commands/124078/ Tom Spring – Threat Post
A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.
According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients, who are encouraged to “enable content” so they can view a message. If content is enabled, the document runs a Visual Basic for Applications macro that executes the initial PowerShell command, which kicks off the multistage attack and the eventual installation of a remote access Trojan.
“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.
The initial PowerShell instructions that are executed are contained within the Word document itself.
Researchers said the attack is unique because it does not involve a typical infection chain that includes files written to the targeted system. Instead, the malware infection technique uses DNS TXT messaging capabilities to request and fetch malicious PowerShell commands stored remotely as DNS TXT records.
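As an added example (not code from the Talos research or this article): a small Python detector that reads constructed resolver log lines and flags a client that issues repeated TXT queries with long, high-entropy leftmost labels under one parent domain, the footprint a DNS TXT command channel like the one described leaves in DNS logs. The log format, thresholds and domain names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical "time client qtype qname" format).
# Client 10.0.0.5 sends a burst of TXT queries with random-looking labels, the
# pattern a DNS TXT command channel leaves; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 A www.example.com
2017-03-02T10:00:02 10.0.0.5 TXT 8f3a9c2e7b1d4f6a.cmd-stage.example.test
2017-03-02T10:00:03 10.0.0.5 TXT 2e9b7f1a4c8d3e5f.cmd-stage.example.test
2017-03-02T10:00:04 10.0.0.5 TXT a1b2c3d4e5f60718.cmd-stage.example.test
2017-03-02T10:00:05 10.0.0.5 TXT 9f8e7d6c5b4a3f2e.cmd-stage.example.test
2017-03-02T10:00:06 10.0.0.7 TXT _dmarc.example.com
2017-03-02T10:00:07 10.0.0.7 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; hex or base32 beacon labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Turn each log line into (client, qtype, qname); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[1], parts[2].upper(), parts[3].lower().rstrip(".")))
    return records


def find_txt_beacons(records, min_len=12, min_entropy=3.0, min_count=3):
    """Return sorted (client, parent_domain, count) for clients that sent at least
    min_count TXT queries whose leftmost label is long and high-entropy under one
    parent domain. Legitimate TXT lookups (SPF, DMARC) have short, readable labels."""
    hits = defaultdict(int)
    for client, qtype, qname in records:
        if qtype != "TXT" or "." not in qname:
            continue
        first, parent = qname.split(".", 1)
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            hits[(client, parent)] += 1
    return sorted((c, p, n) for (c, p), n in hits.items() if n >= min_count)


if __name__ == "__main__":
    for client, parent, count in find_txt_beacons(parse_log(SAMPLE_LOG)):
        print(f"suspect TXT channel: {client} -> *.{parent} ({count} queries)")
```

Tune the thresholds to your own baseline; on a resolver that already sees many legitimate TXT lookups, also counting TXT responses by size is a cheap second signal.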