Finding and Decoding Multi-Step Obfuscated Malware


Recently, in the process of a threat investigation, Trend Micro researchers found an interesting event.

A process (nslookup.exe) that tried to connect to a malicious URL that was already blocked by trend Micro solutions. We could have stopped at this point, but searching for the root cause is part of managed detection and response (MDR) — we needed to learn why this event happened in the first place and prevent it from happening in the future.

The process in question is nslookup.exe, a network administration command-line tool used for querying the DNS. Therefore, this process performing a URL request is not unusual — at first glance. Neither is this action, by itself, malicious. However, why would anyone (aside from security researchers) query a malicious URL via nslookup in the first place?

Read more…
Source: Trend Micro