A “completely undetectable” backdoor was exposed thanks to the reckless behavior of the malware’s own operators.
Cybersecurity researchers at SafeBreach Labs say they have found a previously unknown PowerShell backdoor that, once launched, gives attackers remote access to the compromised endpoint. From there, the attackers can carry out any number of second-stage attacks, from information theft to ransomware and everything in between.
According to the report, an unknown threat actor built a weaponized Word document named “ApplyForm[.]doc”. It carried a macro that, once enabled, launched a previously unseen PowerShell script.
Dropping the ball with scripts
“The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update that will execute the updater.vbs script from a fake update folder in the ‘%appdata%\local\Microsoft\Windows’ folder,” the researchers explain.
Updater.vbs in turn runs a PowerShell script that gives the attacker remote access to the machine.
Before the scheduled task ever fires, the macro writes out two PowerShell scripts, Script.ps1 and Temp.ps1. Their contents are not embedded as obvious script bodies; they are hidden in text boxes inside the Word document, and the macro extracts them and saves them into the fake update directory. According to the researchers, this is why antivirus solutions did not flag the file as malicious.
Script.ps1 contacts the command-and-control (C2) server, which assigns the victim an ID and returns further instructions. Script.ps1 then runs Temp.ps1, which stores information and executes the commands it receives.
The attackers slipped up by handing out victim IDs in a predictable sequence, which let the researchers impersonate victims and read the commands the C2 server was sending to each of them.
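The chain described above leaves two things behind on a compromised host: the three dropped scripts under the user’s AppData tree, and a scheduled task that pretends to be a Windows update but runs a .vbs from a user-writable folder. The hunt script below is an added example, written for this page and not taken from the SafeBreach report or the article; it matches on those behaviors rather than on fixed names, because the page does not give the exact folder name or task name the campaign used. The file names updater.vbs, Script.ps1 and Temp.ps1 come from the report; checking both the Roaming and Local AppData roots is an assumption made because the quoted path is ambiguous.

```powershell
# Added hunt script (not the article's or SafeBreach's code). Looks for the artifacts
# of the described chain on the local host:
#   1. the dropped scripts updater.vbs / Script.ps1 / Temp.ps1 under AppData
#   2. a scheduled task whose action runs a .vbs or .ps1 out of an AppData path
# Assumption: the campaign's exact folder and task names are unknown, so matching is
# by file name and by where the task's command line lives, not by a fixed path.

$iocNames = @('updater.vbs', 'Script.ps1', 'Temp.ps1')
$findings = New-Object System.Collections.Generic.List[object]

# The article gives the parent as %appdata%\local\Microsoft\Windows. Rather than trust
# one expansion, search both the Roaming and Local AppData roots (assumption).
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }

# 1. Dropped scripts: any of the three IOC file names anywhere under AppData.
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $iocNames -contains $_.Name } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type   = 'File'
                Detail = $_.FullName
                Seen   = $_.CreationTime
            })
        }
}

# 2. Persistence: a scheduled task whose action executes a script from AppData.
#    Genuine Windows Update tasks run binaries from %SystemRoot%, never from a
#    user profile directory, so this alone is worth a look regardless of task name.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute/Arguments; other action types yield empty strings.
        $cmdLine = "$($action.Execute) $($action.Arguments)"
        if ($cmdLine -match '(?i)appdata[^"]*\.(vbs|ps1)\b') {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath `
                        -ErrorAction SilentlyContinue
            $findings.Add([pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $cmdLine"
                Seen   = $info.LastRunTime
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the described chain found on this host.'
} else {
    $findings | Sort-Object Type | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile you want to inspect (the scheduled-task check needs no elevation to enumerate tasks, but reading other users’ AppData does). A hit on the scheduled-task check with a task name that mentions “update” is the combination the article describes; the file check on its own catches the case where the task has already been removed but the scripts were left behind.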
Who is behind the attack remains a mystery. The malicious Word document was sent from Jordan in late August this year and has so far compromised about a hundred devices, mostly belonging to people looking for new employment opportunities.
One reader of The Register described their own experience with this backdoor and offered advice to companies that want to limit the damage an unknown backdoor can do.
“I run an MSP and we were informed about it on October 3. The client was a 330-seat charity and I didn’t link it to this particular article until I read it this morning.”
“They have Zero Trust [ZT] and ringfencing, so while the macro ran, it didn’t get beyond Excel,” they said. “A subtle reminder to apply a ZT solution to critical environments, as it can stop things like zero.”
Via: The Register