A novel fully undetectable (FUD) PowerShell backdoor has been discovered that disguises itself as part of the Windows update process. The new backdoor appears to be the work of a sophisticated, unknown threat actor who has targeted about 100 victims, according to cybersecurity firm SafeBreach.
The attack is carried out via a malicious Word document with a macro that launches a PowerShell script. The file's metadata suggests that this campaign is likely part of a spear-phishing attack targeting LinkedIn users.
The macro drops a VBS script (updater.vbs), which creates a scheduled task pretending to be part of a Windows update and executes from a fake update folder.
Before executing the scheduled task, updater.vbs creates two PowerShell scripts (Script.ps1 and Temp.ps1) both obfuscated and fully undetectable. The content of both scripts is stored in text boxes in the Word document.
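One way a defender can hunt for this kind of persistence on a host, as an added example and not SafeBreach's code: the heuristics below (a task named like an update but living outside the Microsoft task folder, a script host as its action, a script file under a user-writable path) are my assumptions, not indicators from the write-up.

```powershell
# Added example: flag scheduled tasks that pose as Windows Update but launch scripts.
# Heuristics are the author's assumptions, not published SafeBreach indicators.
function Get-SuspiciousUpdateTasks {
    $scriptHosts  = 'wscript|cscript|powershell|pwsh|mshta'
    $userWritable = '\\appdata\\|\\temp\\|\\programdata\\|\\users\\|\\public\\'

    Get-ScheduledTask |
      Where-Object { $_.TaskName -match 'update' -or $_.TaskPath -match 'update' } |
      ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ComHandler actions carry no command line; only Exec actions do.
            if (-not $action.Execute) { continue }

            # Expand %SystemRoot%-style variables so path checks see the real location.
            $cmd = [Environment]::ExpandEnvironmentVariables(
                       "$($action.Execute) $($action.Arguments)")

            $reasons = @()
            if ($task.TaskPath -notlike '\Microsoft\Windows\*')   { $reasons += 'not under \Microsoft\Windows\' }
            if ($action.Execute -match $scriptHosts)              { $reasons += 'launches a script host' }
            if ($action.Arguments -match '\.(vbs|ps1|js|bat)\b')   { $reasons += 'runs a script file' }
            if ($cmd -match $userWritable)                        { $reasons += 'references a user-writable path' }

            # Legitimate update tasks rarely trip more than one of these at once.
            if ($reasons.Count -ge 2) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    Command = $cmd
                    Reasons = $reasons -join '; '
                }
            }
        }
      }
}

Get-SuspiciousUpdateTasks | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so tasks registered by other principals are enumerated; review each hit's Command path and Author rather than treating a match as confirmation.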
Script.ps1 connects to a command-and-control (C2) server and, using the victim's unique ID, retrieves the commands to execute.
“Here, the threat actor made a crucial operations security mistake by using predictable victims’ IDs. We developed a script that pretended to be each victim and recorded the C2 responses (commands) in a pcap file, then ran a second tool we developed to extract the encrypted commands from the pcap,” the researchers noted.
The experts ran the command for each victim and were able to determine what the malware was doing.
Additional details, as well as Indicators of Compromise related to the new threat, are available in SafeBreach’s technical write-up.