SafeBreach Labs researchers recently uncovered a new fully undetectable (FUD) PowerShell backdoor that uses a novel approach to disguise itself as part of the Windows update process.
“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” SafeBreach director of security research Tomer Bar wrote in a blog post today detailing the findings.
Twitter user @StopMalvertisin, Bar noted, also discovered the attack and posted a brief summary.
Phishing on LinkedIn
The attack is launched via a malicious Word document named “Apply Form.docm,” created in Jordan on August 25, 2022 (image above). The file’s metadata includes the phrases “Linkedin based job application” and “Employment / Job Application,” indicating it’s likely part of a LinkedIn-based spear-phishing attack.
The document contains macro code that drops updater.vbs and creates a scheduled task, disguised as part of a Windows update, to run the updater.vbs script from a fake update folder.
Before executing the scheduled task, updater.vbs creates two PowerShell scripts, Script.ps1 and Temp.ps1, both obfuscated and fully undetectable. The content of both scripts is stored in text boxes in the Word document.
The first of the two scripts connects to a command and control server to receive commands to be executed along with the victim’s unique ID. “When we first tested it, we got ID number 70, which means there were probably 69 victims prior to our test,” Bar wrote.
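Detection logic for the persistence step described above, written here as an added example rather than SafeBreach's or the threat actor's code: it scores scheduled-task creation records and flags tasks that are dressed up as update jobs but launch a .vbs through a script host from outside the Windows system directories. The task names, paths and record format are constructed for illustration and are not indicators from the report.

```python
# Constructed sample of scheduled-task creation records (not real telemetry):
# (task name, program the task action runs, arguments passed to it).
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     r"C:\Windows\System32\svchost.exe", "-k netsvcs -p"),
    # Constructed look-alike: name and folder say "update", action is a VBS host.
    ("\\Microsoft\\Windows\\UpdateOrchestrator\\Updater",
     r"C:\Windows\System32\wscript.exe",
     r"C:\Users\Public\Windows Update\updater.vbs"),
    ("\\Adobe Acrobat Update Task",
     r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", ""),
    ("\\Backup", r"C:\Windows\System32\wscript.exe", r"C:\Scripts\backup.vbs"),
]

# Script hosts that a scheduled task can use to run VBScript/HTA payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directories that Microsoft's own update components run from (heuristic list).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\windows\softwaredistribution")


def assess_task(name, program, args):
    """Return the reasons a task looks like a disguised update job.

    An empty list means the heuristics found nothing worth reviewing.
    """
    reasons = []
    host = program.rsplit("\\", 1)[-1].lower()
    lowered_args = args.lower()
    runs_vbs = host in SCRIPT_HOSTS and ".vbs" in lowered_args
    if runs_vbs:
        reasons.append(f"{host} runs a .vbs script")
        # Substring check rather than a path parse: task arguments may be
        # unquoted and contain spaces, as in the constructed sample above.
        if not any(d in lowered_args for d in TRUSTED_DIRS):
            reasons.append("script path is outside Windows system directories")
    if runs_vbs and "update" in (name + args).lower():
        reasons.append("task poses as an update job but runs a script host")
    return reasons


def find_suspicious(tasks):
    """Map each flagged task name to its reasons; clean tasks are omitted."""
    return {n: r for n, p, a in tasks if (r := assess_task(n, p, a))}


if __name__ == "__main__":
    for task, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```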
A Critical Mistake
That use of a predictable victim ID, Bar noted, was a critical mistake on the threat actor’s part, making it easy for the researchers to study the attack.
“We developed a script that pretended to be each victim and recorded the C2 responses (commands) in a pcap file, then ran a second tool we developed to extract the encrypted commands from the pcap,” he wrote.
After retrieving the commands for each victim ID in sequence, the researchers found the following breakdown of commands issued to victims so far:
- 66%: Exfiltrate process list command
- 23%: Empty command – Idle
- 7%: Local user enumeration – whoami and whoami /all + process list
- 2%: Remove files from public folder + net accounts + computer name, IP configuration
- 1%: List files in special folders – program files, downloads, desktop, documents, appdata
- 1%: Entire script for Active Directory user enumeration and RDP client enumeration
Bar’s blog post includes appendices detailing the associated Indicators of Compromise (IOCs) and PowerShell scripts.
Undetectable Threat Bypasses Scanners
“Our research team believes this threat is significant based on the fact that it is fully undetectable and was shown to bypass all the security vendors’ scanners under VirusTotal.com,” Bar said by email. “We strongly recommend that all security teams use the indicators of compromise (IOCs) we identified to better detect and protect themselves against this threat.”
“We also suggest that the security mistakes we discovered by this threat actor be used by blue teams in their future digital forensics and incident response (DFIR) investigations,” he added.