A “fully undetectable” backdoor has been brought to light thanks to the malware (opens in new tab) operators’ reckless behavior.
Cybersecurity researchers from SafeBreach Labs claim to have detected a brand new PowerShell backdoor which, when executed properly, gives attackers remote access to compromised endpoints. From there, the attackers could launch all kinds of stage-two attacks, from infostealers, to ransomware (opens in new tab), and everything in-between.
According to the report, an unknown threat actor created a weaponized Word document, called “ApplyForm[.]docm”. It carried a macro which, if activated, launched an unknown PowerShell script.
Dropping the ball with scripts
“The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under ‘%appdata%\local\Microsoft\Windows,” the researchers explained.
Updater.vbs would then run a PowerShell script that would give the attacker remote access.
Before running the scheduled task, the malware generates two PowerShell scripts – Script.ps1 and Temp.ps1. The contents are hidden and placed in text boxes inside the Word file, which is then saved in the fake update directory. That way, antivirus solutions fail to identify the file as malicious.
Script.ps1 reaches out to the command & control server to assign a victim ID, and to receive further instructions. Then, it runs the Temp.ps1 script, which stores information, and runs the commands.
The mistake the attackers made was issuing victim IDs in a predictable sequence, allowing researchers to listen in on the conversations with the C2 server.
While who’s behind the attack remains a mystery, the malicious Word document was uploaded from Jordan in late August this year, and has compromised approximately one hundred devices so far, usually belonging to people looking for new employment opportunities.
One reader of The Register (opens in new tab) described their experience with the backdoor, offering advice to enterprises looking to mitigate the damage that unknown backdoors can cause.
“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning.”
“They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn’t make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this.”
Via: The Register (opens in new tab)