Stealthy Windows PowerShell backdoor discovered by researchers

'Fully undetectable' backdoor cannot be discovered by any security tool on VirusTotal and seems to have been developed by a skilled actor

Researchers at SafeBreach Labs claim to have uncovered a new 'fully undetectable' (FUD) PowerShell backdoor that masquerades as a component of the Windows update process to remain completely hidden from anti-malware software.

Fully undetectable backdoors are ones that are impossible to detect using any security software.

Tomer Bar, director of security research at SafeBreach, wrote in a blog post that this new malware was able to evade detection by all security scanners hosted on VirusTotal.com.

Bar said that the backdoor and its associated command-and-control (C2) backend seem to have been created by a skilled but unknown actor.

The attack campaign begins with a malicious Word document containing macro code that runs a PowerShell script. The document, named 'Apply Form.docm', was uploaded from Jordan on 25th August 2022.

The file's metadata suggests that this campaign was associated with an alleged spearphishing lure based on a LinkedIn job application.

The infection process starts as soon as the recipient allows the macro in the Word document to execute.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows'," explained Bar.

The updater.vbs script then executes a PowerShell script that opens a remote-control backdoor on the box.

According to Bar, the malware generates two PowerShell scripts, Script.ps1 and Temp.ps1, before starting the scheduled task.

Their content is obfuscated and stored in text boxes within the Word document before being written to the fake update directory. As a result, VirusTotal fails to detect the scripts' presence.

Script.ps1 makes a connection to the C2 server to get an ID number for the victim and to retrieve commands to carry out.

It then executes the Temp.ps1 script, which, depending on the parameters that were supplied to it by the first script, will either store data or run PowerShell commands.
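As an added defensive example (not code from the SafeBreach write-up), the following PowerShell enumerates scheduled tasks and flags the combination the chain above relies on: a task, typically update-themed, that launches a script interpreter on a .vbs or .ps1 file under a user-writable AppData or Temp path. The indicator names, regular expressions and the two-indicator threshold are assumptions chosen for this illustration.

```powershell
# Added example, not the malware author's or SafeBreach's code.
# Hunts for scheduled tasks that run a script interpreter from a user-writable
# location, as the article describes (a fake "Windows update" task running
# updater.vbs from a folder under %appdata%\local\Microsoft\Windows).
# Run in an elevated session so tasks of all users are visible.
$interpreters = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe'
# A genuine Windows Update task never launches its payload from these roots.
$userWritable = '(?i)(\\AppData\\|%(appdata|localappdata|temp|tmp)%)'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a command line; ComHandler actions do not.
        if (-not $action.Execute) { continue }
        $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hits = @()
        if ($interpreters -contains $exe.ToLower()) { $hits += 'script interpreter' }
        if ($cmd -match $userWritable)              { $hits += 'user-writable path' }
        if ($cmd -match '(?i)\.(vbs|ps1)\b')        { $hits += 'script file' }
        if ($task.TaskName -match '(?i)update' -and $task.TaskPath -notmatch '^\\Microsoft\\') {
            $hits += 'update-themed name outside \Microsoft\'
        }
        # Report only when an interpreter is combined with another indicator;
        # the naming heuristic alone would be too noisy (assumed threshold).
        if ($hits.Count -ge 2 -and $hits -contains 'script interpreter') {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Command    = $cmd
                Indicators = $hits -join ', '
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Each reported task should then be cross-checked against its registration event (Event ID 4698 in the Security log) and the dropped script contents before removal.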

Bar said the threat actor committed a critical operational security mistake by assigning predictable victim IDs.

Because of this, the researchers were able to write a script that submitted each victim's identifier to the backend, allowing them to record the resulting interactions with the C2 server via packet capture.

With the help of a further tool, SafeBreach Labs extracted the encrypted commands from the captured packets and reconstructed how the malware works and the activities it carried out.