SafeBreach Labs discovered a new fully undetectable (FUD) PowerShell backdoor malware for securing remote access to Windows systems through masquerading.
What happened?
The company's advisory explains that the somewhat stealthy subversive software’s associated C2 backend appears to have been developed by an unknown miscreant.
The researchers capitalized as the attacker messed up by issuing victim identifiers in a predictable sequence that allowed SafeBreach researchers to identify the PowerShell phishing campaign.
Operational details
The malicious Word document called Apply Form[.]docm that serves as the attack's starting point contains a macro that begins an unidentified PowerShell script. The material was uploaded from Jordan on August 25 according to Labs researchers.
The file appears to have been a component of a PowerShell phishing campaign that was created to look like a LinkedIn job offer in order to trick people into opening it. For an infection to succeed, the target must consent to the macro running.
Not much is available regarding the attack targets. SafeBreach estimates that roughly 100 victims will likely be impacted. The attackers engaged in phishing attacks intended only for job seekers.
The attack
The macro deletes the file updater.vbs, makes a scheduled job that appears to be a component of a Windows update, and runs the updater.vbs script from a phony update folder.
The PowerShell script that opens a remote-control backdoor on the box is then executed by the updater.vbs script.
Two PowerShell scripts, Script.ps1 and Temp.ps1, are produced by the virus. They disguise their material, save it in the Word document, then save it to the false update directory.
To assign a victim ID number and retrieve orders to run, Script.ps1 makes a call to the C2 server. It launches the Temp.ps1 script, which can be used to store data or conduct a PowerShell backdoor.
Closing lines
Microsoft recently modified the Office programs' default settings to prevent macros from being used in files that were downloaded from the internet. This attack method is ineffective if macros are turned off. However, the FUD PowerShell backdoor malware would operate and spy on the victim if the threat actor utilizes a different attack vector.