The SafeBreach Labs research team has detected a new fully undetectable (FUD) PowerShell backdoor that masquerades itself as part of the Windows update process.
“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” Tomer Bar, director of security research at SafeBreach.
The Working of the FUD Powershell Backdoor
This attack initially begins with a weaponized Word document that consists of a macro code that launches an unknown PowerShell script.
Researchers say metadata of the file discloses this campaign was associated with an alleged LinkedIn-based job application ‘spearphishing lure’.
In this case, two PowerShell scripts are designed, the first one is to connect to a remote command-and-control (C2) server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script.
Also, researchers say the threat actor made a crucial operations security mistake by using predictable victims’ IDs. The attacker messed up by issuing victim identifiers in a predictable sequence.
During the analysis, a few notable commands were issued like exfiltrating the list of running processes, enumerating files in specific folders, launching whoami, and deleting files under the public user folders.
Notably, Microsoft in recent times changed the default behavior of Office apps to block macros in files downloaded from the internet.
Reports say, Microsoft has taken steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, prompting threat actors to pivot to alternative delivery methods.
Therefore, researchers say “this unrecognized type of malware managed to bypass all the security vendors’ scanners under VirusTotal.com”.
Cyber Attack with Zero Trust Networking – Download Free E-Book