>
The malware has revealed a “completely undetectable” backdoor (opens in new tab) reckless behavior of operators.
Cybersecurity researchers at SafeBreach Labs claim to have detected a brand new PowerShell backdoor that, if executed correctly, allows attackers to remotely access compromised endpoints. From there, the attackers were able to launch all kinds of phase two attacks, from infostealers to ransomware (opens in new tab)and everything in between.
According to the report, an unknown threat actor has created a weaponized Word document called “ApplyForm”[.]docm”. It contained a macro that, when activated, launched an unknown PowerShell script.
Drop the ball with scripts
“The macro drops updater.vbs, creates a scheduled task that occurs as part of a Windows update, which will run the updater.vbs script from a fake update folder under ‘%appdata%localMicrosoftWindows’ , the researchers explain.
Updater.vbs would then run a PowerShell script that would give the attacker remote access.
Before running the scheduled task, the malware generates two PowerShell scripts: Script.ps1 and Temp.ps1. The content is hidden and placed in text boxes in the Word file, which is then saved in the fake updates folder. That way, antivirus solutions cannot identify the file as malicious.
Script.ps1 contacts the command & control server to assign a victim ID and receive further instructions. It then runs the Temp.ps1 script, which stores information, and executes the commands.
The mistake the attackers made was issuing victim IDs in a predictable order, allowing investigators to eavesdrop on conversations with the C2 server.
While it remains a mystery who is behind the attack, the malicious Word document was uploaded from Jordan in late August this year and has compromised about a hundred devices so far, mostly belonging to people looking for a new job.
A reader of The register (opens in new tab) described their experience with the backdoor and offered advice to companies looking to limit the damage unknown backdoors can cause.
“I run an MSP and we were made aware of this on October 3rd. The client was a 330-seat charity and I didn’t link it to this particular article until I read it this morning.”
“They have no confidence” [ZT] and Ringfencing, so even though the macro was running, it didn’t get outside of Excel,” they said. “A subtle reminder to include a ZT solution in critical environments because it can stop zero-day things like this.”
Through: The register (opens in new tab)