SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.
More significantly, the malware may backdoor your Windows system by masquerading as part of the update process.
Tomer Bar, director of security research at SafeBreach, explains in an advisory that the software nasty and associated command-and-control (C2) backend appear to have been developed by a competent unknown miscreant – though one not savvy enough to avoid mistakes that allowed SafeBreach researchers to figure out what was going on, natch.
“The attack starts with a malicious Word document, which includes a macro that launches an unknown PowerShell script,” said Bar. “The name of the Word document is ‘Apply Form[.]docm.'”
According to Bar, the malicious Word document was uploaded from Jordan on August 25, 2022.
The file appears to have been part of a phishing campaign designed to look like a LinkedIn-based job offer, in order to entice victims to open it. The mark would have to allow the macro in the Word document to run for an infection to be successful.
Asked to provide more details, a SafeBreach spokesperson said, “We don’t have additional information about the targets, but we believe that this is a sophisticated targeted attack, possibly related to the phishing attempts targeted at job seekers.”
About 100 victims are said to have been affected.
“The macro drops
updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under
'%appdata%\local\Microsoft\Windows,” explained Bar.
updater.vbs script then runs a PowerShell script that opens a remote-control backdoor on the box.
According to Bar, prior to executing the scheduled task, the malware creates two PowerShell scripts,
Temp.ps1. Their content gets obfuscated and stored in text boxes within the Word file and gets saved to the fake update directory. As such, the scripts don’t get detected in VirusTotal.
Script.ps1 calls out to the C2 server to assign a victim ID number and to fetch commands to execute. It runs the
Temp.ps1 script, which will store information or execute PowerShell commands depending on the parameters passed by the initial script.
According to Bar, the attacker messed up by issuing victim identifiers in a predictable sequence. This allowed the security researchers to develop a script that presented each victim’s identifier to the backend system, so they could record the interactions with the C2 server in a packet capture. Thereafter they were able to use a second tool to extract the encrypted commands from the captured packets and decipher what the malware was doing.
Microsoft recently changed the default behavior of Office apps to block macros in files downloaded from the internet, something previously possible through a Trust Center policy.
We asked SafeBreach whether this might offer any protection.
“Yes, if macros are disabled, this attack vector won’t work,” a spokesperson said. “But if the threat actor uses a different attack vector (exploits for example instead of macros), the FUD PowerShell malware would work and spy on the victim.”