Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.
“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” Tomer Bar, director of security research at SafeBreach, said in a new report.
Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code.
“The Macro drops ‘updater.vbs,’ creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under ‘%appdata%\local\Microsoft\Windows,'” Tomar said.
The PowerShell script (Script1.ps1) is designed to connect to a remote command-and-control (C2) server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script (temp.ps1).
But an operational security error made by the actor by using a trivial incremental identifier to uniquely identify each victim (i.e., 0, 1, 2, etc.) allowed for reconstructing the commands issued by the C2 server.
Some of the notable instructions transmitted consist of exfiltrating the list of running processes, enumerating files in specific folders, launching whoami, and deleting files under the public user folders.
As of writing, 32 security vendors and 18 anti-malware engines flag the decoy document and the PowerShell scripts as malicious, respectively.
The findings come as Microsoft has taken steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, prompting threat actors to pivot to alternative delivery methods.