A “completely undetectable” backdoor was brought to light thanks to the careless behavior of the malware’s operators.
Cybersecurity researchers at SafeBreach Labs claim to have discovered a brand new PowerShell backdoor that, if executed properly, gives attackers remote access to compromised endpoints. From there, attackers could launch all manner of second-tier attacks, from infostealers to ransomware and everything in between.
According to the report, an unknown attacker stole a weaponized Word document called “ApplyForm[.]docm”. It contained a macro that, when activated, launched an unknown PowerShell script.
Drop the ball with scripts
“The macro deletes updater.vbs, creates a scheduled task pretending to be part of a Windows update that runs the updater.vbs script from a fake update folder at ‘%appdata%\local\Microsoft\Windows’,” the researchers explained.
Updater.vbs would then run a PowerShell script granting remote access to the attacker.
Before running the scheduled task, the malware generates two PowerShell scripts, Script.ps1 and Temp.ps1. Their contents are hidden inside text boxes within the Word file and are written out to the fake update directory, which is why antivirus solutions failed to identify the file as malicious.
Script.ps1 contacts the Command & Control server to assign a victim ID and receive further instructions. Then it runs the Temp.ps1 script that saves information and runs the commands.
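As an added example (not code from the article or from SafeBreach), the following PowerShell hunt surfaces the persistence chain described above on an endpoint: the dropped scripts in the fake update folder, and any scheduled task that launches a .vbs or .ps1 from a user-profile path or calls itself an update. The article does not give the scheduled task’s name, so the name match is an assumption.

```powershell
# Hunt for the persistence described in the article: a scheduled task posing as a
# Windows update that runs updater.vbs from %APPDATA%\local\Microsoft\Windows,
# plus the dropped Script.ps1 / Temp.ps1. Assumed (not from the article): the
# task name contains "update"; tune the patterns to your environment.

$fakeDir      = Join-Path $env:APPDATA 'local\Microsoft\Windows'
$droppedFiles = @('updater.vbs', 'Script.ps1', 'Temp.ps1')
$findings     = @()

# 1. Dropped artifacts in the fake update directory
foreach ($name in $droppedFiles) {
    $path = Join-Path $fakeDir $name
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type   = 'File'
            Detail = $path
            Extra  = ('{0} bytes, modified {1}' -f $f.Length, $f.LastWriteTime)
        }
    }
}

# 2. Scheduled tasks whose action runs a script from a user profile path.
# Genuine Windows Update tasks live under \Microsoft\Windows\WindowsUpdate and
# run binaries from %SystemRoot%, never .vbs/.ps1 files from %APPDATA%.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd         = "$($a.Execute) $($a.Arguments)"
        $runsScript  = ($cmd -match '\.(vbs|ps1)\b')
        $fromProfile = ($cmd -match [regex]::Escape($env:APPDATA)) -or ($cmd -match '(?i)\\AppData\\')
        $looksUpdate = ($task.TaskName -match '(?i)update')   # assumption, see lead-in
        if ($runsScript -and ($fromProfile -or $looksUpdate)) {
            $findings += [pscustomobject]@{
                Type   = 'Task'
                Detail = "$($task.TaskPath)$($task.TaskName)"
                Extra  = $cmd
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

Treat hits as candidates for review rather than verdicts: some vendor tasks legitimately run scripts with “update” in their name, but none should do so from a user’s AppData folder.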
The mistake the attackers made was to issue victim IDs in a predictable order, allowing researchers to eavesdrop on conversations with the C2 server.
Who is behind the attack remains a mystery, but the malicious Word document was uploaded from Jordan in late August this year and has so far compromised about a hundred devices, usually owned by people looking for new employment opportunities.
A reader of The Register described their experiences with the backdoor and offered advice to companies looking to mitigate the damage that unknown backdoors can cause.
“I run an MSP and we were made aware of this on October 3rd. The client was a 330-seat charity and I didn’t link it to this particular article until I read it this morning.”
“You have zero trust [ZT] and ringfencing, so the macro ran but didn’t make it outside of Excel,” they said. “A subtle reminder to integrate a ZT solution in critical environments as it can stop such zero-day stuff.”
Via: The Register
Source: https://www.techradar.com/news/reckless-malware-operators-squandered-an-undetectable-windows-backdoor (“Reckless malware operators squandered an ‘undetectable’ Windows backdoor”)