Reckless malware operators squandered an “undetectable” Windows backdoor
And they would have gotten away with it too if it weren’t for those meddling cybersecurity experts
A “fully undetectable” backdoor has been brought to light thanks to the malware operators’ reckless behavior.
Cybersecurity researchers from SafeBreach Labs claim to have detected a brand new PowerShell backdoor which, when executed properly, gives attackers remote access to compromised endpoints. From there, the attackers could launch all kinds of stage-two attacks, from infostealers, to ransomware, and everything in-between.
According to the report, an unknown threat actor created a weaponized Word document, called “ApplyForm[.]docm”. It carried a macro which, if activated, launched an unknown PowerShell script.
Dropping the ball with scripts
“The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under ‘%appdata%\local\Microsoft\Windows’,” the researchers explained.
Updater.vbs would then run a PowerShell script that would give the attacker remote access.
Before running the scheduled task, the malware generates two PowerShell scripts - Script.ps1 and Temp.ps1. The contents are hidden and placed in text boxes inside the Word file, which is then saved in the fake update directory. That way, antivirus solutions fail to identify the file as malicious.
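The persistence chain above (a task that impersonates Windows Update but launches updater.vbs from a folder under the user profile) is a hunting lead for defenders. The following Python script is an added example, not code from the article or from SafeBreach, and the two Security event 4698 (scheduled task created) records it inspects are constructed samples: one genuine update task and one look-alike whose action points at the article's fake update folder.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used in the TaskContent field of Security event 4698
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "mshta"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|ps1|js|hta)\b", re.I)
USER_PATH = re.compile(r"%appdata%|%localappdata%|%userprofile%|\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_PATH = re.compile(r"^(%systemroot%|%windir%|%programfiles%|[a-z]:\\(windows|program files))", re.I)

# Constructed sample records (task name -> TaskContent XML): a genuine update task and a
# look-alike whose action runs updater.vbs from the user-profile folder named in the article.
SAMPLES = {
    r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%SystemRoot%\system32\usoclient.exe</Command><Arguments>StartScan</Arguments></Exec></Actions>
</Task>""",
    r"\Microsoft\Windows\Windows Update Check": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>wscript.exe</Command><Arguments>"%appdata%\local\Microsoft\Windows\updater.vbs"</Arguments></Exec></Actions>
</Task>""",
}

def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in the task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        yield ex.findtext("t:Command", "", NS).strip(), ex.findtext("t:Arguments", "", NS).strip()

def suspicious_reasons(task_name, task_xml):
    """Return the reasons a task deserves review (empty list means nothing matched)."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        exe = cmd.strip('"').rsplit("\\", 1)[-1].split(".")[0].lower()
        line = f"{cmd} {args}"
        # Rule 1: a script host launching a script that lives in a user-writable profile path
        if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(args) and USER_PATH.search(line):
            reasons.append(f"script host runs script from user profile path: {line}")
        # Rule 2: update-themed name, but the action is not an absolute path in a system directory
        # (a bare name such as wscript.exe is deliberately treated as not-system)
        if "update" in task_name.lower() and not SYSTEM_PATH.match(cmd.strip('"')):
            reasons.append(f"update-themed task runs non-system binary: {cmd}")
    return reasons

def scan(samples=SAMPLES):
    """Map each task name to its list of review reasons."""
    return {name: suspicious_reasons(name, xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", reasons or "clean")
```

The same two rules apply unchanged to tasks exported with `schtasks /query /xml` or to 4698 events pulled from a SIEM, so the constructed samples can be swapped for real records.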
Script.ps1 reaches out to the command & control server to assign a victim ID, and to receive further instructions. Then, it runs the Temp.ps1 script, which stores information, and runs the commands.
The mistake the attackers made was issuing victim IDs in a predictable sequence, allowing researchers to listen in on the conversations with the C2 server.
While who’s behind the attack remains a mystery, the malicious Word document was uploaded from Jordan in late August this year, and has compromised approximately one hundred devices so far, usually belonging to people looking for new employment opportunities.
One reader of The Register described their experience with the backdoor, offering advice to enterprises looking to mitigate the damage that unknown backdoors can cause.
“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."
“They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn’t make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this.”
Via: The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.