URL: https://www.msn.com/en-us/news/technology/fully-undetectable-windows-backdoor-gets-detected/ar-AA136Pig?ocid=entnews...
SAFEBREACH SUPPOSEDLY SPOTS SOMEWHAT STEALTHY SUBVERSIVE SOFTWARE

SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell
backdoor, which calls into question the accuracy of threat naming.…

More significantly, the malware may backdoor your Windows system by masquerading
as part of the update process.

Tomer Bar, director of security research at SafeBreach, explains in an advisory
that the software nasty and associated command-and-control (C2) backend appear
to have been developed by a competent unknown miscreant – though one not savvy
enough to avoid mistakes that allowed SafeBreach researchers to figure out what
was going on, natch.

"The attack starts with a malicious Word document, which includes a macro that
launches an unknown PowerShell script," said Bar. "The name of the Word document
is 'Apply Form[.]docm.'"

According to Bar, the malicious Word document was uploaded from Jordan on August
25, 2022.

The file appears to have been part of a phishing campaign designed to look like
a LinkedIn-based job offer, in order to entice victims to open it. The mark
would have to allow the macro in the Word document to run for an infection to be
successful.

Asked to provide more details, a SafeBreach spokesperson said, "We don't have
additional information about the targets, but we believe that this is a
sophisticated targeted attack, possibly related to the phishing attempts
targeted at job seekers."

About 100 victims are said to have been affected.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of
a Windows update, which will execute the updater.vbs script from a fake update
folder under '%appdata%\local\Microsoft\Windows'," explained Bar.

The updater.vbs script then runs a PowerShell script that opens a remote-control
backdoor on the box.

According to Bar, before the scheduled task ever fires, the macro also writes out
two PowerShell scripts, Script.ps1 and Temp.ps1. Both are stored, obfuscated, in
text boxes inside the Word document and are written to the fake update directory
at run time, which is why neither was being flagged on VirusTotal.

Script.ps1 calls out to the C2 server to assign a victim ID number and to fetch
commands to execute. It runs the Temp.ps1 script, which will store information
or execute PowerShell commands depending on the parameters passed by the initial
script.
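The persistence chain described above (a scheduled task dressed up as Windows Update that runs a .vbs from a user-writable AppData folder) is a pattern defenders can hunt for without knowing the exact task name. The following is an added example, not SafeBreach's or The Register's code: it scores each scheduled-task action on whether it launches a script interpreter or script file from a profile path while carrying an "update"-flavoured name or sitting in a Microsoft task folder. The task names, folder and arguments in the constructed samples are invented to mirror the article's description; on a real Windows host the live enumeration uses the built-in Get-ScheduledTask cmdlet.

```powershell
# Added example (not from the article or SafeBreach): hunt for scheduled tasks that
# masquerade as Windows Update but launch a script interpreter from a user-writable
# path. Test-SuspiciousTask is pure logic and runs anywhere PowerShell runs; the
# constructed sample records at the bottom exercise it offline.

function Test-SuspiciousTask {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $TaskPath,
        [Parameter(Mandatory)] [string] $Execute,
        [string] $Arguments = ''
    )
    $reasons = @()
    $cmdline = "$Execute $Arguments"   # -match is case-insensitive by default

    # Interpreters that a genuine Windows Update component never schedules.
    if ($Execute -match '\b(wscript|cscript|powershell|pwsh|mshta)(\.exe)?$') {
        $reasons += "script interpreter: $Execute"
    }
    # A script file anywhere on the command line (updater.vbs in the article).
    if ($cmdline -match '\.(vbs|vbe|ps1|js|jse|hta)\b') {
        $reasons += 'script file on command line'
    }
    # Anything run from the user profile is user-writable; real update binaries
    # live under %SystemRoot%. Single quotes keep the backslashes literal.
    if ($cmdline -match '(%appdata%|%localappdata%|%temp%|\\Users\\[^\\]+\\AppData\\)') {
        $reasons += 'runs from user-writable profile path'
    }
    # The lure itself: an "update" name or a \Microsoft\Windows\ folder plus any hit above.
    $looksLikeUpdate = ($TaskName -match 'update') -or ($TaskPath -match '\\Microsoft\\Windows\\')
    if ($looksLikeUpdate -and $reasons.Count -gt 0) {
        $reasons += 'masquerades as Windows Update / built-in task'
    }

    [pscustomobject]@{
        Task       = "$TaskPath$TaskName"
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Find-SuspiciousScheduledTasks {
    # Live hunt on Windows (ScheduledTasks module). Each task may have several actions.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute
            Test-SuspiciousTask -TaskName $task.TaskName -TaskPath $task.TaskPath `
                                -Execute $a.Execute -Arguments ([string]$a.Arguments)
        }
    } | Where-Object Suspicious
}

# Constructed samples (invented names): the first mimics the task the article
# describes, the second is shaped like a legitimate update task for contrast.
$samples = @(
    @{ TaskName  = 'WindowsUpdateCheck'
       TaskPath  = '\Microsoft\Windows\WindowsUpdate\'
       Execute   = 'wscript.exe'
       Arguments = '"%appdata%\local\Microsoft\Windows\updater.vbs"' },
    @{ TaskName  = 'Scheduled Start'
       TaskPath  = '\Microsoft\Windows\WindowsUpdate\'
       Execute   = 'C:\Windows\system32\sc.exe'
       Arguments = 'start wuauserv' }
)
foreach ($s in $samples) { Test-SuspiciousTask @s } | Format-Table -AutoSize
# Expected: the first row is Suspicious=True with four reasons, the second False.
```

Run `Find-SuspiciousScheduledTasks` on an endpoint to apply the same scoring to the live task store; any task that trips the "masquerades" reason deserves a look at the file it points to, since the script bodies themselves may be clean on VirusTotal exactly as the article describes.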

According to Bar, the attacker slipped up by issuing victim identifiers in a
predictable sequence. That let the researchers write a script that presented
each victim's identifier in turn to the backend and recorded the C2 server's
responses in a packet capture. A second tool then pulled the encrypted commands
out of the capture and decrypted them, revealing what the malware was being
told to do.

Microsoft recently changed the default behavior of Office apps to block macros
in files that carry the Mark of the Web, i.e. files downloaded from the
internet, something previously possible only by enabling a Trust Center policy.

We asked SafeBreach whether this might offer any protection.

"Yes, if macros are disabled, this attack vector won't work," a spokesperson
said. "But if the threat actor uses a different attack vector (exploits for
example instead of macros), the FUD PowerShell malware would work and spy on the
victim." ®
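Two checks follow from that exchange: whether a downloaded lure like "Apply Form[.]docm" actually carries the Mark of the Web that the macro block keys on, and whether the Trust Center policy enforcing the block is in place regardless of the Office build's default. The following is an added example, not code from the article or SafeBreach. It reads the Zone.Identifier alternate data stream (ZoneId=3 means Internet zone) and inspects or sets the documented Word policy value; the download path is invented, and the policy location assumes Office 2016 or later (version key 16.0).

```powershell
# Added example (not from the article): verify the delivery-stage controls.
# 1) Mark of the Web: a file downloaded from the internet carries a Zone.Identifier
#    stream with ZoneId=3; Office's internet-macro block only applies to such files.
# 2) Trust Center policy "Block macros from running in Office files from the Internet",
#    stored as the DWORD blockcontentexecutionfrominternet under the Office policy key.

function Get-MotwZone {
    param([Parameter(Mandatory)] [string] $Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null          # no stream: the file was never marked (or the mark was stripped)
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)$') { return [int] $Matches[1] }   # 3 = Internet
    }
    return $null
}

function Test-InternetMacroBlockPolicy {
    param([string] $App = 'Word', [string] $Version = '16.0')
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $v = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.blockcontentexecutionfrominternet -eq 1)
}

function Enable-InternetMacroBlockPolicy {
    param([string] $App = 'Word', [string] $Version = '16.0')
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                     -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage (invented download path; the file name is the lure from the article):
$lure = Join-Path $env:USERPROFILE 'Downloads\Apply Form.docm'
$zone = Get-MotwZone -Path $lure
if ($zone -ne 3) {
    Write-Warning "$lure is not marked as Internet-zone (ZoneId=$zone); the macro block will not apply."
}
if (-not (Test-InternetMacroBlockPolicy)) {
    Write-Warning 'Internet macro block is not enforced by policy for Word; enabling it.'
    Enable-InternetMacroBlockPolicy
}
```

The first warning is the one the spokesperson's caveat points at: if a file reaches the user without the mark (copied off a share, extracted from a container that drops the stream, or delivered by an exploit rather than a macro), the default block does nothing and the PowerShell stage runs exactly as described.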