Undetectable PowerShell backdoor discovered hiding as Windows update
SafeBreach researchers identified the backdoor, which they say went undetected on all major antivirus programs


Cyber security firm SafeBreach has warned of a fully undetectable (FUD) PowerShell backdoor using a novel attack methodology.
The backdoor, which researchers discovered in the wild, uses a PowerShell script to create a scheduled task on the victim’s system, disguised as a Windows update. To reinforce the deception, the task executes a script named ‘updater.vbs’ from a fake update folder located in the victim’s AppData folder.
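The persistence pattern described above is something a blue team can hunt for directly, because Windows stores every scheduled task as an XML file under C:\Windows\System32\Tasks. The following Python script is an added example written for this article, not SafeBreach’s code or anything recovered from the backdoor: it parses task definitions and flags any whose action runs a script file from a per-user AppData path, plus any update-themed task whose action is a script host such as wscript.exe rather than a Windows binary. The three sample task definitions, the victim path C:\Users\victim\AppData\Roaming\Update\updater.vbs and the two heuristics are constructed for illustration.

```python
"""Triage Windows scheduled-task definitions for the two traits described
in the write-up: a task that poses as a Windows update and runs a .vbs from
the user's AppData folder. Windows keeps each task as an XML file under
C:\\Windows\\System32\\Tasks; the heuristics below are this example's own."""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Trait 1: a script file referenced from a per-user AppData location.
APPDATA_RE = re.compile(r"(?:\\AppData\\|%(?:LOCAL)?APPDATA%)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|ps1)\b", re.IGNORECASE)
# Trait 2 (heuristic, assumed here): an "update"-themed task whose action is a
# script host rather than a Windows binary. Genuine Windows Update tasks do not
# launch wscript/cscript/powershell/mshta/cmd.
SCRIPT_HOST_RE = re.compile(
    r"(?:^|\\)(?:wscript|cscript|powershell|pwsh|mshta|cmd)(?:\.exe)?$", re.IGNORECASE)


def exec_actions(xml_text):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        yield cmd, args


def triage_task(name, xml_text):
    """Return a list of findings for one task; an empty list means nothing matched."""
    findings = []
    for cmd, args in exec_actions(xml_text):
        line = f"{cmd} {args}".strip()
        if SCRIPT_RE.search(line) and APPDATA_RE.search(line):
            findings.append(f"script launched from AppData: {line}")
        if "update" in name.lower() and SCRIPT_HOST_RE.search(cmd):
            findings.append(f"update-themed task runs a script host: {cmd}")
    return findings


def triage_all(tasks):
    """tasks: {task name: xml text or bytes}. Returns only the tasks with findings."""
    flagged = {}
    for name, xml_text in tasks.items():
        hits = triage_task(name, xml_text)
        if hits:
            flagged[name] = hits
    return flagged


def load_tasks_from_disk(root=r"C:\Windows\System32\Tasks"):
    """Read every task file under the Tasks folder on a live Windows host.
    The files are UTF-16 with an XML declaration, so they are passed as bytes
    and ElementTree honours the declared encoding."""
    tasks = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                tasks["\\" + os.path.relpath(path, root)] = fh.read()
    return tasks


# Constructed sample definitions (trimmed to the elements the triage reads);
# these are not the real task files. The second mirrors the described pattern:
# update-themed name, wscript launching updater.vbs from a fake AppData folder.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\system32\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Windows Update": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\Update\updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Backup\Nightly": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


if __name__ == "__main__":
    for task_name, hits in triage_all(SAMPLE_TASKS).items():
        print(task_name)
        for hit in hits:
            print("  -", hit)
```

On a live host, replace SAMPLE_TASKS with load_tasks_from_disk() (run elevated, since the Tasks folder is ACL-protected) and review the flagged entries by hand; the AppData rule is the high-signal one, while the script-host rule is a heuristic that will also catch legitimate admin tasks that happen to mention “update” in their name.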
SafeBreach noted that this novel vector of attack makes it particularly dangerous, as antivirus aggregator VirusTotal found the attack was able to bypass all security software tested. The backdoor has thus been marked as FUD in a blog post by SafeBreach.
Attacks originate with a Word document, named ‘Apply Form.docm’, containing macro code that deploys a malicious PowerShell script. Researchers identified the document as having been created in August 2022 in Jordan. The file’s metadata, containing the phrase ‘Linkedin based job application’, suggests a link to the LinkedIn-themed phishing campaigns that surged in 2022.
Prior to execution of the updater script, two separate PowerShell scripts titled ‘Script1.ps1’ and ‘Temp.ps1’ are created; their contents are stored in obfuscated form within text boxes in the Word document. Script1.ps1 establishes a connection with the operator’s command and control (C2) server and polls it for commands to execute. Commands arrive as AES-256-CBC encrypted strings, which the researchers were able to decrypt using the GCHQ-made web app CyberChef.
Each command begins with a value of 0, 1 or 2, and each value triggers a different action in the Temp.ps1 script. Commands beginning with 0 are executed directly, with the output encrypted using the same key and uploaded to a URL supplied by the C2. Commands beginning with 1 are read from a path designated by the C2 and executed, while those beginning with 2 are written to a designated path and then executed.
SafeBreach researchers identified the exact URL the script connects to using an HTTP GET request. On first contact, this returns a unique victim ID. The first test run by the team returned the number 70, leading to the conclusion that approximately 69 victims had been affected by the backdoor so far. Exploiting this coding flaw, the predictable, sequential IDs, the researchers wrote a script that impersonated each prior victim in turn and recorded the C2 commands it received.
Based on this information, SafeBreach has found that 66% of commands sent thus far have been data exfiltration requests, while a minority have sought to delete files from victims’ public folders, list files in their special folders, or return their IP address.
“Our research team believes this threat is significant because it is fully undetectable and was shown to bypass all the security vendors' scanners under VirusTotal.com,” Tomer Bar, director of security research at SafeBreach, told IT Pro.
“We strongly recommend that all security teams use the indicators of compromise (IOCs) we identified to better detect and protect themselves against this threat. We also suggest that the security mistakes we discovered by this threat actor be used by blue teams in their future digital forensics and incident response (DFIR) investigations.”
SafeBreach has added coverage for this backdoor to its security platform, and has listed all of the IOCs and PowerShell scripts it discovered in the blog post disclosing the threat.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.