Cybercriminals are using a novel, fully undetectable PowerShell backdoor in a recent series of attacks, seemingly focusing on exfiltrating data from compromised systems.
The perpetrators have targeted at least 60 so far and would’ve continued their spree undetected if not for an operations security mistake that gave their malicious operation away.
The initial phase of the attack consists of a phishing email hosting a malicious Word document attachment. Based on the file’s metadata, security experts believe that the campaign is likely tied to a LinkedIn job application spear phishing lure.
Upon further analysis, researchers discovered that it hosts malicious macros that deploy and execute an “updater.vbs” script. The script creates a scheduled task purporting to be a legitimate Windows update.
Before running the scheduled task, it generates two other PowerShell scripts, “Script.ps1” and “Temp.ps1,” using content hosted in obfuscated form by the malicious document.
“Script.ps1” establishes a connection to the threat actor’s command and control (C2, C&C) server, sends a target ID, and stands by for further commands transmitted securely using AES-256 CBC encryption.
The second script, “Temp.ps1,” decrypts the received commands, executes them, then encrypts and sends their results to the C2 through POST requests.
The crooks used a predictable ID count, which led researchers to conclude that the C&C previously received 69 more target IDs and helped them develop a script to decrypt the commands sent to each victim.
During the investigation, security experts discovered that most commands were used to exfiltrate data to the C2. The remainder helped the perps to enumerate files, users, and RDP clients and remove files and accounts from compromised systems.
Specialized security software such as Bitdefender Ultimate Security can steer you clear of backdoors and similar e-threats, thanks to an extensive library of features, including:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024