Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.
“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” Tomer Bar, director of security research at SafeBreach, said in a new report.
Attributed to an unnamed threat actor, attack chains involving the malware commence with a weaponized Microsoft Word document that, per the company, was uploaded from Jordan on August 25, 2022.
Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code.
“The Macro drops ‘updater.vbs,’ creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under ‘%appdata%\local\Microsoft\Windows,'” Tomar said.
images from Hacker News