
Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.

“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” Tomer Bar, director of security research at SafeBreach, said in a new report.

Attributed to an unnamed threat actor, attack chains involving the malware commence with a weaponized Microsoft Word document that, per the company, was uploaded from Jordan on August 25, 2022.

Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via an embedded macro.

“The macro drops ‘updater.vbs,’ creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under ‘%appdata%\local\Microsoft\Windows,’” Bar said.
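The two persistence indicators in that description, a scheduled task dressed up as Windows Update whose action is really a script host launching a file from a user-writable path, and script files sitting under a profile's `AppData\Local\Microsoft\Windows`, are both cheap to hunt for from an elevated PowerShell prompt. The script below is an added example, not SafeBreach's tooling or the attacker's code; the script-host list, the user-writable-path pattern, the `update` name heuristic, the file extensions, and the decision to sweep every profile under `C:\Users` are my assumptions and should be tuned to the estate. It relies only on the built-in `ScheduledTasks` module (Windows 8 / Server 2012 and later).

```powershell
# Added hunt script (not SafeBreach's or the attacker's code). The regexes,
# extension list and C:\Users sweep below are assumptions; tune for your estate.
# Run elevated so tasks registered by every user are visible.

# Image names typically used to run a dropped .vbs/.ps1 (assumed list).
$ScriptHosts  = '^(wscript|cscript|powershell|pwsh|mshta)(\.exe)?$'
# Paths a low-privileged user can write to, in expanded or %VAR% form.
# A genuine Windows Update task never runs script files from here.
$UserWritable = '(\\|%)(AppData|LocalAppData|ProgramData|Temp)(\\|%)'

function Find-SuspiciousUpdateTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # ComHandler / e-mail / message actions carry no Execute property.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if (($exe -match $ScriptHosts) -and ($cmd -match $UserWritable)) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    # True when the task name or folder mimics Windows Update,
                    # as the lure described in the report does.
                    LureName = [bool](($task.TaskPath + $task.TaskName) -match 'update')
                    Command  = $cmd
                    LastRun  = $info.LastRunTime
                }
            }
        }
    }
}

function Find-ScriptsUnderWindowsAppData {
    # The report places the fake update folder under the user's
    # AppData\Local\Microsoft\Windows. Sweeping every profile under C:\Users
    # (rather than only $env:LOCALAPPDATA) is my addition for host-wide triage.
    $roots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\Windows' }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.vbs,*.ps1,*.js,*.bat `
                      -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

Find-SuspiciousUpdateTasks      | Sort-Object LureName -Descending | Format-Table -AutoSize
Find-ScriptsUnderWindowsAppData | Format-Table -AutoSize
```

Hits where `LureName` is true and the command points at a `.vbs` under a profile directory are the closest match to the behaviour quoted above; any hit at all deserves a look at the task's `Author`, its registration time in the Task Scheduler operational log, and the file it launches, since legitimate Windows Update tasks live under `\Microsoft\Windows\WindowsUpdate\` and run signed binaries from `%SystemRoot%`, not scripts from AppData.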
