Reckless malware operators squandered an "undetectable" Windows backdoor


A “fully undetectable” backdoor has been brought to light thanks to the malware operators’ reckless behavior. 

Cybersecurity researchers from SafeBreach Labs say they have uncovered a previously unknown PowerShell backdoor which, once running, gives attackers remote access to compromised endpoints. From there, the attackers could deliver second-stage payloads of every kind, from infostealers to ransomware and everything in between.

According to the report, an unknown threat actor created a weaponized Word document called “ApplyForm[.]docm”. It carried a macro which, if the victim enabled it, kicked off a chain that ends in a previously unseen PowerShell script.

Dropping the ball with scripts

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows'," the researchers explained.

Updater.vbs would then run a PowerShell script that would give the attacker remote access. 

Before the scheduled task fires, the malware also writes out two PowerShell scripts, Script.ps1 and Temp.ps1. Their contents are not shipped as separate files: they are hidden in text boxes inside the Word document, and the macro extracts them and saves them into the fake update directory. Carrying the scripts inside the document rather than downloading them is what let the sample slip past antivirus engines at the time.
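For defenders, the persistence step is the most visible part of this chain: a scheduled task that calls itself an update but runs a script from a folder any user can write to. The following Python script is an added example, not part of the original article or of SafeBreach's research. It parses scheduled-task XML in the layout Windows keeps under C:\Windows\System32\Tasks and flags the pattern described above; the two embedded task definitions are constructed samples, and the exact folder layout beneath updater.vbs is an assumption.

```python
"""Audit Windows scheduled-task definitions for the persistence pattern above:
a task that poses as a Windows update but launches a script (updater.vbs)
from a user-writable folder under AppData.  Added example, not SafeBreach code."""
import ntpath
import os
import re
import xml.etree.ElementTree as ET

# Namespace used by every task file under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta)\b", re.I)
# Folders a standard user can write to; genuine update tasks never run from here.
USER_WRITABLE = re.compile(r"%appdata%|%localappdata%|%temp%|\\appdata\\|\\temp\\", re.I)
WINDOWS_DIRS = ("c:\\windows\\", "%systemroot%", "%windir%")


def audit_task_xml(task_name: str, xml_data) -> list[str]:
    """Return findings for one task definition (str or bytes); [] means nothing suspicious."""
    root = ET.fromstring(xml_data)
    description = " ".join(e.text or "" for e in root.iter(f"{{{NS['t']}}}Description"))
    claims_update = "update" in f"{task_name} {description}".lower()
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS) or ""
        command_line = f"{command} {arguments}"
        exe = ntpath.basename(command).lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"task action is a script host: {exe}")
        if SCRIPT_FILE.search(command_line):
            findings.append("task action runs a script file")
        if USER_WRITABLE.search(command_line):
            findings.append("task action runs from a user-writable directory")
        # The masquerade from the article: named like an update, but not launched from the Windows directory.
        if claims_update and not command.lower().startswith(WINDOWS_DIRS):
            findings.append("poses as a Windows update but does not run from the Windows directory")
    return findings


def audit_task_store(tasks_root: str = r"C:\Windows\System32\Tasks") -> dict[str, list[str]]:
    """Walk the on-disk task store.  Files are UTF-16 XML with a BOM, so they are
    passed as bytes and expat picks the encoding up itself."""
    results = {}
    for dirpath, _, files in os.walk(tasks_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings = audit_task_xml(name, data)
            except ET.ParseError:
                continue
            if findings:
                results[path] = findings
    return results


# Constructed sample modelled on the chain in the article (the folder layout below
# updater.vbs is an assumption): a task named like an update that runs a VBS from AppData.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%APPDATA%\\local\\Microsoft\\Windows\\updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of a legitimate-looking update task: the binary lives in System32.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Starts the Windows Update service</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\system32\\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task_xml("Windows Update", SUSPICIOUS_TASK))
    print(audit_task_xml("Scheduled Start", BENIGN_TASK))
    if os.name == "nt":
        for path, findings in audit_task_store().items():
            print(path, findings)
```

Run on a Windows host, the script walks the real task store as an administrator; the path checks are deliberately coarse (any script host, any script extension, any AppData or Temp path) because a task that trips several of them at once is rare outside of exactly this kind of persistence.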

Script.ps1 contacts the command and control (C2) server, which assigns the infected machine a victim ID and hands back instructions. Script.ps1 then runs Temp.ps1, which executes those commands and stores the results.

The attackers' mistake was issuing victim IDs as a simple sequence, with nothing tying an ID to the machine it was assigned to. That allowed the researchers to walk through the ID range, present each ID to the C2 server as if they were that victim, and retrieve the commands the operators had issued to each compromised machine.
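To make the mistake concrete, here is an added Python model of the exchange, not SafeBreach's tooling and not the real C2 protocol, which the article does not describe. It assumes a minimal protocol with three calls (register, queue a command, fetch commands) and shows why a counter-based victim ID lets an outsider recover every victim's tasking while a random ID does not.

```python
"""Toy model of the operators' mistake above: victim IDs handed out in sequence
let anyone who knows the C2 walk the ID space and pull every victim's commands.
Added example with an assumed protocol; the article does not describe the real one."""
import secrets


class PredictableIdC2:
    """C2 that numbers victims with a counter and trusts any caller presenting an ID."""

    def __init__(self):
        self._counter = 0
        self._queues = {}  # victim id -> commands waiting for that implant

    def _new_id(self) -> str:
        self._counter += 1
        return str(self._counter)

    def register(self) -> str:
        """First check-in from a fresh implant: hand it the ID it will use from now on."""
        victim_id = self._new_id()
        self._queues[victim_id] = []
        return victim_id

    def queue_command(self, victim_id: str, command: str) -> None:
        """Operator side: leave a command for one victim."""
        self._queues[victim_id].append(command)

    def fetch_commands(self, victim_id: str):
        """Implant side: return the commands for this ID, or None if the ID is unknown.
        Nothing proves the caller is the implant that was assigned the ID."""
        if victim_id not in self._queues:
            return None
        return list(self._queues[victim_id])


class RandomIdC2(PredictableIdC2):
    """Same protocol, but IDs are 128-bit random values: the ID space can no longer be walked."""

    def _new_id(self) -> str:
        return secrets.token_hex(16)


def walk_victim_ids(c2: PredictableIdC2, max_id: int) -> dict:
    """Researcher side: try every small numeric ID and keep the ones the C2 recognises."""
    recovered = {}
    for n in range(1, max_id + 1):
        commands = c2.fetch_commands(str(n))
        if commands is not None:
            recovered[str(n)] = commands
    return recovered


def simulate(c2_class, victims: int = 5, probe_up_to: int = 1000) -> int:
    """Register some implants, queue one constructed command each, then count how
    many victims an outsider can recover by walking the ID space."""
    c2 = c2_class()
    for i in range(victims):
        victim_id = c2.register()
        c2.queue_command(victim_id, f"whoami  # constructed command for victim {i + 1}")
    return len(walk_victim_ids(c2, probe_up_to))


if __name__ == "__main__":
    print("sequential IDs, victims exposed:", simulate(PredictableIdC2))
    print("random IDs, victims exposed:", simulate(RandomIdC2))
```

Unpredictable IDs only close the enumeration path. Because the server still treats possession of an ID as proof of identity, any single ID that leaks (from a captured sample, for instance) would still let a third party impersonate that one victim; the structural fix is a per-implant secret established at registration and checked on every fetch.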

While the attacker remains unidentified, the malicious Word document was uploaded from Jordan in late August 2022, and the backdoor had compromised roughly one hundred devices by the time of the report, mostly belonging to job seekers, which fits the application-form lure.

One reader of The Register described their experience with the backdoor, offering advice to enterprises looking to mitigate the damage that unknown backdoors can cause. 

“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."

"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."

Via: The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
