Due to the malware operators' careless behaviour, a "completely undetectable" backdoor has been discovered.
SafeBreach Labs claims to have discovered a brand new PowerShell backdoor that, when properly executed, grants attackers remote access to compromised endpoints. From there, the attackers could launch a variety of stage-two attacks, ranging from data stealers to ransomware (opens in new tab) and everything in between.
Based on the report, an unknown threat actor created "ApplyForm[.]docm," a weaponized Word document. It contained a macro that, when activated, ran an unknown PowerShell script.
"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows," the researchers explained
Updater.vbs would then execute a PowerShell script, granting the attacker remote access. The malware creates two PowerShell scripts, Script.ps1 and Temp.ps1, before running the scheduled task. The contents are concealed and placed in text boxes within the Word document, which is then saved in the fictitious update directory. As a result, antivirus software fails to identify the file as malicious.
Script.ps1 connects to the command and control server to assign a victim ID and receive additional instructions. Then it executes the Temp.ps1 script, which stores data and executes commands. The attackers made the mistake of issuing victim IDs in a predictable sequence, which allowed researchers to listen in on conversations with the C2 server.
While it is unknown who is behind the attack, the malicious Word document was uploaded from Jordan in late August of this year and has so far compromised approximately one hundred devices, most of which belong to people looking for new jobs. The Register reader described their encounter with the backdoor, offering advice to businesses looking to mitigate the damage that unknown backdoors can cause.
“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."
"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."
![](https://pinterest.com/pin/create/bookmarklet/?media=https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNa4r74uzosqolnHS5MnDyUvt9nXWPdg3wL97gLftuvlG9FY2gBYpaZvGajdteprkuTbPJSh4m7KQSeeiC15XtIJ5BjntOtXdhtKfdnc0Z3Dq9RMYAqLC-CQshzPCdgS1652VpCrKT0wjuVnqEjxGPJFo6HecK8gC4xSzwn76g7pwR-a01zhITmcTm/s600/pexels-miguel-%C3%A1-padri%C3%B1%C3%A1n-343457%20%282%29.jpg&url=https://www.cysecurity.news/2022/10/irresponsibile-malware-operators.html&description=Irresponsibile Malware Operators Squandered an "Undetectable" Windows Backdoor){kind=link}