Undetectable Backdoor Disguises as Windows UpdateCampaign Related to LinkedIn Job Application Spear-Phishing Lure
A previously unknown PowerShell backdoor disguises itself as part of the Windows update process. The backdoor scripts eluded detection by security vendors' scanners tested by VirusTotal and appear to have infected at least 69 victims, researchers say.
The malware appears designed mainly for data exfiltration, say researchers from SafeBreach Labs, which spotted the backdoor.
Another researcher in August apparently also spotted it, tweeting screenshots of its activities.
"We strongly recommend that all security teams use the indicators of compromise we identified," Tomer Bar, director of security research at SafeBreach, told Information Security Media Group.
The firm's write-up shows the unique attack starting with a malicious Word document containing a macro code. The file metadata shows the document was related to a LinkedIn-based spear-phishing campaign purporting to send victims a job application.
In the next stage, the macro drops a VBScript that creates a scheduled task pretending to be part of a Windows update. A file named
updater.vbs executes two PowerShell scripts - one for connecting with the command-and-control servers and another for executing the commands and uploading stolen data.
Both of scripts are obfuscated and, when SafeBreach ran them through VirusTotal, were not flagged as malicious.
The sophisticated coders behind the backdoor did make a mistake, SafeBreach says: They used predictable victim IDs. "When we first tested it, we got ID number 70, which means there were probably 69 victims prior to our test." That predictability allowed researchers to develop a script pretending to be each victim and see the results.
The commands downloaded and executed by the scripts included uploading to the attacker's server a list of active processes, enumerating local users, listing files, and even deleting them.