Endpoint Security , Fraud Management & Cybercrime , Social Engineering

Undetectable Backdoor Disguises as Windows Update

Campaign Related to LinkedIn Job Application Spear-Phishing Lure
Undetectable Backdoor Disguises as Windows Update
A spear-phishing lure used to infect computers with a previously undetectable PowerShell backdoor (Image: SafeBreach)

A previously unknown PowerShell backdoor disguises itself as part of the Windows update process. The backdoor scripts eluded detection by security vendors' scanners tested by VirusTotal and appear to have infected at least 69 victims, researchers say.

See Also: Live Webinar | Navigating the Difficulties of Patching OT

The malware appears designed mainly for data exfiltration, say researchers from SafeBreach Labs, which spotted the backdoor.

Another researcher in August apparently also spotted it, tweeting screenshots of its activities.

"We strongly recommend that all security teams use the indicators of compromise we identified," Tomer Bar, director of security research at SafeBreach, told Information Security Media Group.

The firm's write-up shows the unique attack starting with a malicious Word document containing a macro code. The file metadata shows the document was related to a LinkedIn-based spear-phishing campaign purporting to send victims a job application.

In the next stage, the macro drops a VBScript that creates a scheduled task pretending to be part of a Windows update. A file named updater.vbs executes two PowerShell scripts - one for connecting with the command-and-control servers and another for executing the commands and uploading stolen data.

Both of scripts are obfuscated and, when SafeBreach ran them through VirusTotal, were not flagged as malicious.

The sophisticated coders behind the backdoor did make a mistake, SafeBreach says: They used predictable victim IDs. "When we first tested it, we got ID number 70, which means there were probably 69 victims prior to our test." That predictability allowed researchers to develop a script pretending to be each victim and see the results.

The commands downloaded and executed by the scripts included uploading to the attacker's server a list of active processes, enumerating local users, listing files, and even deleting them.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair is assistant editor for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.