More Than 60 Victims Hit by Stealthy New PowerShell Backdoor

Vlad CONSTANTINESCU

October 20, 2022

Cybercriminals are using a novel, fully undetectable PowerShell backdoor in a recent series of attacks, seemingly focusing on exfiltrating data from compromised systems.

The perpetrators have targeted at least 60 victims so far and would have continued their spree undetected if not for an operational security mistake that gave their malicious operation away.

The initial phase of the attack consists of a phishing email hosting a malicious Word document attachment. Based on the file’s metadata, security experts believe that the campaign is likely tied to a LinkedIn job application spear phishing lure.

Upon further analysis, researchers discovered that the document hosts malicious macros that deploy and execute an “updater.vbs” script. The script creates a scheduled task purporting to be a legitimate Windows update.

Before running the scheduled task, the script generates two PowerShell scripts, “Script.ps1” and “Temp.ps1,” from content embedded in obfuscated form in the malicious document.

“Script.ps1” establishes a connection to the threat actor’s command and control (C2, C&C) server, sends a target ID, and waits for further commands, which are transmitted encrypted with AES-256 in CBC mode.

The second script, “Temp.ps1,” decrypts the received commands, executes them, then encrypts and sends their results to the C2 through POST requests.
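As an added illustration (not code from the article or from the researchers' report), the Python sketch below flags the process chain described above in constructed process-creation events; the task name, file paths and event fields are assumptions, and PowerShell started by Task Scheduler is matched by its svchost.exe parent (the Schedule service host).

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # its command line

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def exe(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()   # basename, lower-cased for comparison

def suspicious_chain(events):
    """Return (rule, pid) findings for the Word -> VBS -> task -> PowerShell chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = exe(parent.image) if parent else ""
        name, cmd = exe(e.image), e.cmdline.lower()
        # Stage 1: an Office process starts a script host on a .vbs file (macro dropping updater.vbs)
        if pname in OFFICE and name in SCRIPT_HOSTS and ".vbs" in cmd:
            findings.append(("office_spawns_vbs", e.pid))
        # Stage 2: that script host registers a scheduled task whose name poses as a Windows update
        if pname in SCRIPT_HOSTS and name == "schtasks.exe" and "/create" in cmd and "update" in cmd:
            findings.append(("vbs_creates_update_task", e.pid))
        # Stage 3: PowerShell running the dropped scripts, launched by Task Scheduler (child of svchost.exe)
        if pname == "svchost.exe" and name == "powershell.exe" and re.search(r"(script|temp)\.ps1", cmd):
            findings.append(("task_runs_dropped_ps1", e.pid))
    return findings

# Constructed sample events mirroring the article's chain; task name and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\job_application.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Roaming\updater.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /sc minute /mo 5 /tn "WindowsUpdate" '
              '/tr "powershell -w hidden -f C:\\Users\\u\\AppData\\Roaming\\Script.ps1"'),
    ProcEvent(500, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -f C:\Users\u\AppData\Roaming\Script.ps1"),
    ProcEvent(700, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign noise
]
```

Running `suspicious_chain(SAMPLE_EVENTS)` yields one finding per stage (pids 300, 400 and 600); the benign notepad event produces none.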

The crooks used a predictable ID scheme, which led researchers to conclude that the C&C had previously received 69 other target IDs and allowed them to develop a script to decrypt the commands sent to each victim.

During the investigation, security experts discovered that most commands were used to exfiltrate data to the C2. The remainder helped the perpetrators enumerate files, users, and RDP clients, and remove files and accounts from compromised systems.


Specialized security software such as Bitdefender Ultimate Security can steer you clear of backdoors and similar e-threats, thanks to an extensive library of features, including:

  • Complete 24/7 data protection against viruses, Trojans, worms, ransomware, zero-day exploits, spyware, rootkits, and other types of cyberthreats
  • Network threat prevention module that monitors, identifies, and blocks suspicious network-level activities
  • Behavioral detection technology that closely monitors active apps and takes instant action to prevent infections
  • Anti-phishing module that detects and blocks potentially harmful websites that mimic legitimate ones to steal your data
