
More Than 60 Victims Hit by Stealthy New PowerShell Backdoor


October 20, 2022


Cybercriminals are using a novel, fully undetectable PowerShell backdoor in a recent series of attacks, seemingly focusing on exfiltrating data from compromised systems.

The perpetrators have targeted at least 60 victims so far and would have continued their spree undetected if not for an operations security mistake that gave their malicious operation away.

The initial phase of the attack consists of a phishing email carrying a malicious Word document attachment. Based on the file’s metadata, security experts believe that the campaign is likely tied to a LinkedIn job application spear phishing lure.

Upon further analysis, researchers discovered that the document contains malicious macros that drop and execute an “updater.vbs” script. The script creates a scheduled task purporting to be a legitimate Windows update.

Before the scheduled task runs, the script generates two further PowerShell scripts, “Script.ps1” and “Temp.ps1,” from obfuscated content embedded in the malicious document.

“Script.ps1” establishes a connection to the threat actor’s command and control (C2, C&C) server, sends a target ID, and stands by for further commands transmitted securely using AES-256 CBC encryption.

The second script, “Temp.ps1,” decrypts the received commands, executes them, then encrypts and sends their results to the C2 through POST requests.
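As an added detection-side example (not from the original article or the researchers' own tooling), the following Python parses the task XML that Windows Security event 4698 records when a scheduled task is created, and flags tasks that launch a script host from a user-writable path under an update-themed name, matching the chain described above. The task names, paths and XML below are constructed, and the usoclient.exe task is a hypothetical benign control.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: task definitions of the kind event 4698 embeds in its
# TaskContent field. These are not real telemetry from the campaign.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%systemroot%\\system32\\usoclient.exe</Command><Arguments>StartScan</Arguments></Exec></Actions>
</Task>""",
    r"\Windows Update Check": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>wscript.exe</Command><Arguments>C:\\Users\\victim\\AppData\\Local\\Temp\\updater.vbs</Arguments></Exec></Actions>
</Task>""",
}

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters an attacker would use to run a dropped .vbs/.ps1 via a task.
SCRIPT_HOSTS = re.compile(r"(?:^|\\)(wscript|cscript|powershell|pwsh|mshta)(?:\.exe)?$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|ps1|js|bat)\b", re.I)
UPDATE_WORDS = re.compile(r"update", re.I)
MS_TASK_PATH = re.compile(r"^\\Microsoft\\Windows\\", re.I)


def task_actions(task_xml):
    """Yield (command, arguments) for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        yield cmd, args


def suspicious_reasons(task_name, task_xml):
    """Return a list of human-readable reasons; empty means nothing flagged."""
    reasons = []
    for cmd, args in task_actions(task_xml):
        line = f"{cmd} {args}"
        if SCRIPT_HOSTS.search(cmd):
            reasons.append(f"script host as task action: {cmd}")
        if USER_WRITABLE.search(line) and SCRIPT_FILE.search(line):
            reasons.append(f"script launched from user-writable path: {args}")
    # An update-themed name is only interesting when it is not a genuine
    # Microsoft task path and the action itself already looks odd.
    if reasons and UPDATE_WORDS.search(task_name) and not MS_TASK_PATH.match(task_name):
        reasons.append(f"update-themed name outside \\Microsoft\\Windows\\: {task_name}")
    return reasons


def triage(tasks):
    """Map task name -> reasons for every task that raised at least one flag."""
    findings = {}
    for name, xml in tasks.items():
        reasons = suspicious_reasons(name, xml)
        if reasons:
            findings[name] = reasons
    return findings
```

Feeding real 4698 events into `triage` requires extracting the TaskName and TaskContent fields from the event XML first; the benign control shows why the name check alone is not enough.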

The crooks used a predictable ID count; from it, researchers concluded that the C&C had previously received 69 more target IDs, and it helped them develop a script to decrypt the commands sent to each victim.

During the investigation, security experts discovered that most commands were used to exfiltrate data to the C2. The remainder helped the perps to enumerate files, users, and RDP clients and remove files and accounts from compromised systems.

Specialized security software such as Bitdefender Ultimate Security can steer you clear of backdoors and similar e-threats, thanks to an extensive library of features, including:

  • Complete 24/7 data protection against viruses, Trojans, worms, ransomware, zero-day exploits, spyware, rootkits, and other types of cyberthreats
  • Network threat prevention module that monitors, identifies, and blocks suspicious network-level activities
  • Behavioral detection technology that closely monitors active apps and takes instant action to prevent infections
  • Anti-phishing module that detects and blocks potentially harmful websites that mimic legitimate ones to steal your data

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
