
Windows FUD PS PowerShell Backdoor

Updated on 2022-10-19: Windows PowerShell Backdoor

Researchers from SafeBreach Labs have found a PowerShell backdoor that masquerades as part of the Windows Update process. The backdoor is being actively used to exfiltrate data from its victims. SafeBreach’s advisory includes a list of indicators of compromise.

Note

  • An interesting find, and certainly new and different, which makes it difficult to detect using legacy approaches. More modern approaches that look for unusual behaviors, such as connections to IPs without prior DNS activity (and connections to port 80 that send more data than they receive), should be able to spot this type of backdoor.
  • Beware of Word documents bearing gifts. In this case a Word document (Apply Form<dot>docm) contains a macro which launches a PowerShell script. The document properties include information intended to make users believe it’s from a legitimate LinkedIn job application. Make sure that macros, if they are enabled at all, are enabled only for trusted sources. The SafeBreach report includes not only IOCs but also the content of the PowerShell scripts. Take note when reading the SafeBreach report that the acronym FUD means fully undetectable, which is why you want the IOCs added to your defenses.

Read more in

Overview: FUD PS backdoor

SafeBreach researchers published a report on a new undetected PowerShell backdoor. Read more: SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor

“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims.”
