Updated on 2022-10-19: Windows PowerShell Backdoor
Researchers from SafeBreach Labs have found a PowerShell backdoor that masquerades as part of the Windows Update process. The backdoor is in active use and is being used to exfiltrate data from compromised hosts. SafeBreach’s advisory includes a list of indicators of compromise.
Note
- An interesting find, and certainly new and different, which makes it difficult to detect using legacy approaches. More modern approaches that look for unusual behaviors, such as connections to IP addresses with no prior DNS activity, or connections on port 80 that send more data than they receive, should be able to spot this type of backdoor.
- Beware of Word documents bearing gifts. In this case the lure is a Word document (Apply Form<dot>docm) with a macro that launches a PowerShell script. The document properties include information intended to make users believe it is a legitimate LinkedIn job application. Make sure that macros can be enabled only from trusted sources, if they are enabled at all. The SafeBreach report includes not only IOCs but also the content of the PowerShell scripts. When reading the SafeBreach report, note that the acronym FUD means “fully undetectable”, which is exactly why you want the IOCs added to your defenses.
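The two behavioural tells from the first note above (a connection to an IP that was never returned by a DNS answer, and an upload-heavy port-80 connection) are easy to turn into a hunting rule over network logs. The script below is an added example, not code from SafeBreach or from the page; the log layout is a constructed, Zeek-like tab-separated format, the field names are assumptions, and the sample records are made up for the demonstration.

```python
"""Added example (not SafeBreach's code): flag outbound connections that match the
two behavioural tells in the note above:
  1. a connection to a destination IP that no earlier DNS answer resolved to, and
  2. a port-80 connection where the client sent more bytes than it received.
Log layout is a constructed, Zeek-like tab-separated format; the field names
(ts, src, dst, dport, orig_bytes, resp_bytes) are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample DNS answers: ts, client, query, answer IP
DNS_LOG = """\
1666000000.1\t10.0.0.5\tupdate.example-cdn.test\t93.184.216.34
1666000005.2\t10.0.0.5\tmail.example.test\t198.51.100.7
"""

# Constructed sample connections: ts, src, dst, dport, orig_bytes, resp_bytes
CONN_LOG = """\
1666000001.0\t10.0.0.5\t93.184.216.34\t443\t1200\t48000
1666000010.0\t10.0.0.5\t198.51.100.7\t993\t800\t5200
1666000020.0\t10.0.0.5\t203.0.113.77\t80\t51200\t340
1666000025.0\t10.0.0.5\t198.51.100.7\t80\t300\t9000
"""


@dataclass
class Finding:
    ts: float
    src: str
    dst: str
    dport: int
    reasons: tuple


def parse_dns(text):
    """Return {client: {answer_ip: earliest_answer_ts}} from the DNS log."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _query, answer = line.split("\t")
        # setdefault keeps the first time this client saw the answer
        seen[client].setdefault(answer, float(ts))
    return seen


def analyse(dns_text, conn_text):
    """Return a Finding for every connection that trips at least one tell."""
    dns = parse_dns(dns_text)
    findings = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, ob, rb = line.split("\t")
        ts, dport, ob, rb = float(ts), int(dport), int(ob), int(rb)
        reasons = []
        # Tell 1: the client never resolved this IP before the connection started
        first_dns = dns.get(src, {}).get(dst)
        if first_dns is None or first_dns > ts:
            reasons.append("no prior DNS answer for destination")
        # Tell 2: plain-HTTP connection that uploads more than it downloads
        if dport == 80 and ob > rb:
            reasons.append("port 80 upload-heavy (orig_bytes > resp_bytes)")
        if reasons:
            findings.append(Finding(ts, src, dst, dport, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(DNS_LOG, CONN_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport} at {f.ts}: {'; '.join(f.reasons)}")
```

On the sample data only the connection to 203.0.113.77 is reported, and it trips both tells. In production, expect benign hits from hosts that are legitimately contacted by IP (NTP, some CDNs, cloud metadata endpoints) and from clients that resolve names over DNS-over-HTTPS, which never appears in a passive DNS log; maintain an allow-list for those, and treat a connection that trips both tells at once as a much stronger signal than either alone.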
Read more in
- SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor
- ‘Fully undetectable’ Windows backdoor gets detected
- Hackers use new stealthy PowerShell backdoor to target 60+ victims
- Undetectable Backdoor Disguises as Windows Update
Overview: FUD PS backdoor
SafeBreach researchers published a report on a new, previously undetected PowerShell backdoor. Read more: SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor
“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims.”