"Undetectable PowerShell Backdoor Discovered Hiding as Windows Update"

SafeBreach, a cybersecurity firm, has warned of a fully undetectable PowerShell backdoor that uses a novel attack methodology. The malware, discovered in the wild, uses a PowerShell script to create a scheduled task on the victim's system disguised as a Windows update. The task runs a script called 'updater.vbs' from a fake update folder in the victim's AppData folder, adding to the deception. According to SafeBreach, this novel attack vector is what makes the backdoor dangerous: when checked against the antivirus aggregator VirusTotal, it bypassed every security product tested. As a result, SafeBreach labeled the backdoor fully undetectable. The attack begins with a Word document named 'Apply Form.docm' containing macro code that launches a malicious PowerShell script. The document was created in Jordan in August 2022, according to researchers. The file's metadata, which contains the term 'Linkedin based job application,' suggests a link to the phishing campaigns that increased on LinkedIn in 2022. Before the updater script runs, two separate PowerShell scripts, 'Script.ps1' and 'Temp.ps1,' are created; their contents are stored in obfuscated form within text boxes in the Word document. Script1.ps1 is used to connect to the malicious operator's command-and-control (C2) server in order to execute commands. Commands are sent as Advanced Encryption Standard (AES) 256-CBC encrypted strings, which are decrypted using the GCHQ-developed web app CyberChef. This article continues to discuss findings regarding the undetectable PowerShell backdoor.
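The persistence pattern described above (a scheduled task posing as an update that runs a script out of a user's AppData folder) is easy to hunt for locally. The following is an added example written for this summary, not code from the article or from SafeBreach; it assumes Windows 8 / Server 2012 or later with the ScheduledTasks module, and an elevated prompt so that other users' tasks are visible. The interpreter list, extension list and path pattern are assumptions chosen to cover the case in the text plus its close variants.

```powershell
# Added example (not from the article or SafeBreach): flag scheduled tasks whose
# Exec action launches a script interpreter, or a script file, from a path under
# a user profile's AppData, then highlight those whose name claims to be an update.

$interpreters = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')
$scriptExt    = '\.(vbs|vbe|ps1|js|jse|wsf|hta)\b'
$appDataRe    = '(?i)\\Users\\[^\\]+\\AppData\\|%APPDATA%|%LOCALAPPDATA%'

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a program to run; ComHandler/Email actions do not.
        if (-not $action.Execute) { continue }
        $exe  = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
        $line = "$($action.Execute) $($action.Arguments)"

        $usesInterpreter = $interpreters -contains $exe.ToLower()
        $runsScript      = $line -match $scriptExt
        $fromAppData     = $line -match $appDataRe

        if (($usesInterpreter -or $runsScript) -and $fromAppData) {
            [pscustomobject]@{
                TaskPath        = $task.TaskPath
                TaskName        = $task.TaskName
                Author          = $task.Author
                State           = $task.State
                CommandLine     = $line.Trim()
                # A task that calls itself an update yet runs from AppData is the case in the article.
                UpdateLookalike = ($task.TaskName -match '(?i)update')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object UpdateLookalike -Descending | Format-Table -AutoSize -Wrap
} else {
    'No scheduled tasks run scripts out of a user AppData folder.'
}
```

Any hit deserves a look at the referenced script file and the task's creation time before it is removed, since some legitimate per-user installers also register tasks under AppData.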

ITPro reports "Undetectable PowerShell Backdoor Discovered Hiding as Windows Update"
