Security News > 2022 > October > Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update
Details have emerged about a previously undocumented and fully undetectable PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.
"The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at SafeBreach, said in a new report.
Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code.
The PowerShell script is designed to connect to a remote command-and-control server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script.
An operational security error made by the actor by using a trivial incremental identifier to uniquely identify each victim allowed for reconstructing the commands issued by the C2 server.
As of writing, 32 security vendors and 18 anti-malware engines flag the decoy document and the PowerShell scripts as malicious, respectively.
News URL
https://thehackernews.com/2022/10/experts-warn-of-stealthy-powershell.html