Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update

2022-10-19 10:09

Details have emerged about a previously undocumented and fully undetectable PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.

"The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at SafeBreach, said in a new report.

Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code.

The PowerShell script is designed to connect to a remote command-and-control server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script.

An operational security error made by the actor by using a trivial incremental identifier to uniquely identify each victim allowed for reconstructing the commands issued by the C2 server.

As of writing, 32 security vendors and 18 anti-malware engines flag the decoy document and the PowerShell scripts as malicious, respectively.

News URL

https://thehackernews.com/2022/10/experts-warn-of-stealthy-powershell.html

#backdoor #powershell #windows