Undetected PowerShell Backdoor Disguised as a Profile File

A PowerShell-based backdoor masquerades as a profile file (Microsoft.PowerShell_profile.ps1) to gain persistence and stealthy execution, using heavy obfuscation and runspaces to fetch and run payloads from a remote C2 server. The operation demonstrates a multi-stage, encrypted delivery chain with JSON responses, campaign identifiers, and randomization to evade detection. #PowerShell #PowerShellProfile

Keypoints

  • The attacker uses the file name Microsoft.PowerShell_profile.ps1, a familiar PowerShell profile name, to enable persistence as profiles are executed on PowerShell startup.
  • The script is heavily obfuscated with string arrays split by random tokens and ends with an Invoke-Expression to execute deobfuscated code.
  • The payload creates a script-block and runs it in a dedicated PowerShell runspace, enabling stealthy, persistent execution.
  • The malware collects the system UUID via WMI, using (get-wmiobject Win32_ComputerSystemProduct).uuid, and contacts a C2 server to register the host.
  • The C2 address shown is http://190.14.37.245:8000, and the JSON response includes an encoded script and RSA-related data for the next stage.
  • The campaign uses a campaign_id (e.g., bpjyzskvedozncrw) and continues to poll for tasks, downloading and executing encoded scripts as instructed by the C2.
  • The researchers note the C2 (190.14.37.254) remained active while observing, and a honeypot was used to capture activity.
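Because the persistence here rests on nothing more than a script sitting at one of the four paths PowerShell loads at startup, a defender's first check is to enumerate exactly those paths and look at what is there. The following audit script is an added example and is not code from the ISC diary or from the backdoor itself. It assumes Windows PowerShell 5.1 or PowerShell 7 on the host being inspected; the SHA256 value is the one listed in the Indicators of Compromise section, and the regular expressions are heuristics derived from the behaviours the page describes (Invoke-Expression on a very long line, runspace creation, WMI UUID collection, a hard-coded HTTP C2 address).

```powershell
# Added example (not from the ISC diary): audit the standard PowerShell profile
# locations for unexpected or known-malicious profile scripts.
# Assumption: run on the host under review in Windows PowerShell 5.1 or PowerShell 7.

# SHA256 listed on the page for the malicious Microsoft.PowerShell_profile.ps1
$KnownBadSha256 = 'a3d265a0ab00466aab978d0ccf94bb48808861b528603bddead6649eea7c0d16'

# The four profile paths PowerShell evaluates at startup, in load order.
# Any file present here runs every time a matching host starts.
$ProfilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)

# Heuristic patterns drawn from the behaviours the diary describes.
$SuspiciousPatterns = @(
    'Invoke-Expression|\biex\b',              # final deobfuscated payload executed via IEX
    '\[runspacefactory\]|::CreateRunspace',   # payload run inside a dedicated runspace
    'Win32_ComputerSystemProduct',            # WMI query used to collect the system UUID
    'https?://\d{1,3}(\.\d{1,3}){3}'          # hard-coded IP-based C2 endpoint
)

function Test-ProfileScript {
    param([Parameter(Mandatory)][string]$Path)

    $result = [pscustomobject]@{
        Path        = $Path
        Exists      = Test-Path -LiteralPath $Path -PathType Leaf
        Sha256      = $null
        KnownBad    = $false
        LongestLine = 0
        Hits        = @()
    }
    if (-not $result.Exists) { return $result }

    # Hash first: the file hash is the most reliable indicator on the page.
    $result.Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $result.KnownBad = ($result.Sha256 -eq $KnownBadSha256)

    # A single extremely long line (the diary notes the last line is "very long")
    # is itself a signal for a packed or obfuscated payload.
    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines.Count -gt 0) {
        $result.LongestLine = ($lines | Measure-Object -Maximum -Property Length).Maximum
    }

    $content = $lines -join "`n"
    $result.Hits = @($SuspiciousPatterns | Where-Object { $content -match $_ })
    return $result
}

$findings = $ProfilePaths | ForEach-Object { Test-ProfileScript -Path $_ }
$findings | Format-Table Path, Exists, KnownBad, LongestLine,
    @{ Name = 'Hits'; Expression = { $_.Hits -join '; ' } } -AutoSize
```

Treat the regular-expression hits as a starting point rather than a verdict: the diary describes string arrays split by random tokens, so a well-obfuscated profile may only assemble "Invoke-Expression" at runtime and never contain it verbatim. The hash match and the presence of any profile file that nobody on the team remembers creating are the findings that matter; a long-line score above a few thousand characters is a strong prompt for manual review even when no pattern matches.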

MITRE Techniques

  • [T1546.013] PowerShell Profile – “The attacker nicely selected this name because this is a familiar name used by Microsoft to manage PowerShell profiles.” and “Every time you launch a PowerShell, it will look for several locations, and if a file is found, it will execute it. Note that it’s also an excellent way to implement persistence because the malicious code will be re-executed every time a new PowerShell is launched.”
  • [T1059.001] PowerShell – “The last line of the script is very long and passed to an Invoke-Expression.”
  • [T1027] Obfuscated/Compressed Files and Information – “The obfuscation technique is pretty good: Arrays of interesting strings are created but split using random strings.”
  • [T1059.001] PowerShell – “The script creates a script-block and executes a runspace.”
  • [T1071.001] Web Protocols – “The script will try to contact a C2 server and submit the system UUID, probably to create the ‘bot’ on the C2 side.”
  • [T1082] System Information Discovery – “UUID = (get-wmiobject Win32_ComputerSystemProduct).uuid;”

Indicators of Compromise

  • [FileName] – Microsoft.PowerShell_profile.ps1
  • [Hash] – a3d265a0ab00466aab978d0ccf94bb48808861b528603bddead6649eea7c0d16
  • [IP] – 190.14.37.245, 190.14.37.254
  • [URL] – http://190.14.37.245:8000

Read more: https://isc.sans.edu/diary/Undetected%20PowerShell%20Backdoor%20Disguised%20as%20a%20Profile%20File/29930