SafeBreach Uncovers Fully Undetectable PowerShell Backdoor | New Research

SafeBreach Labs uncovered a new fully undetectable PowerShell backdoor that disguises itself as part of the Windows update process and has targeted about 100 victims. The attack chain starts with a malicious Word document (Apply Form.docm) and culminates in C2-driven PowerShell scripts that perform AD and RDP discovery before exfiltrating data. #PowerShellBackdoor #LinkedInSpearphishing

Keypoints

  • The researchers discovered a fully undetectable (FUD) PowerShell backdoor that masquerades as a Windows update component and targeted roughly 100 victims.
  • Infection starts with a malicious Word document named “Apply Form.docm” containing a macro that launches a PowerShell script.
  • The macro drops updater.vbs, creates a scheduled task that poses as part of a Windows update, and runs the PowerShell scripts from a fake Windows Update folder under %appdata%\Local\Microsoft\Windows\Update. Because %appdata% already resolves to the Roaming profile, a “Local” subfolder there is a tell: Windows never creates one.
  • Two obfuscated PowerShell scripts (Script.ps1 and Temp.ps1) are created; their contents are stored in text boxes within the Word document and written to the fake update directory. Both had zero detections on VirusTotal at the time of the research.
  • Communications to the C2 occur via HTTP GET/POST to hxxp://45.89.125.189, with AES-256-CBC encrypted responses and a unique victim ID used to fetch commands.
  • The C2 delivers commands that include Active Directory and RDP enumeration, local user discovery, and various system discovery tasks; Temp.ps1 decodes each command and executes it in one of three execution modes (0, 1, 2).
  • Researchers exposed operational security mistakes by the actor (e.g., predictable victim IDs) and provided IOCs to aid detection and defense; SafeBreach added coverage to simulate this attack in their platform.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The attack starts with a malicious Word document whose macro launches a previously unknown PowerShell script. ‘The name of the Word document is “Apply Form.docm.”’
  • [T1059.001] PowerShell – The macro drops updater.vbs and ultimately triggers execution of PowerShell scripts saved in a fake update directory. ‘The Macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update…’
  • [T1053.005] Scheduled Task – The malware creates a scheduled task to execute updater.vbs from a fake update folder. ‘The malicious Word document… will execute the updater.vbs script from a fake update folder under “%appdata%\local\Microsoft\Windows.”’
  • [T1027] Obfuscated/Compressed Files and Information – The two PowerShell scripts are obfuscated and FUD with 0 detection. ‘Both scripts are obfuscated and FUD with 0 detection in VirusTotal.’
  • [T1071.001] Web Protocols – The C2 communications use HTTP GET/POST to fetch commands and exfiltrate data. ‘scripts connect to the C2 server… by sending an HTTP GET request’ and ‘HTTP POST request to the same URL…’
  • [T1012] Query Registry – The malware reads the user's RDP connection history from the registry; HKCU\Software\Microsoft\Terminal Server Client\Servers holds the hosts the user has connected to with the Remote Desktop client, which is how the actor finds further RDP targets. ‘Get-ChildItem “Registry::HKCU\Software\Microsoft\Terminal Server Client\Servers”’
  • [T1069.002] Permission Groups Discovery – Domain Groups – The PowerShell payload enumerates Active Directory users and administrators (the user enumeration also maps to T1087.002 Account Discovery – Domain Account). ‘execution of a full PowerShell code for Active Directory users enumeration and remote desktop enumeration.’
  • [T1033] System Owner/User Discovery – The malware queries domain users/admins and runs whoami-related commands. ‘The malicious script queries the domain controller for all users and for all administrators.’

Indicators of Compromise

  • [URL] C2 endpoints – hxxp://45.89.125.189/put, hxxp://45.89.125.189/get
  • [File] Apply Form.docm – 45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50
  • [File] Updater.vbs – 54ed729f7c495c7baa7c9e4e63f8cf496a8d8c89fc10da87f2b83d5151520514
  • [File] Script.ps1 – bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332
  • [File] Temp.ps1 – 16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55
  • [String] Decoded C2 command content (example, not a hash) – 0!@#EWQ639¦+.x7.function Convert-LDAPProperty { (Convert-LDAPProperty is a helper function from the PowerView toolkit)
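
The following PowerShell triage script is an added example, not code from the SafeBreach post or from the actor. It checks a single Windows host for the artifacts the key points and IOC list above describe: a scheduled task that launches updater.vbs or anything from the fake update folder, the fake folder itself in every user profile (with SHA-256 matching against the file IOCs), and live TCP connections to the C2 address. The folder path is the post's path with backslashes restored and %appdata% expanded to AppData\Roaming; the function names and the shape of the finding objects are my own.

```powershell
# Added hunting script (not SafeBreach's or the attacker's code). Checks a
# Windows host for the artifacts described in the write-up above.
# Run from an elevated PowerShell 5.1 or later session.

# SHA-256 IOCs from the list above, keyed by hash (lower-case).
$KnownHashes = @{
    '45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50' = 'Apply Form.docm'
    '54ed729f7c495c7baa7c9e4e63f8cf496a8d8c89fc10da87f2b83d5151520514' = 'updater.vbs'
    'bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332' = 'Script.ps1'
    '16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55' = 'Temp.ps1'
}
$C2Address = '45.89.125.189'

# %appdata% expands to <profile>\AppData\Roaming, so the folder the post names
# ("%appdata%\Local\Microsoft\Windows\Update") sits at this relative path.
# Windows never creates a "Local" directory under Roaming, so the folder's
# mere existence is suspicious regardless of what it contains.
$FakeUpdateRelPath = 'AppData\Roaming\Local\Microsoft\Windows\Update'

function New-Finding {
    # Uniform record for every hit; the field names are this example's choice.
    param([string]$Kind, [string]$Detail, [string]$Evidence)
    [pscustomobject]@{ Kind = $Kind; Detail = $Detail; Evidence = $Evidence }
}

function Find-FakeUpdateBackdoor {
    $findings = @()

    # 1. Scheduled tasks whose action runs updater.vbs or anything from the fake folder.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmdLine = "$($action.Execute) $($action.Arguments)"
            if ($cmdLine -match 'updater\.vbs' -or
                $cmdLine -match '\\Roaming\\Local\\Microsoft\\Windows\\Update') {
                $findings += New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmdLine
            }
        }
    }

    # 2. The fake update folder in every user profile, hashing whatever is inside.
    $userRoot = Join-Path $env:SystemDrive 'Users'
    foreach ($userProfile in (Get-ChildItem -LiteralPath $userRoot -Directory -ErrorAction SilentlyContinue)) {
        $fakeDir = Join-Path $userProfile.FullName $FakeUpdateRelPath
        if (-not (Test-Path -LiteralPath $fakeDir)) { continue }
        $findings += New-Finding 'FakeUpdateFolder' $fakeDir 'directory exists'
        foreach ($file in (Get-ChildItem -LiteralPath $fakeDir -File -Recurse -ErrorAction SilentlyContinue)) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()
            if ($KnownHashes.ContainsKey($hash)) {
                $findings += New-Finding 'KnownHash' $file.FullName "$hash ($($KnownHashes[$hash]))"
            } else {
                # An unknown file in a folder that should not exist still deserves a look
                # (the actor can recompile or re-obfuscate the scripts at will).
                $findings += New-Finding 'UnknownFileInFakeFolder' $file.FullName $hash
            }
        }
    }

    # 3. Live TCP connections to the C2 address (the post reports plain HTTP).
    foreach ($conn in (Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += New-Finding 'C2Connection' "$($C2Address):$($conn.RemotePort)" "PID $($conn.OwningProcess) $($proc.ProcessName)"
    }

    return $findings
}

$results = @(Find-FakeUpdateBackdoor)
if ($results.Count -eq 0) {
    Write-Output 'No artifacts of the fake Windows Update backdoor found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

The hash match is the weakest of the three checks: it only catches the exact samples SafeBreach published, whereas the scheduled-task and folder checks key on the persistence mechanism and the bogus Roaming\Local path, which survive re-obfuscation of the scripts. For fleet-wide hunting, feed the same three conditions into your EDR or Sysmon queries rather than running this per host.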

Read more: https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/