WorkersDevBackdoor Delivered via Malvertising

eSentire’s Threat Response Unit (TRU) detected a .NET backdoor named WorkersDevBackdoor delivered via malvertising, employing an NSIS installer and PowerShell to achieve persistence and data exfiltration. The campaign uses a drive-by download, RC4 encryption, and HTTP-based C2 communications to enable lateral movement and keystroke logging. #WorkersDevBackdoor #ThunderShell #ParcelRAT #SMOKEDHAM #Advanced_IP_Scanner #PowerShell #WMIC #Malvertising

Keypoints

  • The backdoor identified is named WorkersDevBackdoor and was detected in November 2023 affecting a business services customer.
  • Infection occurs via a drive-by download from a fraudulent online ad, with a malicious NSIS installer unpacked from WindowsDev.7z.
  • The NSIS.ini script implements checks and creates persistence using Registry Run Keys to launch a shortcut that starts the backdoor.
  • The payload is a .NET backdoor loaded in memory, with a PowerShell-based chain and RC4/base64 encryption coordinating with a C2 over HTTP(S).
  • Lateral movement and data collection are performed using commands like WMIC and xcopy, and keystroke logging is implemented to exfiltrate user input.
  • Defensive lessons emphasize multiple layers of defense, caution with software downloads, LOLBin usage, and the need for proactive threat hunting.
  • TRU notes that similar infection chains have been described publicly, underscoring the evolving tactics visible in this campaign.

MITRE Techniques

  • [T1189] Drive-by Compromise – “The initial infection vector was a drive-by download via a Google Search advertisement.”
  • [T1547.001] Registry Run Keys / Startup Folder – “The script creates the persistence via Registry Run Keys with the value “PressAnyKey” to run the shortcut file at C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk.”
  • [T1059.001] PowerShell – “The batch file NodejsToolsVsix.bat contains the code to set the PowerShell Path… then it executes the batch script via InvokeScript.”
  • [T1027] Obfuscated/Encrypted Files or Information – “The formatted string is then encrypted with RC4 with the hardcoded key in the PowerShell script, gets base64-encoded.”
  • [T1047] Windows Management Instrumentation – “"C:\Windows\System32\Wbem\WMIC.exe" /node: process call create "cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"” (the threat actor attempted to move laterally to another host via WMIC)
  • [T1071.001] Web Protocols – “The POST request … to C2 in the following JSON format: {"UUID":,"ID":"…","Data":}”
  • [T1056.001] Input Capture – “The backdoor also has keylogger functionality and retrieves the title of the currently active window.”
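The persistence and lateral-movement behaviours quoted above (a Run-key value launching a .lnk out of ProgramData, and WMIC /node: … process call create starting that .lnk on another host) can be turned into simple detection logic. The following is an added example, not eSentire's code; the Sysmon-style records, host names and rule names are constructed for illustration.

```python
"""Added detection example: flag a Run key pointing at a .lnk under ProgramData
(Sysmon Event ID 13) and WMIC remote process creation (Sysmon Event ID 1).
All records below are constructed samples, not real telemetry."""
import re

# Constructed sample events; paths follow the summary, hosts are made up.
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "WS01",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PressAnyKey",
     "details": r"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"},
    {"event_id": 13, "host": "WS01",  # benign Run key, must not match
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "command_line": r'"C:\Windows\System32\Wbem\WMIC.exe" /node:WS02 process call create '
                     r'"cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"'},
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "command_line": "wmic os get caption"},  # local, benign WMIC use
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
LNK_IN_PROGRAMDATA = re.compile(r"^[a-z]:\\programdata\\.*\.lnk\b", re.IGNORECASE)
WMIC_REMOTE_CREATE = re.compile(r"/node:\S*.*process\s+call\s+create", re.IGNORECASE)


def find_suspicious(events):
    """Return (host, rule, evidence) tuples for records matching either rule."""
    hits = []
    for ev in events:
        if ev["event_id"] == 13 and RUN_KEY.search(ev["target"]) \
                and LNK_IN_PROGRAMDATA.search(ev["details"].strip('"')):
            hits.append((ev["host"], "run_key_to_programdata_lnk", ev["details"]))
        elif ev["event_id"] == 1 and ev["image"].lower().endswith("\\wmic.exe") \
                and WMIC_REMOTE_CREATE.search(ev["command_line"]):
            # Escalate when the remote command itself launches a .lnk, as in this campaign.
            rule = "wmic_remote_process_create"
            if re.search(r"\.lnk\b", ev["command_line"], re.IGNORECASE):
                rule += "_lnk"
            hits.append((ev["host"], rule, ev["command_line"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```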

Indicators of Compromise

  • [File] Malicious artifacts – Advanced_IP_Scanner_2.5.4594.1, LogConverter, and 6 more hashes
  • [File] Executables – Microsoft.NodejsTools.PressAnyKey.exe, Microsoft.NodejsTools.PressAnyKey.lnk, and 2 more items
  • [Hash] 521210e39b5b8364d34e62cb3cb9e9cd, a607e92aa155168de57e39d3b0d1b7e0
  • [Domain] C2 domains – cdn-us-tech.wtf-system-4759011.workers[.]dev, cdn-us-tech.wtf-system-4758995[.]workers.dev
  • [File] WorkersDevBackdoor – d606255c411445b210ecd437faa6b43e

Read more: https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising