Researchers have discovered a new, undetected PowerShell backdoor that is actively being used by threat actors in the wild. Based on the features found within the backdoor, it appears that its primary purpose is to exfiltrate data from the compromised system.
The infection vector for this backdoor is a phishing email carrying a malicious attachment named “Apply Form.docm.” The lure is styled as a LinkedIn job application, with the attachment masquerading as an application form. The document contains macros that, when executed, write a VBS script, which in turn creates a scheduled task designed to look like a Windows update. That task then creates and executes two PowerShell scripts that make up the main backdoor payload. The first script connects to the attacker’s C2 server, sends a sequentially generated victim ID, and waits for further commands. When a command arrives from the C2 server, the second script decodes and decrypts it, executes it, and then encrypts and uploads the results back to the C2 server. At the time of analysis, both PowerShell scripts were completely undetected on VirusTotal, making it unlikely that any security product would detect them.
Based on analysis of the commands sent to the backdoor, the vast majority were related to data exfiltration, with the remainder used for user enumeration, file listings, removal of files and accounts, and enumeration of RDP servers. At the time of reporting, around 69 victims are believed to have been infected with this backdoor, based on the victim IDs observed by the researchers.
It is highly recommended to implement and maintain good email security products to help detect phishing emails and malicious attachments. It is also recommended to implement an attachment file-type block list, where possible, to prevent attachments with specific file extensions from being delivered to end users. In this scenario, the threat actors used “.docm” files to deliver their malicious payload, which most organizations would consider an abnormal or suspicious attachment type for incoming email. By maintaining a strong security posture at the email level, an organization can help prevent these malicious payloads from ever reaching the end user.

In cases where an email does get through and an end user opens the attachment, it is recommended to have good endpoint security controls, such as an EDR, on all devices in the environment. While this backdoor is currently undetected, security vendors will eventually create signatures for it, potentially allowing the endpoint control to prevent its execution. Where prevention does not occur, maintaining strong detections is highly recommended so that analysts are alerted to a potential infection. The infection payload and the backdoor itself exhibit abnormal behavior that makes for good detection opportunities on a system. Activity such as Word creating a VBS or PowerShell script, a VBS script creating a scheduled task meant to look like a Windows update, and PowerShell making outbound network connections that match C2 beaconing behavior would all be considered suspicious on an endpoint. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
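The three detection opportunities named above (an Office application writing a script file, a script host registering a scheduled task, and powershell.exe beaconing to one destination at regular intervals) can be expressed as simple rules over process, file and network telemetry. The following is an added example written for this page; it is not code from the original post or from Binary Defense. It assumes a simplified Sysmon-like event schema (event ids 1, 3 and 11 with `image`, `parent`, `target`, `dest` and `port` fields) and runs over a handful of constructed sample events; the host name, user name, timestamps and the 203.0.113.10 destination are all made up for the example.

```python
"""Behavioural detections for the infection chain described above, run over
constructed Sysmon-style events (sample data, not real telemetry)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".ps1", ".js", ".wsf")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed paths used by the sample events (assumed, illustrative only).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = [
    # Word writes a VBS into the user's profile: the macro-drops-VBS step.
    {"id": 11, "ts": "2022-10-01T09:00:01", "host": "WS01", "image": WORD,
     "target": r"C:\Users\alice\AppData\Roaming\update.vbs"},
    # Benign noise: Word saving an ordinary document.
    {"id": 11, "ts": "2022-10-01T09:00:02", "host": "WS01", "image": WORD,
     "target": r"C:\Users\alice\Documents\report.docx"},
    # wscript.exe (running the VBS) launches schtasks.exe to register a task.
    {"id": 1, "ts": "2022-10-01T09:00:05", "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # Benign noise: three irregular browser connections.
    {"id": 3, "ts": "2022-10-01T09:00:10", "host": "WS01", "image": CHROME,
     "dest": "198.51.100.7", "port": 443},
    {"id": 3, "ts": "2022-10-01T09:00:41", "host": "WS01", "image": CHROME,
     "dest": "198.51.100.7", "port": 443},
    {"id": 3, "ts": "2022-10-01T09:03:02", "host": "WS01", "image": CHROME,
     "dest": "198.51.100.7", "port": 443},
] + [
    # powershell.exe connecting to the same host every 60 seconds: beaconing.
    {"id": 3, "ts": f"2022-10-01T09:0{i}:00", "host": "WS01", "image": PS,
     "dest": "203.0.113.10", "port": 443}
    for i in range(1, 6)
]


def basename(path):
    """Lower-cased file name from a Windows path; works on any platform."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_script_drop(events):
    """FileCreate (id 11) where an Office application writes a script file."""
    return [e for e in events if e["id"] == 11
            and basename(e["image"]) in OFFICE_APPS
            and basename(e["target"]).endswith(SCRIPT_EXTS)]


def script_host_schtasks(events):
    """ProcessCreate (id 1) where a script host spawns schtasks.exe."""
    return [e for e in events if e["id"] == 1
            and basename(e.get("parent", "")) in SCRIPT_HOSTS
            and basename(e["image"]) == "schtasks.exe"]


def powershell_beacons(events, min_count=4, max_cv=0.2):
    """NetworkConnect (id 3) from powershell.exe to one destination at
    near-regular intervals. A group is flagged when it has at least
    min_count connections and the coefficient of variation (stdev / mean)
    of the gaps between them is at most max_cv."""
    groups = defaultdict(list)
    for e in events:
        if e["id"] == 3 and basename(e["image"]) == "powershell.exe":
            key = (e["host"], e["dest"], e["port"])
            groups[key].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, dest, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append({"host": host, "dest": dest, "port": port,
                           "connections": len(times), "mean_gap_s": avg})
    return alerts


def run_detections(events):
    """Run all three rules and return the hits per rule name."""
    return {
        "office_script_drop": office_script_drop(events),
        "script_host_schtasks": script_host_schtasks(events),
        "powershell_beacon": powershell_beacons(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

Each rule on its own is noisy in some environments (developers write .ps1 files from Excel, administrators script schtasks), so in practice the three hits are correlated by host and time window before paging an analyst; the beacon rule's `min_count` and `max_cv` thresholds are the knobs to tune against the jitter a given backdoor adds to its sleep interval.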