Researchers have discovered a new, undetected PowerShell backdoor that is actively being used by threat actors in the wild. Based on the features found within the backdoor, it appears that its primary purpose is to exfiltrate data from the compromised system.
The infection vector is a phishing email carrying a malicious Word attachment named “Apply Form.docm.” The lure is a LinkedIn-themed job application, with the attachment posing as the application form. When the document's macros run, they drop a VBS script that registers a scheduled task disguised as a Windows update. The VBS script then writes and launches two PowerShell scripts that make up the backdoor proper. The first contacts the attacker's C2 server, submits a sequentially assigned victim ID, and polls for commands. When a command arrives, the second script decodes and decrypts it, executes it, then encrypts the output and uploads it back to the C2 server. At the time of analysis neither PowerShell script was flagged by any engine on VirusTotal, so signature-based antivirus would not have caught them; detection has to rely on behaviour, such as the scheduled task and the periodic C2 polling, rather than on file signatures.
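As an added example (not code from the researchers or from this page), here is a Python triage script for the persistence stage described above: it parses exported Task Scheduler XML and flags tasks that borrow the Windows Update name while actually launching a script host such as wscript.exe or powershell.exe from a user-writable location. The page gives no task name, file path or script name, so the two task definitions embedded below are constructed, and the heuristics and their thresholds are my own assumptions.

```python
"""Triage Task Scheduler XML exports for tasks that pose as Windows Update
while really launching a script host from a user-writable path.

Added example, not the researchers' code. The task definitions at the bottom
are constructed; the page names no task, path or script. Input is the XML
that `schtasks /Query /TN <name> /XML` prints, or a file copied from
C:\\Windows\\System32\\Tasks (those files are UTF-16; decode before parsing).
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the real Task Scheduler schema; every lookup needs it.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|"
    r"%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PROGRAMDATA%", re.I)
PS_EVASION = re.compile(
    r"-(encodedcommand|enc|executionpolicy\s+bypass|ep\s+bypass|"
    r"windowstyle\s+hidden|w\s+hidden|noprofile|nop)\b", re.I)
MS_TASK_ROOT = "\\microsoft\\windows\\"   # where genuine Windows tasks live


def exe_name(command):
    """'%SystemRoot%\\System32\\wscript.exe' -> 'wscript.exe'."""
    return re.split(r"[\\/]", command.strip().strip('"'))[-1].lower()


def triage_task_xml(xml_text):
    """Score one task definition; returns uri, author, findings and verdict."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS).strip()
    findings = []

    # Update-themed name, but registered outside \Microsoft\Windows\ and not
    # authored by Microsoft: the task is borrowing Windows Update's name.
    if ("update" in (uri + " " + desc).lower()
            and not uri.lower().startswith(MS_TASK_ROOT)
            and not author.lower().startswith("microsoft")):
        findings.append("update-themed task registered outside \\Microsoft\\Windows\\")

    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        cwd = ex.findtext("t:WorkingDirectory", default="", namespaces=NS).strip()
        exe = exe_name(cmd)
        if exe in SCRIPT_HOSTS:
            findings.append(f"action runs script host {exe}")
        if USER_WRITABLE.search(" ".join((cmd, args, cwd))):
            findings.append("action references a user-writable path")
        if exe in ("powershell.exe", "pwsh.exe") and PS_EVASION.search(args):
            findings.append("PowerShell launched with hidden/bypass/encoded flags")

    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "benign"
    return {"uri": uri, "author": author, "findings": findings, "verdict": verdict}


# Constructed sample: persistence of the kind the lure chain registers.
LURE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-1A2B3C\\user</Author>
    <Description>Checks for Windows updates</Description>
    <URI>\\Windows Update Check</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\\System32\\wscript.exe</Command>
    <Arguments>//B //Nologo "%APPDATA%\\Microsoft\\WinUpdate\\update.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample shaped like a genuine Windows Update task.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author>
    <URI>\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start</URI></RegistrationInfo>
  <Actions Context="LocalSystem"><Exec>
    <Command>%SystemRoot%\\System32\\sc.exe</Command><Arguments>start wuauserv</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (LURE_TASK, BENIGN_TASK):
        result = triage_task_xml(sample)
        print(result["verdict"], result["uri"], result["findings"])
```

To use it on a host, export each task with `schtasks /Query /TN "<name>" /XML` (or collect the files under C:\Windows\System32\Tasks and decode them as UTF-16) and pass each document to triage_task_xml. The path check is a tripwire, not proof: nothing stops an attacker registering a task under \Microsoft\Windows\ as well, so a script host reading from AppData, Temp or ProgramData should be reviewed regardless of where the task lives.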
The commands the researchers observed were mostly for data exfiltration; the rest enumerated users, listed files, deleted files and accounts, and enumerated RDP servers. At the time of reporting the researchers put the victim count at around 69, inferred from the victim ID they received: because IDs are assigned sequentially, a newly issued ID roughly equals the number of victims registered so far.