This Windows backdoor seemed invisible, but it isn't

SafeBreach Labs has discovered a previously unseen PowerShell backdoor whose author apparently meant it to be FUD. FUD, or Fully Undetectable, is the label given to malware that is supposedly impossible for security tools to detect. As it turns out, this backdoor does not deserve the label.

The malware acts as a backdoor on Windows systems by disguising itself as part of the Windows Update process. The company has published a detailed write-up on its official website, authored by Tomer Bar, director of security research.

The malware and its C2 (command-and-control) backend show some competence on the part of its developers, but the preparation was not sufficient: a few mistakes allowed the researchers to detect the backdoor and analyse what it does.


As described by Bar, the attack starts with a malicious Word document, a vector you may be familiar with. The document contains a macro that launches a previously unknown PowerShell script. The file appears to have originated in Jordan, from where it was uploaded on 25 August 2022. The document was used in a phishing campaign and posed as a job offer in the style of those seen on LinkedIn. When the target downloads and opens the file, the macro starts the infection process.

At the moment there is no information about the victims of the attacks, but they almost certainly are people looking for work.

In detail, the macro drops a file named updater.vbs and creates a scheduled task disguised as a Windows update. The task runs the PowerShell script embedded in the VBS file from a folder named to look like a normal update location.
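To show what a defender can do with this part of the infection chain, here is an added example in Python; it is not code from the article or from SafeBreach's tooling. It parses Task Scheduler XML definitions (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags tasks whose name suggests Windows Update but whose action runs a script host such as wscript.exe or powershell.exe on a script stored outside the Windows or Program Files directories. The two task definitions, their names and the path under `C:\Users\alice` are constructed for the example; only the `updater.vbs` filename and the update disguise come from the article.

```python
"""Flag scheduled tasks that pose as Windows Update but launch scripts from user-writable paths.

Added example: inspects Task Scheduler XML definitions (the format produced by
`schtasks /query /xml` or `Export-ScheduledTask`) and reports update-themed tasks
whose action is a script host running a script outside trusted system directories.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Legitimate Windows script hosts; the signal is what they are told to run, not the host itself.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Where Windows' own update machinery lives; a script anywhere else is worth a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Absolute path to a script file inside the task's argument string (optionally quoted).
SCRIPT_PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:vbs|ps1|js|jse|bat|cmd|hta))"?', re.I)

# Constructed sample data (not captured from the real campaign): one genuine Windows Update
# task and one lookalike that runs a VBS dropper from a user profile folder.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"""<?xml version="1.0"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>C:\Windows\system32\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Windows Update Helper": r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Local\Microsoft\Windows\Update\updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def parse_actions(task_xml):
    """Return (command, arguments) pairs for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((command, args))
    return actions


def is_trusted_path(path):
    """True if the path sits under a directory normal users cannot write to."""
    norm = path.strip('"').replace("/", "\\").lower()
    return norm.startswith(TRUSTED_PREFIXES)


def basename(command):
    """Lower-case file name of the executable in a task's Command element."""
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_task(task_name, task_xml):
    """Return the reasons a task looks like an update-themed script launcher (empty if clean)."""
    reasons = []
    looks_like_update = re.search(r"update", task_name, re.I) is not None
    for command, args in parse_actions(task_xml):
        host = basename(command)
        if looks_like_update and host in SCRIPT_HOSTS:
            reasons.append(f"update-themed task runs script host {host}")
        for path in SCRIPT_PATH_RE.findall(args):
            if not is_trusted_path(path):
                reasons.append(f"script launched from untrusted location: {path}")
    return reasons


def find_suspicious(tasks):
    """Return {task name: reasons} for every task definition that raised at least one reason."""
    hits = {}
    for name, task_xml in tasks.items():
        reasons = assess_task(name, task_xml)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The name check alone is noisy, since Windows ships many tasks with "Update" in the name; the untrusted-path check is what carries the weight, and in practice you would correlate a hit with the task-creation event (Security log event ID 4698) to see which process and user created it.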


The developer's mistake, according to Bar, lies in the identifiers the malware assigns to infected victims: they are issued in a predictable sequence. Starting from this observation, the researchers wrote a script that presented the victim IDs to the backend and recorded the interactions with the C2 server via packet capture. With another tool, SafeBreach Labs extracted the encrypted commands from the captured packets and reconstructed how the malware works and what operations it performed.