IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Undetectable PowerShell backdoor discovered hiding as Windows update

SafeBreach researchers identified the backdoor, which they say went undetected on all major antivirus programs

Cyber security firm SafeBreach has warned of a fully undetectable (FUD) PowerShell backdoor using a novel attack methodology.

The vulnerability, which researchers discovered in the wild, uses a PowerShell script to create a scheduled task in the victim’s system, disguised as a Windows update. To enhance the deception, the task executes a script named ‘updater.vbs’ from a fake update folder located in the victim’s appdata folder.

Related Resource

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Whitepaper cover with title on grey rectangle with top header banner and ESG logoFree Download

SafeBreach noted that this novel vector of attack makes it particularly dangerous, as antivirus aggregator VirusTotal found the attack was able to bypass all security software tested. The backdoor has thus been marked as FUD in a blog post by SafeBreach.

Attacks originate with a Word document, named ‘Apply Form.docm’, containing a macro code that deploys a malicious PowerShell script. Researchers identified the document as having been created in August 2022 in Jordan. The file’s Metadata, containing the term ‘Linkedin based job application’, suggests a link to the phishing campaigns that have seen a surge on LinkedIn in 2022.

Prior to execution of the updater script, two separate PowerShell scripts titled ‘Script.ps1’ and ‘Temp.ps1’ are created, and their contents are stored in obfuscated form within text boxes in the Word document. Script1.ps1 is used to establish a connection with the malicious operator’s command and control (C2) server, seeking commands to be executed. Commands are sent in the form of Advanced Encryption Standard (AES) 256 CBC encrypted strings, which are then decrypted through the GCHQ-made web app CyberChef.

Commands begin with a value of 0,1 or 2, which each invoke different responses from the Temp.ps1 script. Those that begin with 0 will be executed, with the output then encrypted using the same key, and uploaded to a URL through the C2. Commands that begin with 1 are read from a path designated through the C2 and executed, while those that begin with 2 are written to a designated path and executed.

SafeBreach researchers identified the exact URL the script connects to, using an HTTP GET request. When contacted for the first time, this returns a unique victim ID. The first test run by the team returned the number 70, leading to the conclusion that approximately 69 victims have been affected by the backdoor so far. Through the coding flaw of these predictable IDs, researchers wrote a script acting like each prior victim, and recorded the C2 commands received.

Based on this information, SafeBreach has found that 66% of commands sent thus far have been data exfiltration requests, while a minority have sought to delete files from victims’ public folders, list files in their special folders, or return their IP address.

“Our research team believes this threat is significant because it is fully undetectable and was shown to bypass all the security vendors' scanners under,” Tomer Bar, director of security research at SafeBreach told IT Pro.

“We strongly recommend that all security teams use the indicators of compromise (IOCs) we identified to better detect and protect themselves against this threat. We also suggest that the security mistakes we discovered by this threat actor be used by blue teams in their future digital forensics and incident response (DFIR) investigations.”

SafeBreach has added coverage for this backdoor on its security platform, and has listed all of the IOCs and PowerShell scripts it discovered within its blog post declaring the risk.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download


'CryWiper' trojan disguises as ransomware, says Kaspersky

'CryWiper' trojan disguises as ransomware, says Kaspersky

2 Dec 2022
Hyundai vulnerability allowed remote hacking of locks, engine

Hyundai vulnerability allowed remote hacking of locks, engine

30 Nov 2022
Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022
Ransomware activity down 11% worldwide in Q3, but rise expected

Ransomware activity down 11% worldwide in Q3, but rise expected

20 Oct 2022

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Why Japan finds it so hard to digitally transform
digital transformation

Why Japan finds it so hard to digitally transform

1 Dec 2022