Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update

Products You May Like

Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process.

“The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims,” Tomer Bar, director of security research at SafeBreach, said in a new report.

Attributed to an unnamed threat actor, attack chains involving the malware commence with a weaponized Microsoft Word document that, per the company, was uploaded from Jordan on August 25, 2022.


Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code.

PowerShell Backdoor

The PowerShell script (Script1.ps1) is designed to connect to a remote command-and-control (C2) server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script (temp.ps1).

But an operational security error made by the actor by using a trivial incremental identifier to uniquely identify each victim (i.e., 0, 1, 2, etc.) allowed for reconstructing the commands issued by the C2 server.


Some of the notable commands issued consist of exfiltrating the list of running processes, enumerating files in specific folders, launching whoami, and deleting files under the public user folders.

As of writing, 32 security vendors and 18 anti-malware engines flag the decoy document and the PowerShell scripts as malicious, respectively.

The findings come as Microsoft has taken steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, prompting threat actors to pivot to alternative delivery methods.

Cyber Security

Products You May Like

Articles You May Like

Millions of Android Devices Still Don’t Have Patches for Mali GPU Flaws
PS5 DualSense Edge Controller Pre-Order Now Live in India, Priced at Rs. 18,990
Get ready for a prolonged downturn that’s worse than 2000 or 2008, billionaire VC Doug Leone says
New RansomExx Ransomware Variant Rewritten in the Rust Programming Language
FIFA 2022: Madras HC Blocks TV Cable, Internet Service Providers From Streaming World Cup Matches

Leave a Reply

Your email address will not be published. Required fields are marked *