PowerShell backdoor on Windows (0day)

Security researchers from SafeBreach recently discovered a previously unknown PowerShell backdoor targeting Windows. It is delivered through a malicious Word document that drops and runs PowerShell scripts.

The backdoor can affect users of Active Directory and remote desktops.


The details are in the publication "SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor". The backdoor has some notable features.

On August 25, 2022, a malicious Word document named Apply Form.docm was first distributed. The document contained macro code that launched an unknown PowerShell script.

The macro downloaded the updater.vbs file to the victim's system and created a scheduled task in Windows that pretended to be part of a Windows update.

This scheduled task then ran the updater.vbs script from the "%appdata%\local\Microsoft\Windows" folder. Creating the task this way, however, requires administrative permissions. The updater.vbs script in turn ran a PowerShell script.

Before the scheduled task runs, two PowerShell scripts named Script.ps1 and Temp.ps1 are created. Their contents are stored in text fields within the Word document and are written out to the appdata directory created earlier. Neither script is detected as malicious by VirusTotal.

The first script, Script.ps1, connects to a C2 server to receive commands to execute. It parses the commands and runs Temp.ps1 once for each command, passing the command through the c parameter.
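The chain above leaves a concrete artifact on the host: a scheduled task with a Windows-Update-themed name whose action runs a script out of a per-user appdata folder. The following Python is an added detection example written for this article, not code from SafeBreach or from the backdoor itself; it scores task-creation records (fields as in Windows Security event 4698, but the sample records here are constructed) and flags tasks that combine a script-host action, a user-writable script path, and an update lure outside the real WindowsUpdate task folder. The thresholds, regexes and sample paths are assumptions chosen to illustrate the pattern, not indicators taken from the report.

```python
"""Hunt for scheduled tasks matching the dropper pattern: a task with an
update-themed name whose action is a script host running a .vbs/.ps1 from
a user-writable location. Sample events are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class TaskEvent:
    # Fields as recorded in Security event 4698 ("a scheduled task was created").
    task_name: str   # e.g. "\Microsoft\Windows\WindowsUpdate\Scheduled Start"
    command: str     # the action's executable
    arguments: str   # the action's argument string
    user: str        # account that created the task


# Executables that run scripts; a legitimate maintenance task rarely uses these
# to run a .vbs from AppData.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|ps1|js|hta)\b", re.IGNORECASE)
# Per-user or temp locations that an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"(?:\\Users\\[^\\]+\\AppData\\|%APPDATA%|%LOCALAPPDATA%|\\Temp\\)", re.IGNORECASE
)
UPDATE_LURE = re.compile(r"update", re.IGNORECASE)
# Where genuine Windows Update tasks live (assumed allowlist for this example).
LEGIT_UPDATE_PATH = re.compile(
    r"^\\Microsoft\\Windows\\(WindowsUpdate|UpdateOrchestrator)\\", re.IGNORECASE
)


def score_task(ev: TaskEvent) -> list[str]:
    """Return the list of suspicious traits found on one task-creation event."""
    reasons = []
    exe = ev.command.rsplit("\\", 1)[-1].lower()
    full = f"{ev.command} {ev.arguments}"
    if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.arguments):
        reasons.append("script-host action")
    if USER_WRITABLE.search(full):
        reasons.append("runs from user-writable path")
    if UPDATE_LURE.search(ev.task_name) and not LEGIT_UPDATE_PATH.match(ev.task_name):
        reasons.append("update-themed name outside the real WindowsUpdate task folder")
    return reasons


def hunt(events: list[TaskEvent], min_reasons: int = 2) -> list[tuple[str, list[str]]]:
    """Flag tasks that show at least `min_reasons` traits; one trait alone is
    common in legitimate admin scripts, so a single hit is not reported."""
    hits = []
    for ev in events:
        reasons = score_task(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.task_name, reasons))
    return hits


# Constructed sample records: one mimicking the dropper, two benign.
SAMPLE_EVENTS = [
    TaskEvent(r"\Windows Update\WinUpdate", r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Local\Microsoft\Windows\updater.vbs", "CORP\\alice"),
    TaskEvent(r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", r"C:\Windows\system32\sc.exe",
              "start wuauserv", "SYSTEM"),
    TaskEvent(r"\Corp\Inventory", "powershell.exe",
              r"-File C:\Program Files\Corp\inventory.ps1", "CORP\\svc_inventory"),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"SUSPICIOUS {name}: {', '.join(reasons)}")
```

On a live host the same `score_task` logic can be fed from exported 4698 events or from the output of the Task Scheduler's own task listing; the point of requiring two traits is to keep genuine update tasks (which run from System32 under their standard task path) and ordinary admin scripts out of the alert queue.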

Security researchers were able to run specific commands on victims' systems, including commands to:

retrieve process lists
list local users
list files in specific folders
list connections to Active Directory and RDP


Written by giorgos
