Security researchers at SafeBreach recently discovered a previously unknown PowerShell backdoor on Windows. It uses a malicious Word document as the initial entry point and then runs PowerShell scripts.
The backdoor can affect Active Directory and Remote Desktop (RDP) users.
The details are in the SafeBreach publication SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor. The backdoor has several notable characteristics.
On August 25, 2022, a malicious Word document named Apply Form.docm was first distributed. The document contained macro code that launched a previously unseen PowerShell script.
The macro dropped a script named updater.vbs on the victim's system and created a Windows scheduled task that posed as part of a Windows update.
This scheduled task then ran the updater.vbs script from the "%appdata%\local\Microsoft\Windows" folder. Note that this step requires administrative permissions.
The updater.vbs script in turn ran a PowerShell script.
Before the scheduled task runs, two PowerShell scripts named Script.ps1 and Temp.ps1 are created. Their contents are stored in text boxes within the Word document and are written to the folder under AppData that the macro created. Neither script is detected as malicious by VirusTotal.
The first script, Script.ps1, connects to a C2 server to receive commands to execute. It parses the commands and runs Temp.ps1 once for each command, passing the command via the c parameter.
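The persistence step above (a scheduled task posing as a Windows update that launches a .vbs file from a user-writable profile folder) is something a responder can hunt for offline. The following Python triage script is an added example, not code from the SafeBreach report or from the page: it parses Windows Task Scheduler XML (the files under C:\Windows\System32\Tasks, or the output of schtasks /query /xml) and flags tasks whose action runs a script host on a file under AppData or Temp, or that present themselves as an update while running something outside the Windows directory. The two task definitions embedded below are constructed for the example; the task path \Microsoft\Windows\WindowsUpdate\Updater and the benign UsoClient action are assumptions, not identifiers taken from the report.

```python
"""Offline triage of Windows Task Scheduler XML for update-themed tasks that run
scripts from user-writable locations (the persistence pattern described above).

Added example; not code from the SafeBreach report. Task names and sample
definitions are constructed for illustration."""
import pathlib
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that commonly launch dropped scripts.
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "mshta", "cmd"}
# Locations a standard user can write to; legitimate Windows Update tasks do not run from here.
USER_WRITABLE = re.compile(r"(%appdata%|%localappdata%|%temp%|\\users\\[^\\]+\\appdata)", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta|bat|cmd)\b", re.I)
WINDOWS_DIR = re.compile(r"(%windir%|%systemroot%|\\windows\\system32\\)", re.I)


def triage_task(xml_data):
    """Return a list of human-readable reasons the task looks suspicious (empty = clean).

    Accepts str or bytes; on-disk task files are UTF-16 XML, so pass bytes for those."""
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS) or ""
    desc = root.findtext("t:RegistrationInfo/t:Description", "", NS) or ""
    looks_like_update = re.search(r"update", uri + " " + desc, re.I) is not None
    reasons = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exec_el.findtext("t:Arguments", "", NS) or "").strip()
        cmdline = f"{cmd} {args}".strip()
        host = re.sub(r"\.exe$", "", cmd.lower().rsplit("\\", 1)[-1])
        if host in SCRIPT_HOSTS:
            if USER_WRITABLE.search(cmdline) and SCRIPT_EXT.search(cmdline):
                reasons.append(f"{host} runs a script from a user-writable path: {cmdline}")
            elif looks_like_update:
                reasons.append(f"task presents as an update but runs a script host: {cmdline}")
        elif looks_like_update and not WINDOWS_DIR.search(cmd):
            reasons.append(f"task presents as an update but runs outside the Windows directory: {cmdline}")
    return reasons


def triage_tasks_dir(tasks_dir):
    """Walk an exported Tasks tree (files have no extension) and map path -> reasons."""
    findings = {}
    for path in pathlib.Path(tasks_dir).rglob("*"):
        if path.is_file():
            try:
                reasons = triage_task(path.read_bytes())
            except ET.ParseError:
                continue  # not a task definition
            if reasons:
                findings[str(path)] = reasons
    return findings


# Constructed sample: an update-themed task that launches a dropped .vbs from AppData.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\Microsoft\\Windows\\WindowsUpdate\\Updater</URI>
    <Description>Windows Update component</Description>
  </RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%appdata%\\local\\Microsoft\\Windows\\updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign-looking update task whose binary lives in System32.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\UsoClient.exe</Command>
      <Arguments>StartScan</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", triage_task(xml) or "no findings")
```

On a live host the same checks can be fed from the registered tasks directly; on a disk image, point triage_tasks_dir at the copied Tasks folder. The path and extension heuristics are deliberately broad, so review each finding rather than treating it as a verdict.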
Security researchers were able to run specific commands on victims' systems, including:
retrieve process lists
list local users
list files in specific folders
list Active Directory and RDP connections