Campaign Related To Linkedin Job Application Spearphishing Lure
A previously unknown PowerShell backdoor disguises itself as part of the Windows update process. The backdoor scripts eluded detection by the security vendors' scanners on VirusTotal and appear to have infected at least 69 victims, researchers say.
The malware appears designed mainly for data exfiltration, say researchers from SafeBreach Labs, which spotted the backdoor.
Another researcher in August apparently also spotted it, tweeting screenshots of its activities.
“We strongly recommend that all security teams use the indicators of compromise we identified,” Tomer Bar, director of security research at SafeBreach, told Information Security Media Group.
The firm’s writeup shows the unusual attack starting with a malicious Word document containing macro code. The file metadata shows the document was related to a LinkedIn-based spearphishing campaign purporting to send victims a job application.
In the next stage, the macro drops a VBScript that creates a scheduled task pretending to be part of a Windows update. A file named updater.vbs executes two PowerShell scripts: one for connecting with the command-and-control servers, and another for executing the commands and uploading stolen data.
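A defender-side check for the persistence step described above, written as an added example (not code from this article or from SafeBreach): it lists scheduled tasks that launch a .vbs file through wscript/cscript and ranks higher any whose name borrows the Windows Update theme while living outside the \Microsoft\ task folder. The name patterns are assumptions; adjust them to your environment.

```powershell
# Added example: hunt for scheduled tasks that run a VBScript, the persistence
# pattern described in the article (task masquerading as Windows Update -> .vbs).
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later); run elevated.

function Get-SuspiciousVbsTasks {
    [CmdletBinding()]
    param(
        # Assumed name fragments a masquerading task would plausibly use
        [string[]] $LureNamePatterns = @('update', 'updater', 'WindowsUpdate')
    )

    $hits = foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Execute" actions carry a program; skip COM-handler / e-mail actions
            if (-not $action.Execute) { continue }

            # Execute may contain %SystemRoot% or quotes; compare the file name only
            $exe     = [System.IO.Path]::GetFileName($action.Execute).ToLowerInvariant()
            $argText = [string]$action.Arguments
            $runsVbs = ($exe -in 'wscript.exe', 'cscript.exe') -and ($argText -match '\.vbs\b')
            if (-not $runsVbs) { continue }

            $nameLooksLikeUpdate  = $LureNamePatterns | Where-Object { $task.TaskName -match $_ }
            # Microsoft's own update tasks live under \Microsoft\Windows\ and do not run .vbs files
            $outsideMicrosoftPath = $task.TaskPath -notlike '\Microsoft\*'

            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                RunAs     = $task.Principal.UserId
                Execute   = $action.Execute
                Arguments = $argText
                LastRun   = (Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath).LastRunTime
                Severity  = if ($nameLooksLikeUpdate -and $outsideMicrosoftPath) { 'High' } else { 'Medium' }
            }
        }
    }
    $hits | Sort-Object Severity, TaskName
}

# Usage: review every hit and collect the referenced .vbs for analysis
Get-SuspiciousVbsTasks | Format-Table -AutoSize
```

Any .vbs-launching task is worth a look; a "High" hit combines the Windows Update naming with a location Microsoft does not use for its own tasks.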
Both scripts are obfuscated and, when SafeBreach ran them through VirusTotal, neither was flagged as malicious.
The sophisticated coders behind the backdoor did make a mistake, SafeBreach says: They used predictable victim IDs. “When we first tested it, we got ID number 70, which means there were probably 69 victims prior to our test.” That predictability allowed researchers to develop a script pretending to be each victim and see the results.
The commands downloaded and executed by the scripts included uploading a list of active processes to the attacker’s server, enumerating local users, listing files, and even deleting them.