Researchers at SafeBreach have discovered a previously undocumented backdoor. The malware is highly stealthy: it masquerades as a Windows update process.
According to Tomer Bahr, head of the research team at SafeBreach, behind the malware and its C&C infrastructure is a very well-prepared group that has already compromised about 100 victims.
The attack chain of this as-yet unidentified group begins with a Word document (VirusTotal) that was uploaded from Jordan on August 25, 2022. The document's metadata suggests that the attackers are primarily targeting LinkedIn users.
If the victim opens the document and allows its embedded macro to run, the macro executes a PowerShell script (Script1.ps1) on the machine.
That script's job is to connect to the C&C server and fetch commands, which are then run by a second script (temp.ps1).
However, the attackers made a mistake in their script that allowed the researchers to reconstruct the commands sent by the server. These included running whoami, listing the files in specific folders, retrieving the list of running processes, and deleting files from users' shared folders.
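The chain above (a macro launches PowerShell, which fetches commands and hands them to a second script) is the kind of thing a process-creation rule can catch. The following is an added example written for this page, not code from SafeBreach or from the malware itself. It assumes Sysmon-style field names (ParentImage, Image, CommandLine), assumes the macro starts PowerShell directly so that WINWORD.EXE appears as the parent process, and runs over constructed sample records with illustrative paths. It generalises slightly beyond the article by also treating Excel and PowerPoint as suspicious parents and pwsh.exe as a PowerShell image.

```python
import re

# Constructed example: a minimal detector for the macro -> PowerShell chain
# described in the article. Records mimic a few fields of Sysmon Event ID 1
# (process creation); the field names and sample values are assumptions.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Script names the article attributes to this backdoor.
KNOWN_SCRIPTS = re.compile(r"\b(script1\.ps1|temp\.ps1)\b", re.IGNORECASE)
# Flags commonly used by macro launchers to keep the PowerShell window quiet
# and sidestep the execution policy (generic heuristic, not from the article).
LAUNCHER_FLAGS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if image not in POWERSHELL_IMAGES:
        return reasons
    # Assumption: the macro starts PowerShell directly, so Word is the parent.
    # A macro that hops through cmd.exe or wscript.exe first would need the
    # grandparent checked as well.
    if parent in OFFICE_PARENTS:
        reasons.append(f"{parent} spawned {image}")
    m = KNOWN_SCRIPTS.search(cmdline)
    if m:
        reasons.append(f"command line references {m.group(1)}")
    if LAUNCHER_FLAGS.search(cmdline):
        reasons.append("hidden window / execution policy bypass")
    return reasons


# Constructed sample records (paths are illustrative, not from the report).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
    {"ProcessId": 4212,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -w hidden -File C:\Users\Public\Script1.ps1"},
    {"ProcessId": 4300,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\Public\temp.ps1"},
    {"ProcessId": 4388, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]


def scan(events):
    """Return [(ProcessId, reasons)] for every event that trips a rule."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The parent-child rule is the durable part of this: file names like Script1.ps1 and temp.ps1 change between campaigns, but a Word process spawning PowerShell rarely has a benign explanation on an end-user workstation. The last sample record (an administrator running Get-Process from the desktop) is included to show that the rule does not fire on ordinary PowerShell use.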