Cybersecurity firm SafeBreach has issued a warning about a new PowerShell backdoor that disguises itself as part of the Windows Update process in order to evade detection.
The backdoor is delivered by a malicious Word document that appears to be tied to a LinkedIn-themed spear-phishing lure (a job application) and is operated by an unidentified but capable threat actor. When the document is opened, its macro drops a PowerShell script onto the victim’s machine and registers a scheduled task that poses as a Windows update, running the script from a bogus update folder.
That script exists to launch a further PowerShell script, and two additional scripts are written to the system before the scheduled task fires.
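As an added example (not code from the SafeBreach report or from the backdoor itself), this is the hunt a defender would run on an endpoint after reading the above: enumerate scheduled tasks and flag any that run a script interpreter on a script stored in a user-writable folder, or that borrow update-style naming outside the built-in \Microsoft\ task tree. The interpreter list, the folder roots, the name pattern and the switch regex are heuristics chosen for this example, not indicators published for this campaign.

```powershell
# Added example, not from the SafeBreach write-up. Requires the ScheduledTasks
# module (Windows 8 / Server 2012 or later). Run elevated to see every user's tasks.

# Interpreters a dropped script would be launched with (heuristic list).
$Interpreters = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'

# Folders an ordinary user can write to; a real OS update does not run from these (assumption).
$UserWritableRoots = @(
    (Join-Path $env:SystemDrive 'Users'),
    $env:ProgramData,
    (Join-Path $env:SystemRoot 'Temp')
)

function Expand-TaskPath {
    param([string]$Value)
    # Task definitions routinely store %LOCALAPPDATA%-style variables and quoted paths.
    if (-not $Value) { return '' }
    return [Environment]::ExpandEnvironmentVariables($Value).Trim('"', ' ')
}

function Test-UserWritable {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $UserWritableRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousUpdateTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [IO.Path]::GetFileName((Expand-TaskPath $action.Execute)).ToLowerInvariant()
            if ($Interpreters -notcontains $exe) { continue }

            $arguments = [string]$action.Arguments
            $reasons   = New-Object System.Collections.Generic.List[string]

            # Masquerade check: "update"-themed name registered outside the OS-owned task tree.
            if ($task.TaskName -match '(?i)updat' -and $task.TaskPath -notlike '\Microsoft\*') {
                $reasons.Add('update-themed name outside \Microsoft\')
            }

            # Script referenced in the arguments, e.g. -File "C:\Users\x\...\foo.ps1".
            $scriptMatch = [regex]::Match($arguments, '(?i)"?([A-Z]:\\[^"]+?\.(?:ps1|vbs|js|bat|cmd))"?')
            $scriptPath  = if ($scriptMatch.Success) { Expand-TaskPath $scriptMatch.Groups[1].Value } else { '' }
            if (Test-UserWritable $scriptPath) { $reasons.Add("script in user-writable path: $scriptPath") }
            if (Test-UserWritable (Expand-TaskPath $action.WorkingDirectory)) {
                $reasons.Add('working directory is user-writable')
            }

            # Switches whose main purpose is to hide a console or skip policy checks.
            if ($arguments -match '(?i)(-enc\w*|-nop\w*|-w\w*\s+hidden|bypass)') {
                $reasons.Add('evasive interpreter switches')
            }

            if ($reasons.Count -gt 0) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    RunsAs  = $task.Principal.UserId
                    Command = "$($action.Execute) $arguments".Trim()
                    LastRun = $info.LastRunTime
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousUpdateTask | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Expect some noise from legitimate software updaters that also schedule scripts under ProgramData; the useful triage order is tasks whose Author is a plain user account, whose script sits under a user profile, and whose name imitates the OS. Pair the listing with Microsoft-Windows-TaskScheduler/Operational event 106 (task registered) to catch the moment the macro created it.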