Cybersecurity researchers from SafeBreach Labs detected the backdoor which, when executed properly, gives attackers remote access to compromised endpoints. From there, the attackers could launch all kinds of stage-two attacks, from infostealers to ransomware.
The unknown threat actor built the attack around a weaponised Word document called “ApplyForm[.]docm”. It carried a macro which, if enabled, launched a previously unknown PowerShell script. The macro drops updater.vbs and creates a scheduled task that pretends to be part of a Windows update and executes updater.vbs from a fake update folder under %appdata%\local\Microsoft\Windows. Updater.vbs then runs a PowerShell script that gives the attacker remote access.
Antivirus solutions could not identify the file as malicious because the malware generated two PowerShell scripts, Script.ps1 and Temp.ps1, whose contents are hidden in text boxes inside the Word file and then saved to the fake update directory. Script.ps1 reaches out to the command-and-control server to be assigned a victim ID and to receive further instructions. It then runs Temp.ps1, which stores the received information and runs the commands.
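The persistence step described above (a scheduled task that mimics a Windows update but runs updater.vbs from a folder under the user's AppData) is the kind of artefact a defender can hunt for in task-creation telemetry. The following is an added detection example, not code from SafeBreach or from the article; the log records are constructed, and their field names are an assumed simplification of a Windows task-created event rather than a real schema.

```python
"""Flag scheduled tasks that impersonate Windows Update while launching a
script from a user-writable AppData path. Sample records are constructed
for this example; the dict fields are an assumed simplification of
Windows Security event 4698 (scheduled task created)."""
import re

# Constructed sample task-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"task": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "action": r"C:\Windows\System32\usoclient.exe", "args": "StartScan"},
    {"task": r"\Windows Update Task",
     "action": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\Update\updater.vbs"},
    {"task": r"\Backup\NightlyExport",
     "action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": r"-File C:\Program Files\Backup\export.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
UPDATE_WORDS = re.compile(r"update", re.IGNORECASE)
USER_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|ps1|js|hta|bat|cmd)\b", re.IGNORECASE)


def suspicious_task(event):
    """Return a reason string if the task looks like the fake-update persistence, else None."""
    binary = event["action"].rsplit("\\", 1)[-1].lower()
    cmdline = f'{event["action"]} {event["args"]}'
    # Genuine Windows Update tasks run signed system binaries, not script hosts.
    if binary not in SCRIPT_HOSTS:
        return None
    # Only alert when the script lives in a user-writable AppData location.
    if not (USER_PATH.search(cmdline) and SCRIPT_EXT.search(cmdline)):
        return None
    reasons = ["script host launches a script from a user-writable AppData path"]
    if UPDATE_WORDS.search(event["task"]) or UPDATE_WORDS.search(cmdline):
        reasons.append("task name or path impersonates Windows Update")
    return "; ".join(reasons)


def scan(events):
    """Return (task name, reason) pairs for every suspicious record."""
    return [(e["task"], r) for e in events if (r := suspicious_task(e))]


if __name__ == "__main__":
    for task, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {task}: {reason}")
```

The legitimate usoclient.exe task and the PowerShell task running from Program Files are not flagged, so the rule keys on the combination of script host, AppData path and update-themed naming rather than on any one of them.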
They would have gotten away with it had they not issued victim IDs in a predictable sequence, which allowed researchers to listen in on the conversations with the C2 server.
The malicious Word document was uploaded from Jordan in late August this year, and has compromised approximately one hundred devices so far, usually belonging to people looking for new employment opportunities.