Fully Undetectable PowerShell Backdoor Found by Security Researchers

Before everyone gets in a tizzy about "Fully Undetectable" backdoors... you can pretty much make one in an instant, at will, as many times as you want, with a single Linux command.

The author of the article is a moron, at least when it comes to cyber security.
"a novel approach to disguise itself as part of the Windows update process."

What? Making a folder and making a Scheduled task - novel? More like everyday-common.

You can write your own Python FUD in an hour.
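The "make a folder and register a scheduled task" persistence the post above calls everyday-common is also everyday-auditable. The following is an added example, not code from the thread or from the article it discusses: a read-only PowerShell inventory of scheduled tasks whose action launches a script host, with a column flagging argument patterns worth a second look. The task and host lists are assumptions I chose for illustration; adjust them to the environment.

```powershell
# Added example (not from the thread): audit scheduled tasks for script-host actions.
# Read-only. Run from an elevated shell to see tasks registered by other accounts.
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'

# Constructed list of argument fragments that merit triage (not an exhaustive detection rule):
# encoded or hidden PowerShell, execution-policy bypass, download-and-run, or scripts
# living in user-writable locations.
$triageMarkers = '-enc', '-e ', 'encodedcommand', 'hidden', 'bypass',
                 'downloadstring', 'iex', 'invoke-expression', 'appdata', 'temp\'

$report = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Execute may be quoted, may use %SystemRoot%, or may be a bare file name.
        $exe      = ([string]$action.Execute).Trim('"').Trim()
        $argText  = [string]$action.Arguments
        $exeName  = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
        if ($scriptHosts -notcontains $exeName) { continue }

        $lower = $argText.ToLowerInvariant()
        $hits  = @($triageMarkers | Where-Object { $lower.Contains($_) })

        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            Author     = $task.Author
            RunAs      = $task.Principal.UserId
            State      = $task.State
            Execute    = $exe
            Arguments  = $argText
            Markers    = ($hits -join ', ')
        }
    }
}

# Tasks with the most markers first; legitimate Microsoft tasks under \Microsoft\Windows\
# will appear too, so TaskPath and Author are the first things to read when triaging.
$report | Sort-Object { $_.Markers.Length } -Descending | Format-Table -AutoSize -Wrap
```

Many built-in tasks under `\Microsoft\Windows\` run PowerShell legitimately, so an empty `Markers` column plus a Microsoft author is usually benign; a task under the root path, authored by a user account, running `powershell.exe` with encoded or hidden arguments from a profile directory is the pattern the article's "Windows update" disguise would produce and is what this listing surfaces.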
 
I also thought it was interesting that it was clearly stated that there was a DOTM (macro-enabled document) involved.

Who in the h*ll ever opens macro-enabled Word documents that come from anyone other than a known and very trusted source? And even for those who do, who has the running of macros enabled as their default setting in MS Word (it doesn't come with this enabled)?

This is another of those, "How many basic rules must you ignore, and stupid things must you do as a result, to trigger this?"

My clients might be foolish enough to open a DOTM file because they've never, ever dealt with them at all. But all of them would have Word in its default state where no macros are run. In a business setting, I'd hope that there's a LOT more sophistication about this sort of threat in general.
 
@britechguy If Office is current, it's basically impossible to open a macro-laden document, even if you want to.
This. I recently had that update blow up one office that I service. They get LOTS of documents in email and Outlook will no longer open them directly. You have to save them to your PC and then grant permission to open it. Major PITA change from their original workflow, but I told them they had to grow a set and get used to it.
 
The FOMO obsessed.

AKA, the flatly stupid.

I was working in telecomm in the 1990s, and even way back then we were being instructed never to open a macro-enabled Office document unless it came to us from a known (typically in-house) trusted source. And even then, very few ever came in.

Anyone in a business setting that even attempts to open a macro enabled Word document from an unknown source deserves the disaster they receive, then to be fired.

There really are things you JUST DO NOT DO. And if you do them, the consequences should be swift and severe.
 
You have to save them to your PC and then grant permission to open it.

It's funny, but saving attachments first has been my personal standard workflow no matter where I work (or at home) for as long as I've been using the computer.

Word 2016 will open any of them, but if there are macros they won't run anyway because automatic running of macros is not supported in the default state (and maybe not at all).
 
This. I recently had that update blow up one office that I service. They get LOTS of documents in email and Outlook will no longer open them directly. You have to save them to your PC and then grant permission to open it. Major PITA change from their original workflow, but I told them they had to grow a set and get used to it.
(Desktop) Outlook won't open JPGs, or any other attachment either. You must download them and then open them. @britechguy This has also been my normal workflow for years, even if "I" sent the attachment. I cannot remember a time when I double-clicked an attachment in an email to open it.
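Several posts above rest on two things: Word's default macro setting (macros disabled unless the user enables them) and the "save it first, then grant permission" step, which is Windows' Mark-of-the-Web on the downloaded file. The following is an added example, not code from the thread: a read-only PowerShell check that reports both for the current user and for one saved attachment. The registry locations are the documented Office 2016/2019/2021/365 (`16.0`) paths; the file path is a placeholder, and the `VBAWarnings` meanings are the documented Trust Center values.

```powershell
# Added example (not from the thread): report the Word macro setting and the
# Mark-of-the-Web zone of a saved attachment. Read-only; nothing is changed.
param([string]$Path = "$env:USERPROFILE\Downloads\example.dotm")  # placeholder path

$userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Get-RegValue([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# VBAWarnings (Trust Center "Macro Settings"):
#   1 = enable all macros, 2 = disable with notification (the Office default),
#   3 = disable except digitally signed, 4 = disable all without notification.
# A Group Policy value under the Policies key overrides the user's own setting.
$vba = Get-RegValue $policyKey 'VBAWarnings'
if ($null -eq $vba) { $vba = Get-RegValue $userKey 'VBAWarnings' }
if ($null -eq $vba) { $vba = 2 }   # unset means the Trust Center default applies
$vbaMeaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (default)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}[[int]$vba]

# blockcontentexecutionfrominternet = 1 means macros in files carrying an Internet
# Mark-of-the-Web are blocked outright, with no "Enable Content" button offered.
$block = Get-RegValue $policyKey 'blockcontentexecutionfrominternet'
if ($null -eq $block) { $block = Get-RegValue $userKey 'blockcontentexecutionfrominternet' }
$blockText = if ($null -eq $block) { 'not set (Office default applies)' } else { "$block" }

# Mark-of-the-Web: Outlook and browsers write a Zone.Identifier alternate data stream;
# ZoneId=3 is the Internet zone that triggers Protected View and macro blocking.
$zone = $null
if (Test-Path -LiteralPath $Path) {
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $zone   = ($stream | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
    } catch { $zone = $null }   # no stream means the file carries no Mark-of-the-Web
}
$zoneText = if ($zone) { "ZoneId=$zone" } else { 'no Mark-of-the-Web' }

[pscustomobject]@{
    MacroSetting      = "$vba ($vbaMeaning)"
    BlockFromInternet = $blockText
    File              = $Path
    MarkOfTheWeb      = $zoneText
}
```

Run it as the user whose Office profile is in question, since both keys live under `HKCU`. A result of `2 (Disable with notification)` with `BlockFromInternet = 1` and `ZoneId=3` on the file is the state the posts describe: the document opens, but its macros do not run and the user is not even offered the choice. Files copied from removable media or extracted from some archives arrive without the stream, which is why "no Mark-of-the-Web" on a file that came from outside is itself worth noticing.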
 