Nearly 100 victims are believed to have been hit by a newly identified, fully undetectable (FUD) Windows PowerShell backdoor, The Register reports.
Threat actors behind the FUD backdoor have launched a phishing campaign impersonating a LinkedIn-based job offer, which includes a malicious Word document with a macro, reported SafeBreach Labs researchers.
The report showed that the macro creates a scheduled task posing as a Windows update; that task runs the updater.vbs script, which in turn runs a PowerShell script that opens a remote-control backdoor. The malware creates two PowerShell scripts whose contents are obfuscated to evade detection on VirusTotal, according to SafeBreach Director of Security Research Tomer Bar.
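The chain above (an "update"-themed scheduled task launching a .vbs through a script host, which then runs PowerShell) leaves a recognisable footprint in task-creation telemetry. The following is an added detection example, not code from SafeBreach or The Register: it parses constructed task definitions in the XML shape that Windows Event ID 4698 carries in its TaskContent field and flags the combination of a misleading name, a script-host action, and a payload in a user-writable path. The task names and the C:\Users\Public path are assumptions; only the updater.vbs file name comes from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definitions (Event ID 4698 TaskContent shape).
# Task names and paths are made up for this example; only updater.vbs is from the report.
TASKS = {
    "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start":
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
        "<Command>%SystemRoot%\\system32\\sc.exe</Command><Arguments>start wuauserv</Arguments>"
        "</Exec></Actions></Task>",
    "\\Windows Update":
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
        "<Command>wscript.exe</Command><Arguments>//b C:\\Users\\Public\\updater.vbs</Arguments>"
        "</Exec></Actions></Task>",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|%APPDATA%|%TEMP%", re.I)

def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Exec", NS):
        yield ex.findtext("t:Command", "", NS).strip(), ex.findtext("t:Arguments", "", NS).strip()

def suspicious_reasons(task_name, task_xml):
    """Return the reasons a task resembles the reported persistence technique (empty = clean)."""
    reasons = []
    name = task_name.lower()
    # Microsoft's own update tasks live under \Microsoft\Windows\; an "update" task elsewhere is odd.
    if "update" in name and not name.startswith("\\microsoft\\windows\\"):
        reasons.append("update-themed task name outside \\Microsoft\\Windows\\")
    for cmd, args in exec_actions(task_xml):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host ({exe})")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("script or payload lives in a user-writable location")
    return reasons

def scan(tasks=TASKS):
    """Map each task name to its list of reasons; tasks with an empty list are not flagged."""
    return {name: suspicious_reasons(name, xml) for name, xml in tasks.items()}

if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", reasons or "ok")
```

The same checks apply to the XML returned by `schtasks /query /xml` on a live host, so the function can be run over an export as well as over event logs.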
SafeBreach noted that systems with macros disabled would be protected from this particular attack.
"But if the threat actor uses a different attack vector (exploits, for example, instead of macros), the FUD PowerShell malware would work and spy on the victim," said a SafeBreach spokesperson.