Here is some research by Tomer Bar, Director of Security Research at SafeBreach, on how they detected a backdoor that had been designated a fully undetectable (FUD) PowerShell backdoor; obviously it is now detected.
It all starts with a malicious Microsoft Word document that includes a macro which launches a PowerShell script. The Word file carries the classic social engineering/phishing email name of “Apply Form.docm”.
SafeBreach Uncovers Fully Undetectable Powershell Backdoor | New Research
What you should take away from this
Defending against phishing and social engineering attacks, at the user level, starts with good training and awareness. So here are two things to notice that could stop you and your organisation from falling victim to this attack:
- If this document gets to you via email, are you expecting this type of document from the sender of the email?
- The file is a .docm – a macro-enabled Word file. If a real person were sending you this, it would probably be a .docx file – just something to make you suspicious.
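As an added illustration of the .docm point above (example code written for this page, not part of the original post or of SafeBreach's research): a small Python triage helper that decides whether a Word attachment is macro-enabled by looking inside the OOXML archive for the VBA project part and the macro-enabled content type, rather than trusting the extension. The sample archives are constructed inline and only mimic the parts that matter; the VBA project bytes are a placeholder, not a real compiled project.

```python
import io
import zipfile

# Content type Word declares for the main part of a macro-enabled (.docm) document
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word attachment: a minimal OOXML zip, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = MACRO_ENABLED_MAIN if with_macro else PLAIN_MAIN
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # macro-enabled documents store the compiled VBA project in this part (placeholder bytes)
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 placeholder")
    return buf.getvalue()


def macro_indicators(data: bytes) -> list[str]:
    """Signs of macros found inside the archive, ignoring the file extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            found.append("VBA project part present")
        if "[Content_Types].xml" in names and \
                MACRO_ENABLED_MAIN in z.read("[Content_Types].xml").decode("utf-8", "replace"):
            found.append("main part declared macro-enabled")
    return found


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons to pause before opening an attachment; an empty list means nothing stood out."""
    ext_macro = filename.lower().endswith((".docm", ".dotm"))
    reasons = ["macro-enabled Word extension"] if ext_macro else []
    try:
        indicators = macro_indicators(data)
    except zipfile.BadZipFile:
        return reasons + ["not a valid OOXML archive"]
    reasons.extend(indicators)
    if indicators and not ext_macro:
        # a .docx that carries a VBA project is more suspicious, not less
        reasons.append("macro content behind a non-macro extension")
    return reasons
```

Running `triage_attachment("Apply Form.docm", build_sample(True))` flags the extension, the VBA part and the content type, while a plain .docx sample returns an empty list.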
Could you or your team spot this type of attack?
If they spot it, do they know what to do?
If they do not spot it and open the Word document and then notice something is wrong, do they know what to do and who to contact?
If you cannot answer these questions in a way that means your organisation is NOT infected with malware, RATs, backdoors, ransomware etc. etc. etc., why not go over and have a look at our online cyber security awareness training website, CyberAwake.
We designed CyberAwake to be businesslike (sorry no cutesy, friendly animations) with training videos and online tests, sized so your team could complete the sections over a cup of coffee, dipping in and out as time permits. We also keep the material up to date – and for those that want to, you can print out a certificate.
But the most important thing is that you and your team are more “threat actor aware” and safer from cyber security incidents.
Clive Catton MSc (Cyber Security) – by-line and other articles