It is highly recommended to implement and maintain good email security products to help detect phishing emails and malicious attachments. It is also recommended to implement an attachment file type block list, where possible, to prevent attachments with specific file extensions from being delivered to end users. In this scenario, the threat actors used “.docm” files to deliver their malicious payload, which most organizations would likely consider an abnormal or suspicious attachment type for incoming email. By maintaining a strong security posture at the email level, an organization can stop these malicious payloads before they ever reach the end user.

In cases where an email does get through and an end user executes the attachment, it is recommended to have good endpoint security controls, such as an EDR, on all devices in the environment. While this backdoor is currently undetected, security controls will eventually gain signatures for it, potentially allowing the endpoint control to prevent its execution.

In cases where prevention does not occur, maintaining strong detections is highly recommended to alert analysts to a potential infection. The infection payload and the backdoor itself exhibit abnormal behavior that makes for good detection opportunities on a system. Activity like Word creating a VBS or PowerShell script, a VBS script creating a scheduled task meant to look like a Windows update, and PowerShell making outbound network connections that match C2 beaconing behavior would all be considered suspicious on an endpoint. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
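As an added illustration (not code from the original post or from Binary Defense), the three behaviors named above written as simple detection rules in Python and run over constructed, Sysmon-style process and network events; the event field names, the destination address, the task name and the 60-second cadence are assumed sample values, not observed indicators.

```python
from collections import defaultdict
from statistics import mean, pstdev

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed sample telemetry in a simplified Sysmon-like shape (not real log data).
EVENTS = [
    {"type": "process", "ts": 0, "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"},
    {"type": "process", "ts": 2, "parent": "wscript.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn MicrosoftWindowsUpdate /sc minute /tr powershell.exe"},
    {"type": "process", "ts": 5, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
] + [{"type": "network", "ts": t, "image": "powershell.exe", "dst": "203.0.113.10:443"}
     for t in (60, 120, 180, 240)]  # fixed 60 s cadence to one host: beacon-like

def office_spawning_script_host(events):
    """Word/Excel/PowerPoint starting wscript/cscript/powershell is rarely legitimate."""
    return [e for e in events if e["type"] == "process"
            and e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS]

def script_creating_update_task(events):
    """A script host registering a scheduled task whose name imitates a Windows update."""
    return [e for e in events if e["type"] == "process"
            and e["image"].lower() == "schtasks.exe" and e["parent"].lower() in SCRIPT_HOSTS
            and "/create" in e["cmdline"].lower() and "update" in e["cmdline"].lower()]

def powershell_beaconing(events, min_conns=4, max_jitter=0.2):
    """PowerShell connecting to one destination at a near-constant interval."""
    by_dst = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["image"].lower() == "powershell.exe":
            by_dst[e["dst"]].append(e["ts"])
    hits = []
    for dst, times in by_dst.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):  # low variance => periodic
            hits.append({"dst": dst, "count": len(times), "interval_s": mean(gaps)})
    return hits

def run_detections(events):
    """Summarise how many events each rule flagged, e.g. for an analyst alert."""
    return {"office_spawns_script_host": len(office_spawning_script_host(events)),
            "script_creates_update_task": len(script_creating_update_task(events)),
            "powershell_beaconing": len(powershell_beaconing(events))}
```

The beaconing rule keys on interval regularity rather than on any destination, so it still fires when the C2 address changes; tune `min_conns` and `max_jitter` against your own baseline of PowerShell network activity.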
https://www.bleepingcomputer.com/news/security/hackers-use-new-stealthy-powershell-backdoor-to-target-60-plus-victims/
SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor

