The PRB-Backdoor is a fascinating piece of malware designed to run on the victim’s device and gather information, steal passwords, log keystrokes and perform many other functions.
Cybersecurity researchers recently detected a new PowerShell backdoor that can steal information and execute various commands on the infected machines.
The new threat is called PRB-Backdoor, and it is distributed via a Word document with malicious macros.
The document is named “Egyptairplus.doc” and was initially responsible for delivering malware linked to the MuddyWater campaigns targeting the Middle East.
Analysis of the document’s macro revealed a function called Worker() which calls multiple other functions embedded in the document; these ultimately run a PowerShell command.
It is essential for every user and company to add extra cybersecurity measures. Every user should run a reputable security solution such as an antivirus for Windows or an antivirus for Mac, depending on which OS their device is running. Companies should go a step further and hire a cybersecurity firm to deliberately attack the company’s network in order to reveal its most dangerous flaws.
This kind of deliberate attack is carried out through specialized assessments such as penetration tests and ethical hacking engagements.
First, the command would look in the document for a piece of embedded data that is Base64 encoded and decodes it. The decoded data represents an obfuscated PowerShell script.
Replacing iex with Write-Output and running this code yields a second-layer PowerShell script that resembles MuddyWater code in its use of character substitution functions. Further analysis of the code revealed an Invoker.ps1 script designed to decrypt the main backdoor code. In the end, the fully decoded backdoor contains over 2000 lines of code.
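As an added illustration (not code from the original analysis), here is a small Python triage helper that mimics the unwrapping steps described above on a constructed macro fragment: it finds Base64 blobs, decodes them, counts the iex and -replace tells, and swaps iex for Write-Output so the script would print its next layer rather than run it.

```python
import base64
import re

# Constructed sample macro fragment, modelled on the pattern the analysis
# describes (a Base64 blob handed to PowerShell); not the real document's content.
INNER = '$s = "Wrtie-Hsot hi" -replace "Wrtie","Write" -replace "Hsot","Host"; iex $s'
SAMPLE_MACRO = (
    "Sub Worker()\n"
    '  cmd = "powershell -w hidden -enc '
    + base64.b64encode(INNER.encode("utf-16le")).decode() + '"\n'
    "End Sub\n"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
IEX_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)


def decode_blob(blob):
    """Base64-decode a blob; accept UTF-16LE (what -enc uses) or UTF-8 ASCII text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def neutralize_iex(script):
    """Swap iex/Invoke-Expression for Write-Output so the script emits its
    next layer instead of executing it (the unwrapping step the analysts used)."""
    return IEX_RE.sub("Write-Output", script)


def indicators(script):
    """Count the obfuscation tells the write-up mentions."""
    return {"iex": len(IEX_RE.findall(script)),
            "char_substitution": len(re.findall(r"-replace\b", script, re.I))}


def triage(macro_text):
    """Decode every Base64 blob in macro text and report what it hides."""
    results = []
    for blob in B64_RE.findall(macro_text):
        decoded = decode_blob(blob)
        if decoded is not None:
            results.append({"decoded": decoded,
                            "neutralized": neutralize_iex(decoded),
                            "indicators": indicators(decoded)})
    return results
```

Running `triage(SAMPLE_MACRO)` reports one blob with one iex and two -replace substitutions, and returns the script with iex already swapped for Write-Output.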
The backdoor appears to have strong anti-virtualization measures, because executing the sample in a sandbox environment did not produce any network communication. By digging deeper into the code, however, researchers found a variable that points to the primary domain the backdoor contacts to retrieve commands: outl00k[.]net.
Cybersecurity experts also discovered that the email address used to register the domain was also used for the domain LinLedin[.]net. Researchers identified functions related to initial communication and registration with the command and control (C&C) server, along with a function designed to retrieve the browsing history from different browsers, including Chrome, Internet Explorer, and Firefox. Other functions revealed that the new backdoor is capable of stealing passwords, writing files to disk, reading files, updating itself, launching a shell, logging keystrokes, taking a screenshot, gathering system information, and more.
Because we want you to stay safe against threats like this, we recommend deploying a robust security solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines are running. We also suggest that every company hire a specialized cybersecurity firm to perform penetration tests and other ethical hacking assessments on the company’s network to reveal any flaws that are present.
For companies that exist 100% online, we recommend using security-focused web hosting services.