An ongoing spear-phishing campaign is using malicious Microsoft Word documents to install two PowerShell backdoors on victims’ machines.

FireEye as a Service (FaaS) first detected the operation in February 2017. The campaign appears to be targeting individuals who’ve played a part in submitting financial statements and other documents to the U.S. Securities and Exchange Commission (SEC). Sometimes, those documents mention participating individuals by name.

Each attack email contains a spoofed sender address that uses the official SEC domain “sec.gov”. The emails also come with a Microsoft Word attachment whose name indicates the SEC has updated Form 10-K, an annual report required by the U.S. Securities and Exchange Commission because it gives a comprehensive overview of a company’s financial performance.
Example phishing email sent in the campaign. (Source: FireEye)

Not surprisingly, the attachment isn’t what it says it is. FireEye threat researchers