[Cyware] Walmart Discovers New PowerShell Backdoor Linked to Zloader Malware

Summary: A newly discovered PowerShell backdoor, linked to the Zloader/SilentNight malware, has been identified by Walmart’s Cyber Intelligence Team, showcasing advanced obfuscation techniques and potential for further malicious activities. This malware variant is part of a broader trend of advanced threat actors shifting towards scripting languages for their backdoors.

Threat Actor: Unknown | unknown
Victim: Walmart | Walmart

Key Point :

  • The PowerShell backdoor is designed for reconnaissance and deploying additional malware, including a new variant of Zloader.
  • It employs sophisticated obfuscation techniques, making detection challenging and allowing it to evade traditional security measures.
  • The malware has similarities to a previously identified PowerShell malware called PowerDash, particularly in its data collection and command execution methods.
  • Walmart’s findings highlight a trend of advanced threat actors utilizing scripting languages for backdoor development.
  • PowerShell is increasingly exploited by malware families, with over 90% of them using it to evade detection and perform malicious tasks.

An unknown PowerShell backdoor has been discovered alongside a new variant of the Zloader/SilentNight malware, Walmart’s Cyber Intelligence Team has reported.

The PowerShell backdoor has been constructed to provide threat actors with further access via recon activity and to deploy other malware samples, including Zloader.

The backdoor also utilizes sophisticated obfuscation techniques. It was potentially utilized alongside the new Zloader variant, the researchers said.

There is no indication the malware combination was targeted at Walmart. The retail giant’s cyber intelligence team revealed it made the discovery while proactively investigating new threats.

“The threat actor involved has links to Zloader/SilentNight, which CISA has linked to Black Basta publicly, so the aim would be breach and ransom activities,” a Walmart spokesperson told Infosecurity.

Zloader began life as a banking Trojan, but has undergone significant development over recent years, adding new functionality. The malware has been linked to a number of Russian ransomware-as-a-service groups over the years, including Ryuk, DarkSide and Black Basta.

Attackers Focusing on Obfuscation

Walmart told Infosecurity that the unknown PowerShell backdoor has some overlap with a previously observed PowerShell malware called PowerDash, particularly the way they both build the system data to send to the command and control (C2) infrastructure and how they use the same obfuscation techniques to hide the more important components of the backdoor.

PowerDash was discovered in 2023, has the functionality to collect information about the compromised system, forward it to the attackers’ controlled C2 servers and await for further commands.

Walmart’s Cyber Intelligence team noted that the newly discovered PowerShell backdoor has very few samples available on the VirusTotal detection service, making detection more challenging.

“Incidentally, the samples don’t appear to detonate very well in most sandboxes which also helps them slip under the radar for longer,” the spokesperson added.

Walmart also observed that the configuration of the backdoor fits into a broader trend of a switch to scripting languages for backdoors by some of the more advanced threat actors.

“The key advice would be verifying your internal pivoting detections such as the common hardcoded strings that threat actors and malware use for gathering information about the infected organization,” the spokesperson commented.

How the Unknown PowerShell Backdoor Operates

The researchers began by analyzing the following PowerShell file:

  • Compilation Timestamp 2023-05-29 16:24:50 UTC MD5: 83aa432c43f01541e4f1e2f995940e69 SHA-1: 931b6fd3e7ee5631fbc583640805809d9f2acc58 SHA-256: 82f33adfecd67735874cdc9c2bfd27d4b5b904c828d861544c249798a3e65e7e

They then discovered two more files matching the same characteristics, which are .NET packed by AgilDotNet:

  • Compilation Timestamp 2023-05-30 10:31:17 UTC MD5: 41563d1f34b704728988a53833577076 SHA-1: 72a572ce8247f80946e71f637c3403228543d9a3 SHA-256: 66a69d992a82681ee1d971cc2b810dd4b58c3cfd8b4506b3d62fe1e7421fb90b
  • Compilation Timestamp 2023-05-30 10:31:14 UTC MD5: e447362fb2686062a3dfc921c10dd6c7 SHA-1: 544599ef72cbd97fe50e4169c8401270ff3b917b SHA-256: b513c6940ed32766e1ac544fc547b1cb53bc95eced5b5bcc140d7c6dce377afb

After analyzing the binary, the backdoor functionality was unpacked and decrypted by the team. This uncovered a hardcoded filename within the PowerShell script.

Read now: “PowerDrop” PowerShell Malware Targets US Aerospace Industry

Checks are performed on the PowerShell script. If these fail, the malware will move itself and uninstall all the previous data. If the checks pass, it will set up a number of variables in the script.

This includes writing a VB downloader to disk alongside the executable file. The downloader contains a double base64 encoded URL that is decrypted to reveal the downloader site.

Afterwards, it executes a hardcoded curl command, which will download and execute files from the encoded URL. A check is performed if it is already running before performing the command. Tasks are installed based on a hardcoded name with a random GUID.

At this point, the script sets up a run key, and performs an admin and internet connectivity check.

The Walmart team found “heavily obfuscated” sections of code inside the script and were able to extract the code blobs and perform an analysis on them.

The first blob of code was an anti-virtual machine (VM) check, used to thwart attempts at analysis.

The next block involved the building of the information the bot will send off to the C2 along with response to commands issued. Encryption is performed using AES in CBC mode.

This enables recon to be performed, additional machine information to be gathered, and all the data that will be sent to the C2 during its initial run to be encoded.

SonicWall’s 2024 Mid-Year Cyber Threat Report found that PowerShell – a legitimate Windows automation tool used by developers – is now exploited by over 90% of malware families.

PowerShell scripts are used for various malicious tasks, including to evade detection and to download additional malware.

Source: https://www.infosecurity-magazine.com/news/walmart-powershell-backdoor-zloader