In a recent finding, researchers from cybersecurity firm Cybereason have stumbled upon a new form of Windows backdoor that is unusually stealthy and potentially difficult to detect.
The backdoor, which the researchers have dubbed Ropcom, was discovered as part of a long-running attack campaign. This campaign, which was the work of an advanced threat actor, has been used to target organizations in the Middle East since at least 2012.
The new backdoor, which is described as “extremely stealthy and effective,” is essentially an intricate combination of two legitimate Windows applications: netsh, a command line tool used for network configuration, and psexec, a tool used to execute commands remotely.
Researchers believe that this two-stage backdoor is so stealthy because it hides in plain sight within a system, which lets it bypass several anti-virus products and other security measures. Even so, the researchers were able to detect the malicious activity by analysing the backdoor's components.
By using the netsh and psexec combination, the attack was able to execute malicious code without making any changes to the system files, making it difficult for security products to detect.
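Because the backdoor is built from legitimate tools, the defensive signal is not a malicious file but the combination of netsh and psexec appearing together. The following Python detector is an added example written for this article, not code from Cybereason or from the report; it runs over constructed, Sysmon-style process-creation events (the field names `ts`, `host`, `image`, `parent`, `cmdline`, the host names and the five-minute window are all assumptions) and flags a host where netsh is spawned by the PsExec service, or where netsh and psexec run within a short window of each other.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (hypothetical sample data, not real telemetry).
# One JSON object per line, as an EDR export or log forwarder might produce them.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2024-01-15T10:00:00", "host": "WS-A", "image": r"C:\Tools\PsExec.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "PsExec.exe \\\\WS-A -s cmd.exe"}),
    json.dumps({"ts": "2024-01-15T10:00:05", "host": "WS-A", "image": r"C:\Windows\PSEXESVC.exe",
                "parent": r"C:\Windows\System32\services.exe", "cmdline": "PSEXESVC.exe"}),
    json.dumps({"ts": "2024-01-15T10:00:07", "host": "WS-A", "image": r"C:\Windows\System32\netsh.exe",
                "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": "netsh.exe"}),
    # Benign: an administrator runs netsh from a shell with no psexec activity on the host.
    json.dumps({"ts": "2024-01-15T11:00:00", "host": "WS-B", "image": r"C:\Windows\System32\netsh.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh.exe interface show interface"}),
    # psexec and netsh on the same host, but an hour apart: outside the correlation window.
    json.dumps({"ts": "2024-01-15T12:00:00", "host": "WS-C", "image": r"C:\Tools\PsExec.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "PsExec.exe \\\\WS-C ipconfig"}),
    json.dumps({"ts": "2024-01-15T13:00:00", "host": "WS-C", "image": r"C:\Windows\System32\netsh.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh.exe"}),
    # psexec followed two minutes later by netsh from an ordinary parent: inside the window.
    json.dumps({"ts": "2024-01-15T14:00:00", "host": "WS-D", "image": r"C:\Tools\PsExec64.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "PsExec64.exe \\\\WS-D cmd.exe"}),
    json.dumps({"ts": "2024-01-15T14:02:00", "host": "WS-D", "image": r"C:\Windows\System32\netsh.exe",
                "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh.exe"}),
])

# Image names that indicate PsExec client or its service-side component (assumed indicator set).
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
NETSH_NAMES = {"netsh.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse newline-delimited JSON events into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_netsh_psexec_activity(text, window=timedelta(minutes=5)):
    """Return one alert per netsh launch that is tied to psexec on the same host.

    Two rules: (1) netsh whose parent is a PsExec component, regardless of timing;
    (2) netsh started within `window` of any PsExec component on that host.
    """
    by_host = {}
    for event in parse_events(text):
        by_host.setdefault(event["host"], []).append(event)

    alerts = []
    for host, events in by_host.items():
        psexec_times = [e["ts"] for e in events if basename(e["image"]) in PSEXEC_NAMES]
        for event in events:
            if basename(event["image"]) not in NETSH_NAMES:
                continue
            if basename(event["parent"]) in PSEXEC_NAMES:
                alerts.append({"host": host, "ts": event["ts"].isoformat(),
                               "reason": "netsh spawned directly by a PsExec component"})
            elif any(abs(event["ts"] - t) <= window for t in psexec_times):
                alerts.append({"host": host, "ts": event["ts"].isoformat(),
                               "reason": "netsh executed within %d minutes of PsExec activity"
                                         % (window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_netsh_psexec_activity(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events it reports WS-A (netsh parented by PSEXESVC.exe) and WS-D (netsh two minutes after PsExec64.exe) and stays silent on the lone administrative netsh on WS-B and the hour-apart pair on WS-C. The parent-process rule is the higher-confidence signal; the time-window rule trades some false positives for coverage when the parent chain has been broken, which is why the window is kept short.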
Moreover, the attack was so powerful that it was able to gain complete control over the victim’s computer, allowing the attacker to install, delete, and modify any file on the system.
So far, the researchers have identified several victims of this attack, though it is unclear what the attackers were trying to achieve. However, the researchers speculate that it could have been a targeted attack since all of the victims are based in the same region.
The findings of this new backdoor, which has yet to be named, are likely to send ripples throughout the security community as the backdoor is believed to be the work of a sophisticated group of attackers.
Given the backdoor's complexity and the possibility of its being used in other attacks, the researchers have urged organizations to pay close attention when looking for signs of malicious activity. In light of this new backdoor, they advise that organizations take additional security measures to ensure they are not vulnerable to similar attacks.