powershell_web_backdoor
Category: Backdoor

⚠️ Overview
PowerShell Web Backdoor (MITRE ATT&CK ID: S0580) is a lightweight backdoor malware written entirely in PowerShell, first documented by JPCERT/CC in 2016 in connection with the APT10 (Tick) threat group. It is categorized as a remote access trojan (RAT) that relies on HTTP/HTTPS for command-and-control (C2) communication, typically deployed as a second-stage payload following initial compromise.
🔧 Technical Capabilities
The backdoor establishes C2 by making periodic HTTP GET or POST requests to attacker-controlled web servers, often using a benign-looking User-Agent string such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36" to blend in with normal traffic. It supports commands for file upload and download, shell execution, process manipulation, and registry operations, all transmitted as base64-encoded data in URL parameters or POST bodies. Persistence is achieved through scheduled tasks (e.g., schtasks), registry Run keys, or by abusing Windows services. Evasion techniques include PowerShell script obfuscation using substitution algorithms (e.g., base64, XOR), running entirely in memory without dropping executables, and disabling Windows Event Logging (via wevtutil) to hinder forensic analysis. Propagation is manual after initial access, often via spear-phishing emails delivering malicious Office documents that exploit CVE-2017-11882 (Equation Editor) or carry XLS macros.
📜 History & Notable Incidents
First observed in 2016 by JPCERT/CC during attacks against Japanese manufacturing and technology firms, the malware has been tied exclusively to APT10 (also tracked as Stone Panda or Red Apollo). In 2018, Unit 42 (Palo Alto Networks) reported a campaign where PowerShell Web Backdoor was used to exfiltrate intellectual property from aerospace and defense contractors. No public law enforcement actions have been taken against the operators, and the backdoor remains active in targeted campaigns as of 2024.
🔍 Detection Indicators
Common network IOCs include HTTP requests to domains mimicking legitimate services (e.g., microsoft-update[.]com) with URIs like /update.php?id= and User-Agent strings matching those above. File hashes are rarely static due to obfuscation, but specific PowerShell scripts have been shared publicly in JPCERT/CC reports (e.g., SHA256: c1e8a3b...9f2d4). Registry persistence keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost. Mutex names such as "Global\PSWD_Backdoor" have been observed.
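The following is an added hunting example built from the C2 behaviour in the Technical Capabilities section and the indicators listed above; it is not code from this page, from JPCERT/CC or from Boteraser. The proxy log lines are constructed for the example, and their layout (timestamp, client, method, URL, status, quoted User-Agent) is an assumption about the log format; the User-Agent, URI path, Run-key value name and mutex name are the ones the page reports. The network part runs anywhere PowerShell runs; the host checks need Windows.

```powershell
# Constructed proxy log lines (assumed format: time client method url status "user-agent").
$SampleProxyLog = @'
2024-03-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
2024-03-01T10:00:31Z 10.0.0.5 GET http://microsoft-update.com/update.php?id=d2hvYW1p 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:01:01Z 10.0.0.5 POST http://microsoft-update.com/update.php?id=aXBjb25maWc= 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
2024-03-01T10:01:02Z 10.0.0.7 GET http://cdn.example.org/lib.js 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
'@

# Indicator values taken from the page's Detection Indicators section.
$SuspectUserAgent = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36'
$SuspectPath      = '/update.php'
$RunKeyPath       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValueName     = 'svchost'
$MutexName        = 'Global\PSWD_Backdoor'

function Find-BeaconCandidate {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<method>GET|POST)\s+(?<url>\S+)\s+\d{3}\s+"(?<ua>[^"]*)"\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $ts = $Matches.ts; $src = $Matches.src; $method = $Matches.method; $ua = $Matches.ua
        $uri = [uri]$Matches.url
        # Indicator: beacon URI /update.php carrying an id= parameter.
        if ($uri.AbsolutePath -ne $SuspectPath) { continue }
        $idMatch = [regex]::Match($uri.Query, '[?&]id=(?<id>[A-Za-z0-9+/=]+)')
        if (-not $idMatch.Success) { continue }
        # The page says tasking travels base64-encoded; decode it for the analyst but
        # keep the raw value when it is not valid base64.
        $raw = $idMatch.Groups['id'].Value
        try { $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw)) }
        catch { $decoded = $null }
        [pscustomobject]@{
            Time         = $ts
            Source       = $src
            Method       = $method
            Host         = $uri.Host
            RawId        = $raw
            DecodedId    = $decoded
            UserAgentHit = ($ua -eq $SuspectUserAgent)
        }
    }
}

function Test-RunKeyPersistence {
    # A Run value named "svchost" is suspicious by itself: the genuine svchost.exe is
    # started by the Service Control Manager, never from a Run key.
    $props = Get-ItemProperty -Path $RunKeyPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $RunValueName) {
        [pscustomobject]@{ Key = $RunKeyPath; Name = $RunValueName; Command = $props.$RunValueName }
    }
}

function Test-BackdoorMutex {
    # A named mutex exists only while some process keeps a handle to it, so a
    # successful open means the name is in use right now.
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)) {
            $m.Dispose()
            return $true
        }
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        # Access denied still proves the object exists.
        return $true
    }
}

# Network hunt over the constructed log: expect the two microsoft-update.com lines.
Find-BeaconCandidate -Lines ($SampleProxyLog -split "`r?`n") | Format-Table -AutoSize
# Host checks (Windows only).
Test-RunKeyPersistence
"Backdoor mutex present: $(Test-BackdoorMutex)"
```

On the constructed input the two microsoft-update.com requests are returned with UserAgentHit set and their id parameters decoded, while the two ordinary requests are dropped. The User-Agent alone is a weak signal because it is a plausible browser string; the example therefore requires the URI pattern and only reports the User-Agent match as a supporting field.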
☠️ Risk & Impact
The backdoor enables adversaries to maintain long-term access for data exfiltration, with confirmed theft of proprietary source code and engineering blueprints from Japanese and U.S. companies in the semiconductor, automotive, and aerospace sectors. Financial losses are difficult to quantify but include remediation costs, IP loss, and operational disruption. The primary impact is espionage rather than direct financial extortion.
🛡️ Mitigation
Defenders should enable PowerShell script block logging (ScriptBlockLogging) and audit collection, restrict execution policy to AllSigned or RemoteSigned, deploy application whitelisting for powershell.exe, and block outbound connections to known malicious domains. Sigma rules for detecting the backdoor’s HTTP patterns are available from SOC Prime and other threat-intelligence platforms.
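An added example of the host-side part of that mitigation, written for this page rather than taken from it or from any vendor: it turns on script block and module logging through the policy registry keys PowerShell reads, sets the execution policy named above, verifies that the PowerShell Operational channel is still enabled (the page notes the backdoor disables event logging with wevtutil), and hunts recent script block events for that tampering. It must run in an elevated Windows PowerShell session; the event IDs 4103 and 4104 are the standard module and script block logging events.

```powershell
$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$ModuleLogKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$PsOpLog        = 'Microsoft-Windows-PowerShell/Operational'

function Enable-PowerShellAuditing {
    # Script block logging records the de-obfuscated text of each script block as
    # event 4104, so an in-memory-only payload still leaves a trace.
    New-Item -Path $ScriptBlockKey -Force | Out-Null
    Set-ItemProperty -Path $ScriptBlockKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging (event 4103) for every module adds cmdlet pipeline detail.
    New-Item -Path "$ModuleLogKey\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ModuleLogKey -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$ModuleLogKey\ModuleNames" -Name '*' -Value '*' -Type String
    # One of the two execution policies the page recommends.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

function Test-PowerShellAuditing {
    # The state a SOC would assert on every host.
    $sbl = Get-ItemProperty -Path $ScriptBlockKey -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty -Path $ModuleLogKey -ErrorAction SilentlyContinue
    # Check the channel itself, not only the policy that feeds it: a backdoor that
    # runs wevtutil to disable logging leaves the policy value untouched.
    $log = Get-WinEvent -ListLog $PsOpLog -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($ml.EnableModuleLogging -eq 1)
        OperationalLogOn   = ($null -ne $log -and $log.IsEnabled)
        ExecutionPolicy    = (Get-ExecutionPolicy -Scope LocalMachine)
    }
}

function Find-LogTamperingScriptBlocks {
    param([int]$MaxEvents = 5000)
    # Hunt recent 4104 events for wevtutil clear/set-log commands and for in-line
    # base64 decoding, the two behaviours the page attributes to this backdoor.
    $filter = @{ LogName = $PsOpLog; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wevtutil\s+(cl|sl)\b|FromBase64String' } |
        Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[0] } }
}

Enable-PowerShellAuditing
Test-PowerShellAuditing
Find-LogTamperingScriptBlocks
```

Two practical points: the execution policy is a safety rail against accidental execution and not a security boundary, so the logging and application-whitelisting controls carry the real weight; and the outbound domain blocking mentioned above belongs at the DNS resolver or proxy, since host firewall rules match on addresses rather than names.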