
POWERSHOWER Backdoor


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

POWERSHOWER is a newly observed PowerShell-based backdoor believed to have been created by the Inception group, an advanced persistent threat targeting government organisations throughout Europe.

Affected platforms

The following platforms are known to be affected:

Threat details

Inception uses a complex two-stage spear-phishing process to deliver POWERSHOWER. Initially, a reconnaissance email with a Microsoft Word attachment is sent to the user. This attachment contains a Microsoft Word Remote Template, a feature that allows Word to load templates from a remote location for use in a document. When opened, the attachment contacts a command and control (C2) server, which then sends a secondary email containing a malicious RTF document with exploits for two Word vulnerabilities (CVE-2012-1856 and CVE-2017-11882, both of which Microsoft has already patched). These exploits then execute a VBScript that downloads and installs POWERSHOWER.

Once installed, POWERSHOWER will create registry entries to maintain persistence and ensure future PowerShell instances appear off-screen by default, before terminating Word processes and removing all files and registry entries associated with its installation. It will then send system information to the C2 server and await further instructions.
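As an added example (not part of this alert or of any vendor report on Inception), the following Python detection walks process-creation events for the chain described above: an Office application spawning a script host that in turn launches PowerShell. The event shape and every sample value are constructed assumptions for illustration, not indicators taken from this page.

```python
"""Hunt for the Word -> script host -> PowerShell chain described in the alert.

The events below are constructed in a Sysmon-like shape (pid, ppid, image,
command line); field names and values are assumptions, not page indicators.
"""

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r"WINWORD.EXE /n invoice.rtf"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ep bypass -f C:\Users\u\AppData\Roaming\x.ps1"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c Get-Process"},  # benign admin use, must not be flagged
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, following ppid links; stops on cycles."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_to_shell_chains(events):
    """Flag each shell process with an Office application anywhere in its ancestry,
    whether Word launched it directly or via an intermediate script host."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if chain[0] in SHELLS and any(a in OFFICE for a in chain[1:]):
            hits.append({"pid": e["pid"], "chain": " <- ".join(chain)})
    return hits


if __name__ == "__main__":
    for hit in find_office_to_shell_chains(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']}")
```

On real endpoint telemetry, feed it process-creation events (for example Sysmon event ID 1) with the same four fields; the direct Word-to-PowerShell case is caught as well as the scripted one.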

For further information


Remediation steps

Microsoft have previously released updates to address both CVE-2012-1856 and CVE-2017-11882. Users and administrators are encouraged to apply these updates immediately if they have not already done so. Additionally, to prevent and detect an infection, ensure that:
  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.


Last edited: 17 February 2020 12:52 pm