
A new MuddyWater Campaign spreads Powershell-based PRB-Backdoor

Trend Micro spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater APT.

Security researchers at Trend Micro have spotted a new attack that relies on weaponized Word documents and PowerShell scripts and appears to be related to the MuddyWater cyber-espionage campaign.

The first MuddyWater campaign was observed in late 2017, when researchers at Palo Alto Networks investigated a wave of attacks in the Middle East.

The researchers named the campaign ‘MuddyWater’ because of the difficulty of attributing the attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time they changed their tools and techniques.

In March 2018, FireEye uncovered a large phishing campaign, running from January to March 2018, conducted by the group it tracks as TEMP.Zagros (another name under which researchers track MuddyWater) against targets in Asia and the Middle East.

The attackers used weaponized documents, typically with geopolitical themes, such as documents purporting to come from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

The attacks were initially, and mistakenly, associated with the FIN7 group: when Palo Alto Networks analyzed the first campaign, it reported that a C&C server that also delivered the FIN7-linked DNSMessenger tool was involved in MuddyWater attacks.

The new campaign shares many traits with earlier ones attributed to the same threat actor: the attackers attempted to deliver a backdoor through weaponized Word documents whose macros execute PowerShell scripts.

“In May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload.” reads the analysis published by Trend Micro.

“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts on the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files.”

Unlike in previous campaigns, the samples do not download the malicious scripts at all: the VBS and PowerShell components are encoded inside the document and decoded at runtime, so there is no second-stage download to block or observe on the network, and detection has to happen in the document itself or on the host.

The lure document used in the campaign claims to be a reward or promotion notice, which suggests the attackers are also targeting organizations in other industries.

Once the victim opens the document, they are prompted to enable macros in order to view its full content.

“Once the macro is enabled, it will use the Document_Open() event to automatically execute the malicious routine if either a new document using the same template is opened or when the template itself is opened as a document.” continues the analysis.

The macro executes two PowerShell scripts; the second one drops the various components on the compromised machine.
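As an added illustration, and not code from Trend Micro or from the sample described here, the following Python triage script applies the three observations above to macro source text: it looks for auto-execute entry points such as Document_Open(), for execution primitives such as WScript.Shell and powershell -enc, and for long quoted base64 strings that decode to readable text, which is how a document can carry its scripts without any download. The macro text, the strings it contains, the regex lists and the scoring thresholds are constructed for the example; the real sample's macro is not reproduced on the page. Extracting the VBA source from the .doc/.docm (for instance with olevba from oletools) is assumed to have happened already.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample, not the real MuddyWater macro: an auto-run handler that
# carries its PowerShell stage as a base64 string inside the document and
# launches it with -enc, which is how the page describes the new samples.
EMBEDDED_STAGE = '$c="http://outl00k.net"'  # placeholder stage content (constructed)
ENCODED_STAGE = base64.b64encode(EMBEDDED_STAGE.encode("utf-16-le")).decode()

SAMPLE_MACRO = f'''
Private Sub Document_Open()
    Dim payload As String
    payload = "{ENCODED_STAGE}"
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -enc " & payload, 0
End Sub
'''

# Constructed benign macro for comparison: formatting only, no auto-run event.
BENIGN_MACRO = '''
Sub FormatHeader()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Internal"
End Sub
'''

# Event handlers and auto-macros that run without the user clicking anything.
AUTO_EXEC = re.compile(
    r"\b(Document_Open|Document_Close|AutoOpen|Auto_Open|AutoClose|AutoExec|Workbook_Open)\b",
    re.I)
# Calls and switches that indicate script execution rather than document formatting.
SUSPICIOUS = re.compile(
    r"(powershell|wscript\.shell|createobject|shell\s*\(|\.run\b|-encodedcommand|-enc\b|frombase64string)",
    re.I)
# Quoted base64 runs long enough to be a script rather than a short constant.
B64_BLOB = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def decode_blob(b64: str) -> Optional[str]:
    """Decode a base64 string as UTF-16LE (what powershell -enc expects) or
    UTF-8 text; return None if it is not readable text in either encoding."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def triage_macro(vba: str) -> dict:
    """Static triage of VBA source: auto-exec entry points, execution
    primitives and embedded encoded stages, with a coarse verdict."""
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(vba)})
    suspicious = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(vba)})
    decoded = [t for t in (decode_blob(m.group(1)) for m in B64_BLOB.finditer(vba)) if t]
    signals = bool(suspicious) + bool(decoded)
    if auto_exec and signals:
        verdict = "high"      # runs on open and executes or decodes a stage
    elif auto_exec or signals:
        verdict = "medium"
    else:
        verdict = "low"
    return {"auto_exec": auto_exec, "suspicious": suspicious,
            "decoded_blobs": decoded, "verdict": verdict}


if __name__ == "__main__":
    for name, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_macro(macro))
```

UTF-16LE is tried before UTF-8 because that is the encoding powershell -enc consumes; a blob that decodes cleanly in neither is ignored rather than reported, which keeps binary resources from flooding the output.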


The final payload delivered in this campaign is the PRB-Backdoor RAT, which communicates with a command and control (C&C) server at outl00k[.]net, a lookalike of "outlook" with zeros in place of the letter o.

The backdoor can execute a broad range of commands, including gathering browsing history from installed browsers, exfiltrating passwords saved in the browser, reading and writing files, executing shell commands, logging keystrokes, and capturing screenshots.
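The C&C domain above is a lookalike that survives a casual glance at a DNS log. As an added example, not from the article or from Trend Micro, this Python snippet runs that check over constructed DNS query log lines: it folds the common digit-for-letter substitutions before comparing the registrable label against a small brand watchlist, and also flags single-character typos, which generalizes beyond the zeros-for-o case on the page. The log lines, the field format, the watchlist and the homoglyph table are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed DNS query log (not real telemetry). The second line carries the
# C&C domain named in the article; the last one is a one-character typo lookalike.
DNS_LOG = """\
2018-05-14T09:12:01Z host=ws-101 query=login.microsoftonline.com type=A
2018-05-14T09:12:07Z host=ws-101 query=outl00k.net type=A
2018-05-14T09:12:09Z host=ws-102 query=outlook.office365.com type=A
2018-05-14T09:13:44Z host=ws-103 query=cdn.example.org type=AAAA
2018-05-14T09:15:02Z host=ws-104 query=outlok.net type=A
"""

# Brand labels we expect to see only as the genuine second-level domain (assumed watchlist).
BRANDS = ["outlook", "microsoft", "office365"]

# Digits that read like letters in most fonts: "outl00k" -> "outlook".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "9": "g"})
QUERY_RE = re.compile(r"\bquery=(\S+)")


def registrable_label(domain: str) -> str:
    """Second-level label of the queried name. No public-suffix list is used
    offline, so 'a.co.uk' would yield 'co'; adequate for this check."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands: List[str]) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if the registrable label imitates a brand,
    None if it is the genuine brand label or unrelated."""
    label = registrable_label(domain)
    if label in brands:
        return None                      # the brand's own domain
    folded = label.translate(HOMOGLYPHS)
    for brand in brands:
        if folded == brand:
            return brand, "homoglyph"    # e.g. outl00k -> outlook
        if levenshtein(label, brand) == 1:
            return brand, "typo"         # e.g. outlok -> outlook
    return None


def find_lookalikes(log: str, brands: List[str]) -> List[Dict[str, str]]:
    """Scan query= fields in the log and return the lookalike hits in order."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1), brands)
        if verdict:
            hits.append({"query": m.group(1), "brand": verdict[0], "reason": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(DNS_LOG, BRANDS):
        print(hit)
```

The exact-match exclusion comes first so that legitimate brand domains such as outlook.office365.com are never reported; subdomains of unrelated names (login.microsoftonline.com) fall through both checks because the registrable label is compared, not the full name.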

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro concludes.


Pierluigi Paganini 

(Security Affairs – MuddyWater, APT)
