Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater infection chain observed in a recent wave of cyber attacks.

Introduction

At the end of November, several Middle East countries were targeted by a new wave of attacks attributed to the Iranian APT group known as “MuddyWater”: their first campaign was observed back in 2017, and more recently Unit42 researchers reported attacks in the ME area. MuddyWater’s TTPs appear to have stayed largely unchanged over this period: the group keeps using spear-phishing emails carrying a blurred document that induces the target to enable the execution of VBA macro code, which in turn infects the host with the POWERSTATS malware.

Figure 1. Malicious document

According to the analysis of the ClearSky Research Team and TrendMicro researchers, at the end of November the MuddyWater group hit Lebanese and Omani institutions, and a few days later Turkish entities. The attack vector and the final payload were the same in both cases: the usual macro-embedded document and the POWERSTATS backdoor, respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Z-Lab researchers analyzed the file “Cv.doc”, the blurred résumé used by MuddyWater during the Lebanon/Oman campaign.

Technical Analysis

When the victim enables macro execution, the malicious code creates an Excel document containing the code needed to download the next stage of the malicious implant. At the same time, it shows a fake error popup claiming that the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed into the new Excel document downloads PowerShell code from a URL that apparently references a PNG image file, “http://pazazta[.]com/app/icon.png”. The downloaded payload creates three new local files:

  • C:\Windows\Temp\temp.jpg, containing JavaScript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.

Figure 5. Downloaded PowerShell code
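The three dropped files share a trait worth checking for on any host: their names lie about their content (a “.jpg” holding JavaScript, a “.db” holding an encrypted script). The following triage routine is an added example, not code from the Yoroi/Cybaze analysis. It flags files whose extension promises an image format but whose bytes lack that format’s magic header, and files carrying script-host indicators. The sample file contents are constructed for the example and are not the real payloads.

```python
"""Triage dropped files whose extension does not match their content.

Added example (not code from the Yoroi/Cybaze analysis). The loader described
above writes script content into files named temp.jpg, Windows.vbe and
Microsoft.db. A content-vs-extension check catches the first case (a ".jpg"
that holds JavaScript rather than JPEG data), and a few script indicators
flag the others. All file contents below are constructed for the example.
"""
import re

# Magic bytes a file with one of these extensions should start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Indicators of script content hiding in files that should not contain any.
SCRIPT_PATTERNS = [
    re.compile(rb"\bWScript\b|\bActiveXObject\b|\bMath\.round\b"),   # JScript / JavaScript
    re.compile(rb"powershell(\.exe)?\b", re.IGNORECASE),             # PowerShell launcher
    re.compile(rb"#@~\^"),                                            # Windows Script Encoder header (.vbe/.jse)
    re.compile(rb"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE),
]


def classify(path: str, data: bytes) -> list[str]:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = path.lower()[path.rfind("."):] if "." in path else ""
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        findings.append(f"extension {ext} but content is not {ext[1:].upper()}")
    for pat in SCRIPT_PATTERNS:
        if pat.search(data):
            findings.append(f"script indicator {pat.pattern.decode()!r}")
            break
    return findings


def triage(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Run classify() over a {path: content} map and keep only the files with findings."""
    return {p: f for p, f in ((p, classify(p, d)) for p, d in files.items()) if f}


# Constructed sample contents: a script in a .jpg, an encoded script in a .vbe,
# and a genuine JPEG header as the negative case.
SAMPLE_FILES = {
    r"C:\Windows\Temp\temp.jpg": b"var ss = new Date().getTime()/1000; if (Math.round(ss) % 20 == 19) { WScript.Echo('go'); }",
    r"C:\Windows\Temp\Windows.vbe": b"#@~^AAAAAA==constructed-encoded-body==^#~@",
    r"C:\Users\alice\Pictures\holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(path, "->", "; ".join(hits))
```

On a live host the same `classify()` can be run over `C:\Windows\Temp` and `C:\ProgramData`, the two staging directories named above; the magic-byte table is deliberately small, so extend it with the image and document formats your environment actually sees.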

As shown in the above figure, the first file to be executed is “Windows.vbe”, which simply runs the JavaScript code contained in temp.jpg using the CSCRIPT engine. After its decryption, the purpose of the JS becomes clear: delaying the execution of another PowerShell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met; otherwise the script keeps re-executing itself. The “ss” variable stores the number of seconds elapsed since 1 January 1970 00:00:00.

The final stage consists of the execution of the POWERSTATS backdoor contained in the “Microsoft.db” file. The backdoor contacts two domain names, “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, both resolving to the same IP address, 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTAT beaconing requests

Once executed, the POWERSTATS malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind of request performed by the malicious implant. During the analysis the following values were observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identifies the victim machine. It is calculated from local system information, unlike the sample analyzed by TrendMicro, which uses only the hard drive serial number. This identifier is also used to name a file in the “C:\ProgramData\” folder that stores temporary information.
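The “type”/“id” parameter pair and the two C2 domains described above are enough to build a simple beacon detector for web proxy logs. The script below is an added example, not code from the analysis: it parses constructed proxy log lines (timestamp, source host, method, URL; this layout is the example’s own assumption), flags requests to the reported C2 hosts, and flags any request whose query string carries an observed “type” value together with an “id”. It also checks the verb against the usage listed above (“cmd” on both GET and POST, the other three on POST only).

```python
"""Flag POWERSTATS-style beaconing in web proxy logs.

Added example, not code from the Yoroi/Cybaze analysis. It scores HTTP
requests on the traits described above: a "type" parameter taking one of the
four observed values together with an "id" parameter, and the reported C2
domains and IP address. The log lines are constructed in a simplified proxy
format (timestamp, source host, method, URL); that layout and the verb rule
are this example's assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

OBSERVED_TYPES = {"info", "live", "cmd", "res"}
# The analysis defangs these as amphira[.com / amorenvena[.com; written plainly
# here so they can be compared with the hostname urlsplit() returns.
KNOWN_C2 = {"amphira.com", "amorenvena.com", "139.162.245.200"}


def parse_line(line: str) -> dict:
    """Split one constructed proxy log line into its fields."""
    ts, src, method, url = line.split(maxsplit=3)
    parts = urlsplit(url.strip())
    return {
        "ts": ts, "src": src, "method": method,
        "host": parts.hostname or "",
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def score_request(req: dict) -> list[str]:
    """Return the reasons a request looks like POWERSTATS traffic (empty = clean)."""
    reasons = []
    if req["host"] in KNOWN_C2:
        reasons.append("known C2 host")
    t = req["query"].get("type")
    if t in OBSERVED_TYPES and "id" in req["query"]:
        reasons.append(f"POWERSTATS protocol (type={t})")
        # "cmd" was observed on both verbs; info/live/res only on POST.
        if t != "cmd" and req["method"] != "POST":
            reasons.append(f"unexpected verb {req['method']} for type={t}")
    return reasons


def detect(lines) -> dict[str, list]:
    """Group suspicious requests by source host: {src: [(ts, host, reasons), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        reasons = score_request(req)
        if reasons:
            hits[req["src"]].append((req["ts"], req["host"], reasons))
    return dict(hits)


# Constructed log lines; the victim id is a placeholder, not a real value.
SAMPLE_LOG = """\
2018-11-28T10:00:01 ws-042 POST http://amphira.com/?type=info&id=PLACEHOLDER-VICTIM-ID
2018-11-28T10:00:31 ws-042 POST http://amphira.com/?type=live&id=PLACEHOLDER-VICTIM-ID
2018-11-28T10:01:01 ws-042 GET https://amorenvena.com/?type=cmd&id=PLACEHOLDER-VICTIM-ID
2018-11-28T10:01:05 ws-042 POST https://amorenvena.com/?type=res&id=PLACEHOLDER-VICTIM-ID
2018-11-28T10:01:40 ws-042 GET http://139.162.245.200/?type=live&id=PLACEHOLDER-VICTIM-ID
2018-11-28T10:01:09 ws-017 GET https://www.example.org/search?type=cmd
2018-11-28T10:02:00 ws-017 GET https://www.example.org/news?id=42
"""

if __name__ == "__main__":
    for src, events in detect(SAMPLE_LOG.splitlines()).items():
        for ts, host, reasons in events:
            print(src, ts, host, "; ".join(reasons))
```

The protocol rule is the more durable of the two signals: domains and IP addresses rotate between campaigns, whereas the “type”/“id” scheme is part of the implant itself. The two benign requests from ws-017 show why both parameters are required: a lone “type=cmd” or a lone “id” is far too common in ordinary web traffic to act on.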

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor and identify the commands supported by the malicious implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64 PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\ProgramData\LSASS” containing a PowerShell script and runs it.

Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities rely on simple and well-known techniques, such as redundant registry keys under the “Microsoft\Windows\CurrentVersion\Run” location:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware
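Both persistence mechanisms described above leave artifacts that a host audit can enumerate: redundant Run-key values and a scheduled task with a vendor-looking name (“MicrosoftEdge”) whose action is a script. The following audit is an added example, not code from the analysis. It parses text in the shape produced by `reg query <key>` and a reduced column subset of `schtasks /query /fo CSV /v` (both real commands; only the four columns used here are included), and flags entries that launch a script host, run from “C:\ProgramData” or “C:\Windows\Temp”, carry an encoded PowerShell argument, repeat the same command across Run locations, or pair a Microsoft-style name with a scripted action. The task name and the 12:00 daily trigger come from the analysis; every command line, path and registry value below is constructed.

```python
"""Audit Run keys and scheduled tasks for the persistence traits described above.

Added example, not code from the Yoroi/Cybaze analysis. Input is constructed
text in the shape of `reg query <key>` output and of a reduced column subset of
`schtasks /query /fo CSV /v` (TaskName, Task To Run, Schedule Type, Start Time).
The task name "MicrosoftEdge" and the 12:00 daily trigger come from the
analysis; all command lines, paths and registry values are constructed.
"""
import csv
import io
import re

SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)
STAGING_DIRS = re.compile(r"C:\\(ProgramData|Windows\\Temp)\\", re.I)
ENCODED_ARG = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
REG_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# A top-level task whose name imitates a vendor ("\MicrosoftEdge") is a common
# disguise; real vendor tasks normally sit in a folder such as \Microsoft\Windows\...
VENDOR_LOOKALIKE = re.compile(r"^\\?(Microsoft|Windows|Google|Adobe)\w*$", re.I)


def parse_reg_query(text: str):
    """Yield (key, value_name, data) for every value in `reg query` style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = REG_VALUE.match(line)
            if m and key:
                yield key, m.group(1), m.group(3).strip()


def command_findings(cmd: str) -> list[str]:
    """Findings that apply to a single command line, independent of where it is stored."""
    out = []
    if SCRIPT_HOSTS.search(cmd):
        out.append("script host")
    if STAGING_DIRS.search(cmd):
        out.append("runs from staging directory")
    if ENCODED_ARG.search(cmd):
        out.append("encoded argument")
    return out


def audit_run_keys(reg_text: str) -> list[dict]:
    """Flag suspicious Run values, including the same command repeated across hives."""
    entries = list(parse_reg_query(reg_text))
    seen = {}
    for _, _, data in entries:
        seen[data] = seen.get(data, 0) + 1
    results = []
    for key, name, data in entries:
        reasons = command_findings(data)
        if seen[data] > 1:
            reasons.append("same command in multiple Run locations")
        if reasons:
            results.append({"where": f"{key}\\{name}", "command": data, "reasons": reasons})
    return results


def audit_tasks(csv_text: str) -> list[dict]:
    """Flag scheduled tasks whose action is scripted, noting vendor-lookalike names."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = command_findings(row["Task To Run"])
        if reasons and VENDOR_LOOKALIKE.match(row["TaskName"]):
            reasons.append("vendor-lookalike name with scripted action")
        if reasons:
            results.append({"where": row["TaskName"], "command": row["Task To Run"],
                            "schedule": f'{row["Schedule Type"]} {row["Start Time"]}',
                            "reasons": reasons})
    return results


# Constructed `reg query` output: one benign value per hive plus the same
# encoded PowerShell launcher planted in both HKCU and HKLM.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows     REG_SZ    powershell.exe -w hidden -nop -e QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Windows           REG_SZ    powershell.exe -w hidden -nop -e QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
"""

# Constructed task export (reduced column subset of `schtasks /query /fo CSV /v`).
SAMPLE_TASKS = r'''"TaskName","Task To Run","Schedule Type","Start Time"
"\MicrosoftEdge","powershell.exe -w hidden -ep bypass -f C:\ProgramData\LSASS\update.ps1","Daily","12:00:00"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","Weekly","01:00:00"
"\OneDrive Standalone Update Task","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","13:34:44"
'''

if __name__ == "__main__":
    for r in audit_run_keys(SAMPLE_REG) + audit_tasks(SAMPLE_TASKS):
        print(r["where"], "->", "; ".join(r["reasons"]))
```

The redundancy check is the part most specific to this campaign: a single encoded launcher in one Run key is noisy enough, but the same command string present in both HKCU and HKLM is rarely something an administrator or installer does on purpose.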

Conclusion

This latest campaign of the Iranian APT group “MuddyWater” is a clear example of how hacking groups can leverage built-in system tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also rely on macro-embedded documents as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially when carefully prepared and contextualized to lure specific victims.

Figure 13. MuddyWater’s infection chain

Technical details, including indicators of compromise and Yara rules, are reported in the analysis published on the Yoroi blog: https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/


Pierluigi Paganini

(Security Affairs – MuddyWater, APT)
