MuddyWater APT group updated its multi-stage PowerShell backdoor Powerstats

Pierluigi Paganini June 11, 2019

The MuddyWater cyber espionage group has used an updated multi-stage PowerShell backdoor in recent cyber attacks.

Security experts at Trend Micro report that the MuddyWater APT group (aka SeedWorm and TEMP.Zagros), has used an updated multi-stage PowerShell backdoor in recent cyber espionage campaigns.

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

The threat actors continue to evolve their TTPs, a few weeks ago Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group and highlighted the usage of new anti-detection techniques.

Now, according to Trend Micro, the APT group has updated its multi-stage PowerStats backdoor, the experts already observed a new variant in spear-phishing attacks aimed at a university in Jordan and the Turkish government.

“One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.” reads the analysis published by Trend Micro.

“Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3.”

MuddyWater hackers used some compromised legitimate accounts to send out spear-phishing message containing a document embedded with a malicious macro.

MuddyWater email

The macro was used to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

The block of data will be decoded and saved to the %PUBLIC% directory with various names and image file extensions such as .jpeg and .png. The attackers’ PowerShell code implements a custom string obfuscation and junk stubs of code to make it difficult to analyze.

Once all the strings are deobfuscated, a final backdoor code is revealed. The malicious code backdoor first gathers operating system (OS) information and save the result to a log file that is sent back to the C&C server.

“Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server.” continues the analysis. “If such a file is found, it will be downloaded and executed using the Powershell.exeprocess.”

The hackers can launch a second state attack by sending specific commands to the backdoor. The malicious code is also able to install and execute other payloads, including another backdoor analyzed by Trend Micro that supports several commands such as taking screenshots, and executing commands via the cmd.exe binary.

The backdoor is also able to execute PowerShell code via the “Invoke-Expression” cmdlet.

The hackers connect to the C2 with PHP scripts that have a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Trend Micro observed an evolution of the malicious code used by the MuddyWater group, in March and April, the hackers were using the heavily obfuscated POWERSTATS v2, but in May they deployed the new/ POWERSTATS v3 in May. 

The following table reports some of the campaigns observed by Trend Micro in H1 2019 with associated payloads and publicly available post-exploitation tools:


Discovery Date Method for dropping malicious codeType of files droppedFinal payload
2019-03MacrosBase64 encoded, BATPOWERSTATS v2
2019-04Template injectionDocument with macrosPOWERSTATS v1 or v2
2019-05MacrosVBEPOWERSTATS v3

It is interesting to note that the MuddyWater attackers are not using zero-days exploits in their campaigns, anyway the threat actors continue to evolve their TTPs to avoid the detection.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – MuddyWater, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment