A recently discovered campaign shows that the cyber-espionage group MuddyWater has updated its tactics, techniques and procedures (TTPs) to evade detection, Talos’ security researchers report.
MuddyWater was first detailed in 2017 and has been highly active throughout 2018. The cyber-spies have been focused mainly on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and nearby regions (Azerbaijan, Pakistan and Afghanistan).
The recently observed campaign, which Talos calls BlackWater, aims to install a PowerShell-based backdoor onto the victim’s machine, for remote access. Analyzed samples show that, while the actor made changes to bypass security controls, the underlying code was unchanged.
Observed modifications include the use of an obfuscated VBA script to establish persistence as a registry key and trigger a PowerShell stager. The stager would connect to the attacker’s server to obtain a component of the open-source FruityC2 agent script to further enumerate the host machine.
The gathered data is then sent to a different command and control (C&C) server, in the URL field, in another attempt to make host-based detection more difficult. Moreover, recent samples show that the actor aimed to replace some variable strings, likely in an attempt to avoid signature-based detection.
MuddyWater-associated samples observed in the February – March timeframe revealed that, after achieving persistence, the actor used PowerShell commands for reconnaissance. The samples also contained the IP address of the C&C server.
These components were found in a Trojanized attachment sent to the victim, which allowed security researchers to analyze the attacks easily by obtaining a copy of the document.
Activity observed in April, however, “would require a multi-step investigative approach,” Talos noted. A malicious document used last month and believed to be associated with MuddyWater contained a password-protected and obfuscated macro titled "BlackWater.bas".
The macro contains a PowerShell script to persist in the "Run" registry key and to call the file “SysTextEnc.ini” every 300 seconds. The clear text version of the file, the security researchers say, appears to be a lightweight stager.
The stager would connect to a C&C server at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt, Talos says, closely resembles a PowerShell agent previously used by the group. It only shows small changes, likely made to avoid detection.
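The persistence mechanism described above (a Run-key value that launches PowerShell, reads a non-executable file such as SysTextEnc.ini, and executes it on a sleep loop) is the kind of behaviour a defender can audit for without relying on the exact strings the actor keeps renaming. The following Python script is an added example, not code from the Talos report or from the actor; it scans a constructed set of Run-key values (the kind a host inventory would pull with `reg query`) and flags entries that combine a PowerShell launch with traits such as hidden windows, policy bypass, encoded commands, reading a non-executable file into the interpreter, or a polling loop. The sample values and the `WinUpdate`/`Backup` names are made up for the example; only the SysTextEnc.ini file name comes from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of HKCU\...\CurrentVersion\Run values, as a defender would
# collect them with `reg query` or a registry export. These are not real
# indicators; only the SysTextEnc.ini file name is taken from the article.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "WinUpdate": (r'powershell.exe -w hidden -ep bypass -c "while($true){'
                  r'IEX (Get-Content C:\Users\Public\SysTextEnc.ini -Raw);'
                  r'Start-Sleep -s 300}"'),
    "Backup": r'powershell -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
}


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


# Each rule is (label, compiled regex). They describe behaviours of the stager
# rather than hashes or IPs, so they survive the variable renaming the actor
# used to dodge signature-based detection.
RULES = [
    ("invokes powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden window / policy bypass",
     re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass)", re.I)),
    ("encoded command", re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("reads non-executable file into the interpreter",
     re.compile(r"Get-Content\s+\S+\.(ini|txt|dat|log)\b", re.I)),
    ("Invoke-Expression of fetched content", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("polling loop with sleep", re.compile(r"while\s*\(.*\).*Start-Sleep", re.I | re.S)),
]


def audit_run_values(values: dict) -> list:
    """Return a Finding for every Run value that launches PowerShell with at
    least one additional suspicious trait."""
    findings = []
    for name, command in values.items():
        reasons = [label for label, rx in RULES if rx.search(command)]
        # A bare powershell invocation is common in legitimate software, so
        # only report when it is combined with another suspicious trait.
        if "invokes powershell" in reasons and len(reasons) >= 2:
            findings.append(Finding(name, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"[!] Run value '{f.name}': " + "; ".join(f.reasons))
```

On the constructed sample the script reports `WinUpdate` (hidden window, file read, IEX and a sleep loop) and `Backup` (hidden window plus an encoded command) and stays silent on the two ordinary autostart entries. In practice the same rules are worth applying to the HKLM Run key and to scheduled task actions, since the article only tells us the Run key was used in this campaign.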
PowerShell commands derived from FruityC2 were then used to call Windows Management Instrumentation (WMI) and gather system information such as operating system name, OS architecture, operating system’s caption, domain and username, and the machine’s public IP address.
The only command that did not call WMI would attempt to obtain the security system’s MD5 hash, which was likely used to uniquely identify the machine in case multiple workstations were compromised within the same network.
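The reconnaissance step above (WMI queries for OS and host details, domain and username, a public IP lookup, and an MD5 value used as a host identifier) leaves a recognisable footprint in PowerShell script block logging (Event ID 4104) regardless of what the variables are called. The following Python script is an added example written for this article, not code from Talos or from the campaign; it triages a constructed set of script block texts and flags any block that touches at least three of the four recon categories the article lists. The sample blocks, the `block-N` identifiers and the `ip.example.invalid` host are all made up for the example.

```python
import re
from collections import OrderedDict

# Constructed script block log entries (the script text of Event ID 4104 from
# Microsoft-Windows-PowerShell/Operational). None of this is the actor's code:
# block-1 is a routine admin query, block-2 is an inventory snippet written to
# exhibit the traits the article describes, block-3 is an unrelated log search.
SAMPLE_SCRIPT_BLOCKS = [
    ("block-1", "Get-WmiObject Win32_OperatingSystem | Select-Object Caption, OSArchitecture"),
    ("block-2",
     "$os = Get-WmiObject Win32_OperatingSystem; $cs = Get-WmiObject Win32_ComputerSystem; "
     "$id = $os.Caption + '|' + $os.OSArchitecture + '|' + $cs.Domain + '|' + $env:USERNAME; "
     "$ip = (New-Object Net.WebClient).DownloadString('http://ip.example.invalid/'); "
     "$md5 = [System.Security.Cryptography.MD5]::Create(); "
     "$h = [BitConverter]::ToString($md5.ComputeHash([Text.Encoding]::UTF8.GetBytes($id)))"),
    ("block-3", "Get-Content C:\\logs\\app.log | Select-String -Pattern 'error'"),
]

# One regex per recon category from the article. Matching on the WMI classes
# and APIs a script must touch, rather than on literal strings, is what makes
# the rule robust to the variable renaming the actor used.
RECON_CATEGORIES = OrderedDict([
    ("wmi os/host query",
     re.compile(r"(Get-WmiObject|gwmi|Get-CimInstance)\s+(-Class\s+)?Win32_(OperatingSystem|ComputerSystem)", re.I)),
    ("domain/user identity",
     re.compile(r"\.Domain\b|\$env:(USERNAME|USERDOMAIN)|\bwhoami\b", re.I)),
    ("public ip lookup",
     re.compile(r"(DownloadString|Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b.*https?://", re.I)),
    ("md5 host fingerprint", re.compile(r"\bMD5\b", re.I)),
])


def triage_script_blocks(blocks, threshold=3):
    """Return (block_id, matched_categories) for every block that hits at
    least `threshold` recon categories. A single category on its own is
    normal admin activity; the combination is what stands out."""
    hits = []
    for block_id, text in blocks:
        matched = [cat for cat, rx in RECON_CATEGORIES.items() if rx.search(text)]
        if len(matched) >= threshold:
            hits.append((block_id, matched))
    return hits


if __name__ == "__main__":
    for block_id, cats in triage_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[!] {block_id}: " + ", ".join(cats))
```

With the default threshold only `block-2` is reported, with all four categories matched; the lone `Get-WmiObject Win32_OperatingSystem` in `block-1` is not, which keeps ordinary inventory scripts out of the alert queue. Script block logging has to be enabled for this to work at all, which is the first thing to check on hosts in the sectors the article names.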
“Despite last month's report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater's history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group,” Talos concludes.