The cyber-espionage group known as MuddyWater has used an updated multi-stage PowerShell backdoor in recent campaigns, Trend Micro’s security researchers report.
First detailed in 2017, the threat actor has been highly active during the last several months of 2018, when it reportedly hit over 130 victims in 30 organizations.
Following Kaspersky’s recent analysis of MuddyWater post-infection tools, Trend Micro now says that the cyber-spies have updated their PowerStats backdoor, and that the new variant has already been observed in a spear-phishing campaign targeting a university in Jordan and the Turkish government.
The emails, sent from compromised legitimate accounts to trick victims into installing malware, contained a document embedded with a malicious macro that drops a VBE file; that file holds a block of data containing an obfuscated PowerShell script.
“This block of data will be decoded and saved to the %PUBLIC% directory under various names ending with image file extensions such as .jpeg and .png. The PowerShell code will then use custom string obfuscation and useless code blocks to make it difficult to analyze,” Trend Micro reveals.
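The staging trick quoted above (script text saved under an image extension in %PUBLIC%) gives a defender a simple file-level check. The following is an added example, not code from Trend Micro or from the report: it flags image-named files whose leading bytes do not match their extension and whose content is plain text, run here over constructed sample files; the %PUBLIC% lookup and the ASCII-only assumption are mine.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes a genuine file of each type carries; a PowerShell script saved
# under one of these extensions will not start with them.
IMAGE_MAGIC = {
    ".jpeg": b"\xff\xd8\xff",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Bytes that make up an ASCII-encoded script: printable characters plus tab/CR/LF.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def is_masqueraded_script(path: Path) -> bool:
    """True when an image-named file lacks the image's magic bytes and its head
    is plain ASCII text, which is what a dropped script looks like."""
    magic = IMAGE_MAGIC.get(path.suffix.lower())
    if magic is None:
        return False  # not an image extension, out of scope for this check
    head = path.read_bytes()[:512]
    if head.startswith(magic):
        return False  # content matches the extension
    # Assumption: the script is ASCII-encoded; a UTF-16 script would need a
    # separate check for interleaved NUL bytes.
    return len(head) > 0 and all(b in TEXT_BYTES for b in head)


def scan_directory(directory: Path) -> list:
    """Return the names of masquerading files in one directory (not recursive)."""
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and is_masqueraded_script(p))


def build_sample_dir() -> Path:
    """Constructed sample data: a real PNG header, a script named like a JPEG,
    and an unrelated text file, written to a fresh temporary directory."""
    d = Path(tempfile.mkdtemp())
    (d / "real.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    (d / "decoy.jpeg").write_bytes(b"$s = 'constructed sample'; Invoke-Expression $s\r\n")
    (d / "notes.txt").write_bytes(b"plain text with an ordinary extension\n")
    return d


if __name__ == "__main__":
    # On Windows scan %PUBLIC% (the directory named in the report); elsewhere
    # fall back to the constructed sample so the script runs anywhere.
    target = Path(os.environ["PUBLIC"]) if "PUBLIC" in os.environ else build_sample_dir()
    for name in scan_directory(target):
        print(f"suspicious image-named text file: {target / name}")
```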
The backdoor, which is obtained after the deobfuscation of all strings, gathers operating system (OS) information and saves it to a log file that is then uploaded to the command and control (C&C) server. The malware generates a random GUID number for each infected system and uses it for identification.
“Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process,” the security researchers explain.
The attackers can use the malware to send commands to the victim systems and launch second stage attacks, such as downloading and installing another payload.
In one case, the actor served a second backdoor to the system, with support for commands to take screenshots, execute commands via cmd.exe, and execute PowerShell code via the “Invoke-Expression” cmdlet (if no keyword is received).
For C&C communication, the hackers use PHP scripts with a hardcoded token and a set of backend functions, including sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).
Campaigns MuddyWater has launched since the beginning of this year show changes in the group's tactics, such as the adoption of new delivery methods and new dropped file types. The payloads and the publicly available post-exploitation tools have been updated as well.
Trend Micro observed the attackers dropping the .NET backdoor SHARPSTATS in January, only to switch to the Delphi-based DELPHSTATS the same month. In March and April, the actor was using the heavily obfuscated POWERSTATS v2, only to switch to POWERSTATS v3 in May.
Additionally, the threat actor employed multiple open source post-exploitation tools, including CrackMapExec, ChromeCookiesView, chrome-passwords, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MZCookiesView, PowerSploit, Shootback, and Smbmap.
In the campaign that delivered the EmpireProject stager, the attackers leveraged template injection and abused the CVE-2017-11882 vulnerability, the security researchers reveal. As part of the campaign delivering the LaZagne credential dumper, the attackers patched the malware to drop and run POWERSTATS in the main function.
“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes.