Malware researchers at Trend Micro have discovered a PowerShell-based backdoor that is very similar to malware used by MuddyWater.
The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.
used a PowerShell-based first-stage backdoor named POWERSTATS; over time the hackers changed tools and techniques.
In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (another name used by experts to track MuddyWater), targeting the Asia and Middle East regions from January 2018 to March 2018.
In the latest attacks detected by Trend Micro, the threat actors used TTPs compatible with MuddyWater, and the malicious code was uploaded to VirusTotal from Turkey. The attackers used decoy documents that would drop a new PowerShell backdoor that is similar to
documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish), all of which were uploaded to Virus Total from Turkey,” states Trend Micro.
analysis revealed that they drop a new backdoor, which is written in PowerShell known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”
The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.
The weaponised documents contain images showing blurry logos belonging to some Turkish government organisations; these lure victims into enabling macros in order to display the document properly.
The macros contain strings encoded in base52, an uncommon technique that MuddyWater has used in past attacks. Once enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.
The PowerShell code has several layers of obfuscation. The backdoor first collects system information and concatenates the various pieces (OS name, domain name, user name, IP address) into one long string.
For communication, the malware uses files named <md5(hard disk serial number)> with various extensions associated with the purpose of the file:
- .cmd – text file with a command
- .reg – system info as generated by myinfo() function, see screenshot above
- .prc – output of the executed .cmd file, stored on local machine only
- .res – output of the executed .cmd file, stored on cloud storage
the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command,” the experts continue.
malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”
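The naming convention above gives defenders something concrete to hunt for: a shared cloud folder or a %temp% directory full of <md5(disk serial)>.cmd/.reg/.prc/.res files. The following Python triage helper is an added example, not Trend Micro's code or anything from the sample; it assumes the serial is hashed as a raw UTF-8 string (the report does not say how the sample normalises it), and all filenames and the serial below are constructed, not real indicators.

```python
import hashlib
import re
from collections import defaultdict

# <md5(disk serial)>.<ext>, the naming the report attributes to the C&C files.
NAME_RE = re.compile(r"^(?P<digest>[0-9a-f]{32})\.(?P<ext>cmd|reg|prc|res)$", re.IGNORECASE)


def expected_basename(disk_serial: str) -> str:
    """MD5 hex digest of the disk serial. Assumption: the raw UTF-8 string is
    hashed; the report does not say how the sample normalises the serial."""
    return hashlib.md5(disk_serial.encode("utf-8")).hexdigest()


def group_candidates(filenames):
    """Map each 32-hex basename to the set of C&C extensions seen with it."""
    groups = defaultdict(set)
    for name in filenames:
        m = NAME_RE.match(name.strip())
        if m:
            groups[m.group("digest").lower()].add(m.group("ext").lower())
    return dict(groups)


def hunt(filenames, known_serials=()):
    """Flag basenames matching a known host's serial, or seen with two or more
    of the four extensions (a .cmd/.res pair is the channel's expected shape)."""
    by_digest = {expected_basename(s): s for s in known_serials}
    findings = []
    for digest, exts in group_candidates(filenames).items():
        serial = by_digest.get(digest)
        if serial is not None or len(exts) >= 2:
            findings.append({"digest": digest, "extensions": sorted(exts),
                             "host_serial": serial})
    return sorted(findings, key=lambda f: f["digest"])


# Constructed sample: one host serial and a listing of the shared cloud folder
# (or of %temp%). None of these values are real indicators.
HOST_SERIAL = "WD-CONSTRUCTED-SERIAL-0001"
_d = expected_basename(HOST_SERIAL)
SAMPLE_LISTING = [
    f"{_d}.cmd", f"{_d}.res",                       # operator command and result
    "0123456789abcdef0123456789abcdef.reg",         # unknown host: info + command
    "0123456789abcdef0123456789abcdef.cmd",
    "d41d8cd98f00b204e9800998ecf8427e.prc",         # lone .prc, below threshold
    "Gizli Raport.doc", "setup.reg", "notes.cmd",   # ordinary names, ignored
]
```

Feeding `hunt()` the serials of your own fleet turns the check from a pattern heuristic into a direct match for each host, which is where a lone .prc or .reg file would otherwise slip below the two-extension threshold.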
The malware supports various commands including file upload, persistence removal, exit, file download, and
Experts concluded that the attacks were aimed at Turkish government organisations related to the finance and energy sectors, which were also hit by MuddyWater in the past.
yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities,” concludes Trend
group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.