Although it is unclear who is behind these attacks, some attribution information links them to the FIN7 threat group, which is known to be financially motivated. MuddyWater itself is document-based malware that is often spread by phishing campaigns specifically targeting unaware users.
Once the PowerShell scripts execute, a backdoor payload runs on the victim machine, automatically calls home, and waits for commands from the attackers. Interestingly, the most noteworthy enhancements between the malware strains appear to be in the obfuscation techniques. The malware starts with a VBScript that uses character substitution to initially hide its intentions when manipulating images shown in the document body, then performs the initial PowerShell script execution. The initial PowerShell script, “invoker.ps1”, then calls other data within the document and performs a cryptographic decoding to build other PowerShell scripts, which can then execute the actual payload, “PRB-Backdoor”, within the file. Once PRB-Backdoor is executed, it attempts to communicate with its Command-and-Control server, hxxp://outl00k[.]net, to send and receive commands. According to malware researchers, over ten possible specific types of commands and functionality have been discovered between the malware and the attackers over the Command-and-Control channel. Some of the more interesting capabilities are gathering system information, file interaction, keyloggers, and stealing passwords.
Although this malware is not overly sophisticated, it presents us with a good opportunity to learn more about the tools, techniques, and tactics of our adversaries. To combat these types of attacks, users should be cognizant of suspicious emails and cautious of file attachments. Additionally, there are other tools that can help defend an organization's infrastructure from these types of attacks, including hosted email security, deep packet inspection by network perimeter devices, and customized endpoint protection.
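The chain described above (a document launching PowerShell, the first-stage script name invoker.ps1, and the C2 domain outl00k[.]net) can be turned into a simple hunt over endpoint and DNS telemetry. The Python below is an added example, not code from the article or its sources; the event field names, the set of Office parent processes and the sample events are constructed assumptions.

```python
import re

# Indicators taken from the article text (C2 kept in its published defanged form).
C2_DEFANGED = "hxxp://outl00k[.]net"
FIRST_STAGE = "invoker.ps1"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed document hosts

def refang_host(indicator):
    """Turn a defanged URL such as hxxp://outl00k[.]net into a bare hostname."""
    s = indicator.lower().replace("[.]", ".").replace("hxxp", "http", 1)
    return re.sub(r"^[a-z]+://", "", s).split("/")[0].split(":")[0]

def host_matches(host, c2):
    """Exact or subdomain match only, so look-alike names do not fire."""
    host = host.lower().rstrip(".")
    return host == c2 or host.endswith("." + c2)

def hunt(events):
    """Return (index, reason) for every event matching the described chain."""
    c2, hits = refang_host(C2_DEFANGED), []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            parent = ev["parent"].lower().rsplit("\\", 1)[-1]
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if image == "powershell.exe" and parent in OFFICE_PARENTS:
                hits.append((i, "office-spawned-powershell"))
            if FIRST_STAGE in ev["cmdline"].lower():
                hits.append((i, "first-stage-script-name"))
        elif ev["type"] == "dns" and host_matches(ev["query"], c2):
            hits.append((i, "c2-domain"))
    return hits

# Constructed sample events; field names are hypothetical, not a real log schema.
SAMPLE = [
    {"type": "process", "parent": r"C:\Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\powershell.exe", "cmdline": "powershell.exe -NoProfile"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\powershell.exe", "cmdline": r"powershell -File C:\Temp\invoker.ps1"},
    {"type": "dns", "query": "outl00k.net."},
    {"type": "dns", "query": "mail.outl00k.net"},
    {"type": "dns", "query": "notoutl00k.net"},           # look-alike, must not match
    {"type": "dns", "query": "outl00k.net.example.org"},  # suffix trick, must not match
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE):
        print(idx, reason)
```

The domain check compares on label boundaries, so a substring search that would flag the last two sample queries is avoided.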
Sources
· https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/