New Malware Strain Spreads Through Documents

MuddyWater malware is believed to be
once again targeting organizations across the world.  This malware was first reported when it
targeted the Saudi government back in 2017 and
was reported to have also targeted other organizations in the US,
Turkey, and other Middle Eastern countries.

Although it is unclear who is behind these attacks,
there is some attribution information that links these attacks with the FIN7
threat group that has been known to be a financially motivated. MuddyWater
itself is document-based malware, which is often spread by phishing campaigns
specifically targeting unaware users.


The malware leverages Microsoft Office documents to deliver macro-enabled
code execution after tricking unaware users into opening the file. The
infection chain starts with the attackers enticing a victim to open a Microsoft
Office file with macros enabled. Once this happens, an initial VBScript is
automatically executed which then executes other PowerShell scripts.


Once the PowerShell scripts execute, a backdoor
payload runs on the victim machine, which automatically calls home and waits
for commands from the attackers. Interestingly, the most noteworthy
enhancements between the malware strains look to be in the obfuscation
techniques. The malware starts with a VBScript that uses character substitution
to initially hide its direct intentions when manipulating images shown in the
document body, then performs the initial PowerShell script execution. The
initial PowerShell  Script “invoker.ps1”, then calls other data within
the document and performs a cryptographic decoding to build other PowerShell
scripts that then have the ability to execute the actual payload

“PRB-Backdoor” within the file. Once PRB-Backdoor is
executed it attempts to communicate with its Command- and-Control server,
hxxp://outl00k[.]net to send and receive commands. According to malware
researchers there have been over ten possible specific types of commands and
functionality discovered between the malware and the attackers over the Command-and-Control channel. Some of the more
interesting capabilities are gathering system information, file interaction,
key- loggers, and stealing passwords.

Although this malware is not overly sophisticated,
it does present us a good opportunity
to learn more about the tools, techniques, and tactics of our adversaries. To
combat such types of attacks, users should be cognizant of suspicious emails
and cautious of file attachments Additionally, there exists others tools that
can help defend an organization’s infrastructure from these types of attacks
including hosted email security, deep packet inspection by network perimeter
devices, and customized end point protection.