By Daniel Lunghi and Jaromir Horejsi
We found new campaigns that appear to wear the badge of MuddyWater. Analysis of these campaigns revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. We also unearthed and detailed our other findings on MuddyWater, such as its connection to four Android malware variants and its use of false flag techniques, among others, in our report “New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, False Flags, Android Malware, and More.”
One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.
Figure 1. Screenshot of a spear-phishing email spoofing a government office, dated April 8, 2019.
Figure 2. Email headers showing the origin of the spear-phishing email
Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3 (detected by Trend Micro as Trojan.PS1.POWERSTATS.C). The spear-phishing email that contains a document embedded with a malicious macro drops a VBE file encoded with Microsoft Script Encoder. The VBE file, which holds a base64-encoded block of data containing obfuscated PowerShell script, will then execute. This block of data will be decoded and saved to the %PUBLIC% directory under various names ending with image file extensions such as .jpeg and .png. The PowerShell code will then use custom string obfuscation and useless code blocks to make it difficult to analyze.
Figure 3. Code snippet of obfuscated and useless code
The final backdoor code is revealed after the deobfuscation of all strings and removal of all unnecessary code. But first, the backdoor will acquire the operating system (OS) information and save the result to a log file.
Figure 4. Code snippet of OS information collection
This file will be uploaded to the command and control (C&C) server. Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process.
A second stage attack can be launched by commands sent to a specific victim in an asynchronous way, e.g., another backdoor payload can be downloaded and installed to targets that they are interested in.
Figure 5. The code in POWERSTATS v3 which downloads the second attack stage
We were able to analyze a case where the group launched a second stage attack. The group was able to download another backdoor, which is supported by the following commands:
- Take screenshots
- Command execution via the cmd.exe binary
- If there’s no keyword, the malware variant assumes that the input is PowerShell code and executes it via the “Invoke-Expression” cmdlet
Figure 6. The code in POWERSTATS v3 (second stage) that handles the screenshot command
The C&C communication is done using PHP scripts with a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).
Figure 7. In an endless loop, the malware variant queries a given path on the C&C server, trying to download a GUID-named file with commands to execute.
Other MuddyWater campaigns in the first half of 2019
The MuddyWater threat actor group has been actively targeting victims with a variety of tricks, and they seem to keep on adding more as they move forward with new campaigns. The campaign that used POWERSTATS v3 is not the only one we found with new tricks. We observed other campaigns that changed their delivery methods and dropped file types. Notably, these campaigns have also changed payloads and publicly available post-exploitation tools.
|Discovery Date||Method for dropping malicious code||Type of files dropped||Final payload|
|2019-03||Macros||Base64 encoded, BAT||POWERSTATS v2|
|2019-04||Template injection||Document with macros||POWERSTATS v1 or v2|
Table 1. MuddyWater’s delivery methods and payloads in 2019 1H
In January 2019, we discovered that the campaign started using SHARPSTATS (Trojan.Win32.SHARPSTATS.A), a .NET-written backdoor that supports DOWNLOAD, UPLOAD, and RUN functions. In the same month, DELPHSTATS (Trojan.Win32.DELPSTATS.A), a backdoor written in the Delphi programming language, emerged. DELPHSTATS queries the C&C server for a .dat file before executing it via the Powershell.exe process. Like SHARPSTATS, DELPHSTATS employs custom PowerShell script with code similarities to the one embedded into the former.
Figure 8. SHARPSTATS can be used to collect system information by dropping and executing a PowerShell script.
Figure 9. The code in DELPHSTATS that queries a certain directory on the C&C server. It’s where operators upload additional payload.
We came across the heavily obfuscated POWERSTATS v2 (Trojan.PS1.POWERSTATS.B) in March 2019. An earlier version of this backdoor decodes the initial encoded/compressed blocks of code, while an improved version appeared later on. The latter heavily uses format strings and redundant backtick characters. The function names in the earlier version were still somehow readable, but they were completely randomized in later versions.
Figure 10. Obfuscated POWERSTATS v2
After deobfuscation, the main backdoor loop queries different URLs for a “Hello server” message to obtain command and upload the result of the run command to the C&C server.
Figure 11. Deobfuscated main loop of POWERSTATS v2
Use of different post-exploitation tools
We also observed MuddyWater’s use of multiple open source post-exploitation tools, which they deployed after successfully compromising a target.
|Name of the Post-Exploitation Tool||Programming language/Interpreter|
|Meterpreter||Reflective loader, executable file|
Table 2. Tools used by MuddyWater campaigns over the years.
One campaign stands out for its use of the LaZagne credential dumper, which was patched to drop and run POWERSTATS in the main function.
Figure 12. LaZagne has been patched to drop and run POWERSTATS in the main function. See added intimoddumpers() function. Note the typo in the function name – its INTI, not INIT.
Conclusion and security recommendations
While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes.
Notably, the group’s use of email as an infection vector seems to yield success for their campaigns. In this regard, apart from using smart email security solutions, organizations should inform their employees of ways to stay safe from email threats.
Organizations can also take advantage of Trend Micro™ Deep Discovery™, a solution that provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern updates.
View our full report to learn more about the other MuddyWater details we discovered.
Updated the blog and technical brief on June 26, 2019 to add detection names and retract information about a malicious document initially attributed to MuddyWater.