Security Experts:

Connect with us

Hi, what are you looking for?



“MuddyWater” Cyberspies Update PowerShell Backdoor

The cyber-espionage group known as MuddyWater has used an updated multi-stage PowerShell backdoor in recent campaigns, Trend Micro’s security researchers report.

The cyber-espionage group known as MuddyWater has used an updated multi-stage PowerShell backdoor in recent campaigns, Trend Micro’s security researchers report.

First detailed in 2017, the threat actor has been highly active during the last several months of 2018, when it reportedly hit over 130 victims in 30 organizations. 

Over the past couple of years, the threat actor was observed expanding its target list and numerous attacks were linked to it, as well as malware found to resemble the actor’s usual set of backdoors. 

Following Kaspersky’s recent analysis of MuddyWater post-infection tools, Trend Micro now says that the cyber-spies have updated their PowerStats backdoor, and that the new variant has already been observed in a spear-phishing campaign targeting a university in Jordan and the Turkish government. 

Leveraging compromised legitimate accounts to trick victims into installing malware, the emails contained a document embedded with a malicious macro to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

“This block of data will be decoded and saved to the %PUBLIC% directory under various names ending with image file extensions such as .jpeg and .png. The PowerShell code will then use custom string obfuscation and useless code blocks to make it difficult to analyze,” Trend Micro reveals. 

The backdoor, which is obtained after the deobfuscation of all strings, gathers operating system (OS) information and saves it to a log file that is then uploaded to the command and control (C&C) server. The malware generates a random GUID number for each infected system and uses it for identification. 

“Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process,” the security researchers explain. 

The attackers can use the malware to send commands to the victim systems and launch second stage attacks, such as downloading and installing another payload. 

In one case, the actor served a second backdoor to the system, with support for commands to take screenshots, execute commands via cmd.exe, and execute PowerShell code via the “Invoke-Expression” cmdlet (if no keyword is received). 

For C&C communication, the hackers use PHP scripts with a hardcoded token and a set of backend functions, including sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Campaigns MuddyWater launched since the beginning of this year have shown changes in tactics from the threat actor, such as the adoption of new delivery methods and dropped file types. The payloads and publicly available post-exploitation tools have been updated as well. 

Trend Micro observed the attackers dropping the .NET backdoor SHARPSTATS in January, only to switch to the Delphi-based DELPHSTATS the same month. In March and April, the actor was using the heavily obfuscated POWERSTATS v2, only to switch to POWERSTATS v3 in May. 

Additionally, the threat actor employed multiple open source post-exploitation tools, including CrackMapExec, ChromeCookiesView, chrome-passwords, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MZCookiesView, PowerSploit, Shootback, and Smbmap. 

In the campaign that delivered the EmpireProject stager, the attackers leveraged template injection and abused the CVE-2017-11882 vulnerability, the security researchers reveal. As part of the campaign delivering the LaZagne credential dumper, the attackers patched the malware to drop and run POWERSTATS in the main function.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

Related: Kaspersky Analyzes Hacking Group’s Homegrown Attack Tools

Related: Highly Active MuddyWater Hackers Hit 30 Organizations in 2 Months

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...