New Campaign Possibly Linked to MuddyWater

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

First observed in 2017, the MuddyWater campaign was targeting the Saudi government with PowerShell scripts deployed via Microsoft Office Word macros. A similar espionage campaign observed in March 2018 was targeting organizations in Turkey, Pakistan and Tajikistan.

The attacks, which are rather difficult to clear up, were previously associated with the FIN7 hacking group, but artifacts observed in multiple assaults were also linked to a single framework last year.

Discovered last month, the new campaign bears the hallmarks of MuddyWater and attempts to distribute a backdoor through Word documents that execute PowerShell scripts, Trend Micro says. Unlike previous attacks, however, the samples don’t attempt to download the scripts, but have them encoded in the document itself.

The campaign, however, does have characteristics that appear to connect it to the MuddyWater attacks, such as the use of malicious documents with embedded macros, and the obfuscation method used for the macro scripts.

A lure document claiming to be a reward or a promotion was used as part of the new attack, instead of the previously seen documents dealing with government or telecommunications-related issues. Because of this change, Trend Micro suggests that the attacks would no longer be limited to specific industries or organizations.

Once the intended victim opens the document, they are enticed into enabling the macro to view its full content. The macro uses the Document_Open() event to execute a malicious routine. Two PowerShell scripts are executed, with the second being designed to drop various components on the compromised machine.

The final payload used in this campaign is the PRB-Backdoor remote access Trojan (RAT) that was previously analyzed in May 2018. The malware communicates with a command and control (C&C) server at outl00k[.]net and includes support for a broad range of commands.

Based on the received instructions, the malware can initialize a connection with the C&C, register the infected system, gather browsing history from installed browsers and send it to the C&C, steal passwords found in the browser, read and write files, execute shell commands, log keystrokes, capture screenshots, update functions, gather system information, and initialize DNS sessions.

Last month, the security researcher behind Security 0wnage revealed that there was no reference to PRB-Backdoor or its code on public sources.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro notes.

Related: New PowerShell Backdoor Discovered

Related: New Cyberespionage Attacks Linked to MuddyWater Campaign