Connect with us

Hi, what are you looking for?



New Campaign Possibly Linked to MuddyWater

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

First observed in 2017, the MuddyWater campaign was targeting the Saudi government with PowerShell scripts deployed via Microsoft Office Word macros. A similar espionage campaign observed in March 2018 was targeting organizations in Turkey, Pakistan and Tajikistan.

The attacks, which are rather difficult to clear up, were previously associated with the FIN7 hacking group, but artifacts observed in multiple assaults were also linked to a single framework last year.

Discovered last month, the new campaign bears the hallmarks of MuddyWater and attempts to distribute a backdoor through Word documents that execute PowerShell scripts, Trend Micro says. Unlike previous attacks, however, the samples don’t attempt to download the scripts, but have them encoded in the document itself.

The campaign, however, does have characteristics that appear to connect it to the MuddyWater attacks, such as the use of malicious documents with embedded macros, and the obfuscation method used for the macro scripts.

A lure document claiming to be a reward or a promotion was used as part of the new attack, instead of the previously seen documents dealing with government or telecommunications-related issues. Because of this change, Trend Micro suggests that the attacks would no longer be limited to specific industries or organizations.

Once the intended victim opens the document, they are enticed into enabling the macro to view its full content. The macro uses the Document_Open() event to execute a malicious routine. Two PowerShell scripts are executed, with the second being designed to drop various components on the compromised machine.

Advertisement. Scroll to continue reading.

The final payload used in this campaign is the PRB-Backdoor remote access Trojan (RAT) that was previously analyzed in May 2018. The malware communicates with a command and control (C&C) server at outl00k[.]net and includes support for a broad range of commands.

Based on the received instructions, the malware can initialize a connection with the C&C, register the infected system, gather browsing history from installed browsers and send it to the C&C, steal passwords found in the browser, read and write files, execute shell commands, log keystrokes, capture screenshots, update functions, gather system information, and initialize DNS sessions.

Last month, the security researcher behind Security 0wnage revealed that there was no reference to PRB-Backdoor or its code on public sources.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro notes.

Related: New PowerShell Backdoor Discovered

Related: New Cyberespionage Attacks Linked to MuddyWater Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...