New Campaign Possibly Linked to MuddyWater

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

First observed in 2017, the MuddyWater campaign was targeting the Saudi government with PowerShell scripts deployed via Microsoft Office Word macros. A similar espionage campaign observed in March 2018 was targeting organizations in Turkey, Pakistan and Tajikistan.

The attacks, which have been difficult to attribute, were previously associated with the FIN7 hacking group, but artifacts observed in multiple assaults were also linked to a single framework last year.

Discovered last month, the new campaign bears the hallmarks of MuddyWater and attempts to distribute a backdoor through Word documents that execute PowerShell scripts, Trend Micro says. Unlike previous attacks, however, the samples don’t attempt to download the scripts, but have them encoded in the document itself.

The campaign, however, does have characteristics that appear to connect it to the MuddyWater attacks, such as the use of malicious documents with embedded macros, and the obfuscation method used for the macro scripts.

A lure document claiming to be a reward or a promotion was used as part of the new attack, instead of the previously seen documents dealing with government or telecommunications-related issues. Because of this change, Trend Micro suggests that the attacks may no longer be limited to specific industries or organizations.

Once the intended victim opens the document, they are enticed into enabling the macro to view its full content. The macro uses the Document_Open() event to execute a malicious routine. Two PowerShell scripts are executed, with the second being designed to drop various components on the compromised machine.
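As an added illustration of the defender's side of the pattern just described (this is my own triage heuristic, not Trend Micro's analysis or anything taken from the campaign's samples), the script below scans extracted VBA source for an auto-executing Document_Open handler that launches PowerShell with the script carried inside the document rather than fetched from a URL. It assumes the embedded script is passed through PowerShell's -EncodedCommand switch, which the article does not state, and works on a constructed, benign sample macro.

```python
import base64
import re

# Assumption, not from the article: the embedded PowerShell script is passed
# via -EncodedCommand, which takes base64 of UTF-16LE text. Macros that build
# the command line from concatenated or obfuscated string variables need the
# strings resolved first; this heuristic only sees literal command lines.

AUTO_EVENTS = ("Document_Open", "AutoOpen", "Auto_Open")
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://", re.I)

# Constructed sample macro (benign payload), shaped like the reported one:
# an auto-run handler carrying its PowerShell script inline.
_BENIGN = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
SAMPLE_VBA = f'''
Private Sub Document_Open()
    Shell "powershell.exe -EncodedCommand {_BENIGN}"
End Sub
'''


def auto_exec_handlers(vba: str) -> list[str]:
    """Names of auto-executing event handlers defined in the VBA source."""
    return [e for e in AUTO_EVENTS if re.search(rf"\bSub\s+{e}\s*\(", vba, re.I)]


def decode_encoded_commands(vba: str) -> list[str]:
    """Decode every -EncodedCommand payload found on a literal PowerShell command line."""
    decoded = []
    for blob in ENC_RE.findall(vba):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; ignore the match
    return decoded


def triage(vba: str) -> dict:
    """Summarise the indicators an analyst would want from one macro module."""
    scripts = decode_encoded_commands(vba)
    return {
        "auto_exec": auto_exec_handlers(vba),
        "powershell": bool(re.search(r"\bpowershell(?:\.exe)?\b", vba, re.I)),
        "embedded_scripts": scripts,
        # the reported samples embed the script; a URL in it would mean a download stage
        "downloads_script": any(URL_RE.search(s) for s in scripts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```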

The final payload used in this campaign is the PRB-Backdoor remote access Trojan (RAT) that was previously analyzed in May 2018. The malware communicates with a command and control (C&C) server at outl00k[.]net and includes support for a broad range of commands.

Based on the received instructions, the malware can initialize a connection with the C&C, register the infected system, gather browsing history from installed browsers and send it to the C&C, steal passwords found in the browser, read and write files, execute shell commands, log keystrokes, capture screenshots, update functions, gather system information, and initialize DNS sessions.

Last month, the security researcher behind Security 0wnage revealed that there was no reference to PRB-Backdoor or its code on public sources.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro notes.

Related: New PowerShell Backdoor Discovered

Related: New Cyberespionage Attacks Linked to MuddyWater Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
