
New PowerShell Backdoor Resembles “MuddyWater” Malware

A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

First detailed last year, the adversary is mainly focused on governmental targets in Iraq and Saudi Arabia, but its attacks appear difficult to attribute. Security researchers linked the actor to multiple attacks this year and even revealed an expanded target list.

From the start, the attack group has been using phishing emails as the primary vector in its elaborate espionage attacks, and has made only minor changes to the tools, techniques and procedures (TTPs) employed. 

According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, which were uploaded to VirusTotal from Turkey. The documents drop a new backdoor written in PowerShell that is similar to MuddyWater’s known POWERSTATS malware. 

Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say. 

When open, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content. 

The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware.

The threat collects system information such as OS name, domain name, user name, IP address, and more, and saves it using the separator “::” between each piece of information.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions, based on the purpose of the file: .cmd (text file with a command to execute), .reg (system info generated by myinfo() function), .prc (output of the executed .cmd file, stored on local machine), and .res (output of the executed .cmd file, stored on cloud storage).

These files are used as an asynchronous mechanism, with the malware operator leaving a command to execute in a .cmd file and returning to retrieve the .res files. The content encoding, however, differs between the MuddyWater backdoor and the new malware. 
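The naming scheme and record format described above lend themselves to a simple hunt over a synced cloud folder or a %temp% listing. The following is an added example, not code from Trend Micro's report or from the malware: it groups files whose stem is a 32-hex-digit MD5 and whose extension is one of .cmd/.reg/.prc/.res, confirms a stem against a known disk serial, and splits a "::"-separated system-info record. The sample listing, serial and record are constructed; how the backdoor encodes the serial before hashing is not stated in the article, so UTF-8 is assumed here.

```python
import hashlib
import re
from collections import defaultdict

# Extensions the article associates with the backdoor's file-based C&C channel.
C2_EXTENSIONS = {"cmd", "reg", "prc", "res"}
# A stem of md5(<hard disk serial>) is 32 hex digits.
MD5_STEM = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def group_c2_candidates(filenames):
    """Return {stem: sorted extensions} for names shaped like <md5>.<c2 ext>.

    Only stems that are 32 hex digits and carry at least one of the
    C&C extensions are kept; ordinary files are ignored.
    """
    by_stem = defaultdict(set)
    for name in filenames:
        stem, sep, ext = name.rpartition(".")
        if not sep or not MD5_STEM.match(stem):
            continue
        if ext.lower() in C2_EXTENSIONS:
            by_stem[stem.lower()].add(ext.lower())
    return {stem: sorted(exts) for stem, exts in by_stem.items()}


def parse_sysinfo(record):
    """Split a '::'-separated system-info record (the .reg content) into fields."""
    return [field.strip() for field in record.split("::")]


def stem_matches_serial(stem, serial):
    """Check whether a stem equals md5(serial); UTF-8 encoding is an assumption."""
    return hashlib.md5(serial.encode("utf-8")).hexdigest() == stem.lower()


# Constructed sample data for a dry run; none of these are real indicators.
SAMPLE_SERIAL = "WD-WCC6Y0EXAMPLE"
SAMPLE_STEM = hashlib.md5(SAMPLE_SERIAL.encode("utf-8")).hexdigest()
SAMPLE_LISTING = [
    f"{SAMPLE_STEM}.cmd", f"{SAMPLE_STEM}.reg", f"{SAMPLE_STEM}.res",
    "report.docx", "notes.cmd", "0123456789abcdef0123456789abcdef.txt",
]
SAMPLE_REG = "Windows 10 Pro::CORP::jdoe::10.0.0.25"

if __name__ == "__main__":
    for stem, exts in group_c2_candidates(SAMPLE_LISTING).items():
        hit = "matches known serial" if stem_matches_serial(stem, SAMPLE_SERIAL) else ""
        print(stem, exts, hit)
    print(parse_sysinfo(SAMPLE_REG))
```

A stem that resolves to a host's own disk serial is strong corroboration; a stem that does not still deserves a look if it carries several of the four extensions.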

Commands supported in the backdoor include file upload, persistence removal, exit, file download, and command execution. 

“Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes. 

Related: MuddyWater Threat Actor Expands Targets List

Related: New Campaign Possibly Linked to MuddyWater

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
