A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.
First detailed last year, the adversary is mainly focused on governmental targets in Iraq and Saudi Arabia, but attacks appear difficult to attribute. Security researchers linked the actor to multiple attacks this year and even revealed an expanded target list.
From the start, the attack group has been using phishing emails as the primary vector in its elaborate espionage attacks, and has made only minor changes to the tools, techniques and procedures (TTPs) employed.
According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, and which were uploaded to Virus Total from Turkey. The documents would drop a new backdoor written in PowerShell, and which is similar to MuddyWater’s known POWERSTATS malware.
Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say.
When open, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content.
The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with a PowerShell code embedded) and a .reg file into %temp% directory.
The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware.
The threat collects system information such as OS name, domain name, user name, IP address, and more, and saves it using the separator “::” between each piece of information.
For communication, the malware uses files named <md5(hard disk serial number)> with various extensions, based on the purpose of the file: .cmd (text file with a command to execute), .reg (system info generated by myinfo() function), .prc (output of the executed .cmd file, stored on local machine), and .res (output of the executed .cmd file, stored on cloud storage).
These files are used as an asynchronous mechanism, with the malware operator leaving a command to execute in a .cmd file and returning to retrieve the .res files. The content encoding, however, differs between the MuddyWater backdoor and the new malware.
Commands supported in the backdoor include file upload, persistence removal, exit, file download, and command execution.
“Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.