Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New PowerShell Backdoor Resembles “MuddyWater” Malware

A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

First detailed last year, the adversary is mainly focused on governmental targets in Iraq and Saudi Arabia, but attacks appear difficult to attribute. Security researchers linked the actor to multiple attacks this year and even revealed an expanded target list

From the start, the attack group has been using phishing emails as the primary vector in its elaborate espionage attacks, and has made only minor changes to the tools, techniques and procedures (TTPs) employed. 

According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, and which were uploaded to Virus Total from Turkey. The documents would drop a new backdoor written in PowerShell, and which is similar to MuddyWater’s known POWERSTATS malware. 

Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say. 

When open, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content. 

The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with a PowerShell code embedded) and a .reg file into %temp% directory.

The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware.

The threat collects system information such as OS name, domain name, user name, IP address, and more, and saves it using the separator “::” between each piece of information.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions, based on the purpose of the file: .cmd (text file with a command to execute), .reg (system info generated by myinfo() function), .prc (output of the executed .cmd file, stored on local machine), and .res (output of the executed .cmd file, stored on cloud storage).

These files are used as an asynchronous mechanism, with the malware operator leaving a command to execute in a .cmd file and returning to retrieve the .res files. The content encoding, however, differs between the MuddyWater backdoor and the new malware. 

Commands supported in the backdoor include file upload, persistence removal, exit, file download, and command execution. 

“Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes. 

Related: MuddyWater Threat Actor Expands Targets List

Related: New Campaign Possibly Linked to MuddyWater

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.