Published on December 9th, 2018📅| 0
Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain
Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater Infection Chain observed in a last wave of cyber attacks.
At the end of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emailscontaining blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.
According to the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.
However, the intermediate stages were slightly different than usual.
The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.
When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.
The macro code is decrypted before the execution with the following custom routine:
After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:
The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:
- C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
- C:\ProgramData\Microsoft.db, containing the encrypted final payload.
In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.
The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 184.108.40.206 (EU-LINODE-20141229 US).
One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:
Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.
The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:
- info: used in POST request to send info about the victim;
- live: used in POST request as ping mechanism;
- cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
- res: used in a POST request to send the result of the last command that the malware has executed.
The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number. This identifier is also used to create a file into the “C:\ProgramData\” folder, used to store temporary information.
Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by a malicious implant, such as:
- upload: the malware downloads a new file from the specified URL;
- cmd: the malware executes the specified command;
- b64: the malware decodes and executes a base64 PowerShell script;
- muddy: the malware creates a new encrypted file in “C:\\ProgramData\LSASS” containing a powershell script and runs it.
The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVerison\Run” location:
And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.
This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded document as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.