Long-lasting targeted attacks aimed at entities in the Middle East are difficult to attribute despite being analyzed by several researchers, Palo Alto Networks said this week.
Dubbed “MuddyWater” by the security firm because of the high level of confusion they have already created, the attacks took place between February and October 2017. The campaign has made use of a variety of malicious documents, and has so far hit targets in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.
The attacks, researchers say, use a slowly evolving PowerShell-based first-stage backdoor named POWERSTATS. The activity tied to this threat actor continues despite existing public reports, with the only observed changes relating to tools and techniques.
The malicious documents used in these attacks are almost identical to those in recently observed incidents targeting the Saudi Arabian government. Those documents were similar to files previously associated with a series of fileless assaults that Morphisec linked to a single attack framework. Some of these attacks were attributed to the hacking group known as FIN7.
According to a new Palo Alto Networks report, the attacks might have been mistakenly associated with the FIN7 group. A command and control (C&C) server delivering the FIN7-linked DNSMessenger tool was said to have been employed by MuddyWater as well, but there’s no evidence that the latter group ever used the utility, the researchers claim.
Between February and October, the malicious documents associated with the group’s activity had been tailored according to the target regions. They often used the logos of branches of local government in an attempt to trick users into enabling malicious macros.
The delivery method might have changed between attacks, but the final payload remained the same non-public PowerShell backdoor mentioned above. Moreover, the malicious documents used in this campaign shared the same C&C infrastructure and featured similar attributes.
“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes. The researchers also published lists of C&C servers, compromised sites, and related files.
Tools used by the group have been well-documented in previous reports, including open-source utilities such as Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more. In some recent attacks, GitHub is used as a hosting site for the POWERSTATS custom backdoor, as the actor controls multiple GitHub repositories, the researchers say.
MuddyWater even compromised accounts at third-party organizations to deliver its malware. In one attack, the malicious document used was nearly identical to a legitimate attachment that the same recipient received later.
“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” the researchers explain.
According to Palo Alto Networks, the earlier reports associating this cluster of activity with FIN7 create confusion rather than clarity. The FIN7 group is financially motivated and targets organizations in the restaurant, services and financial sectors, which suggests that it is unlikely to be behind espionage-focused attacks in the Middle East.
Malware associated with FIN7 hasn’t been observed in MuddyWater attacks, and the researchers also claim that there might be a mistake in the report linking the attacks to FIN7. However, they also admit that the hackers might have planted a false flag when realizing they were under investigation.
“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers say.