Recent attacks targeting organizations in Turkey, Pakistan and Tajikistan appear to be linked to the previously detailed MuddyWater campaigns, according to Trend Micro.
The MuddyWater campaigns were so named because of the high level of confusion they created, which made it difficult to attribute them to a specific actor. Artifacts associated with MuddyWater, however, were used in attacks targeting the Saudi Arabian government, in assaults linked to a single attack framework last year, and in incidents attributed to the hacking group FIN7.
Based on the targeted organizations and the focus on gathering information and uploading it to the command and control (C&C) servers, the actors behind these attacks appear mainly focused on espionage activities, Trend Micro says.
The newly observed attacks feature numerous ties to the previously observed MuddyWater campaigns and also show that “the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,” the security firm notes.
Similarities with earlier MuddyWater campaigns include the focus on targets in the Middle East, the use of documents that try to mimic government organizations, the dropping of a Visual Basic file and a PowerShell file (the VBS executes the PS), and the use of hundreds of hacked websites as proxies.
Furthermore, the attacks show similar obfuscation processes and internal variables after deobfuscation, Trend Micro says.
Malicious documents targeting individuals working for government organizations and telecommunication companies in Tajikistan use social engineering to trick victims into enabling macros. Some of the payloads were embedded inside the document itself, while others were downloaded from the Internet.
After the macros are enabled, the Visual Basic script and PowerShell script, both obfuscated, are dropped in the ProgramData directory. A scheduled task is created with the path to the VBS script to ensure persistence.
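A simple hunting check for the persistence chain described above (a VBS script dropped into ProgramData, a scheduled task pointing at it, and the VBS launching PowerShell), written here as an added example rather than code from the Trend Micro report; the event records and their field names are constructed and simplified, not a real Windows event schema.

```python
import json
from typing import Optional
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report): one scheduled-task
# creation record and three process-creation records, in a simplified
# JSON-lines shape. Backslashes are doubled for JSON.
SAMPLE_EVENTS = r"""
{"event": "task_created", "task": "\\Update", "action": "C:\\ProgramData\\up.vbs"}
{"event": "process_created", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\System32\\svchost.exe", "cmdline": "wscript.exe C:\\ProgramData\\up.vbs"}
{"event": "process_created", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\wscript.exe", "cmdline": "powershell.exe -w hidden -f C:\\ProgramData\\up.ps1"}
{"event": "process_created", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-Date"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries that run .vbs


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def in_programdata(path: str) -> bool:
    """True when the path's first directory below the drive is ProgramData."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "programdata"


def flag_event(ev: dict) -> Optional[str]:
    """Return an alert string for the two behaviours in the chain, else None."""
    if ev["event"] == "task_created":
        action = ev["action"]
        if base_name(action).endswith(".vbs") and in_programdata(action):
            return f"scheduled task {ev['task']} runs VBS from ProgramData: {action}"
    elif ev["event"] == "process_created":
        if base_name(ev["parent"]) in SCRIPT_HOSTS and base_name(ev["image"]) == "powershell.exe":
            return f"PowerShell launched by script host {base_name(ev['parent'])}: {ev['cmdline']}"
    return None


def scan(jsonl: str) -> list:
    """Run flag_event over every JSON line and collect the alerts in order."""
    hits = []
    for line in jsonl.strip().splitlines():
        hit = flag_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The benign `explorer.exe -> powershell.exe` record is deliberately left unflagged to show the parent-process condition doing its job.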
As part of other attacks, the second file dropped is a base64-encoded text file that yields the PowerShell file after decoding. Another campaign would drop three files: an .sct scriptlet file, an .inf file, and a base64-encoded data file. The first two use publicly available code to bypass AppLocker.
The PowerShell script is divided into three parts: one contains global variables (paths, encryption keys, a list of gates and hacked websites used as proxies), the second contains functions related to standard RSA encryption, and the third contains a backdoor function.
The backdoor collects machine information, takes screenshots, and sends all data to the C&C. It also includes support for commands such as clean (attempts to delete all items from drives C, D, E, and F), reboot, shutdown, screenshot, and upload. Communication with the C&C is performed via XML messages.
“It seems that the attackers are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: ‘Stop!!! I Kill You Researcher.’ This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server,” Trend Micro explained.
The security researchers also discovered what appears to be a false flag in the PowerShell script. If the communication with the C&C fails and the PowerShell script is run from a command line, error messages written in simplified Mandarin Chinese are displayed. The messages appear machine-translated rather than written by a native speaker, Trend’s researchers point out.