Dissecting the MuddyWater Infection Chain

Introduction

In the last days of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

Figure 1. Malicious document

According with the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:  

Figure 4. Creation of the hidden document

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

  • C:\Windows\Temp\temp.jpg, containing Javascript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.
Figure 5. Downloaded Powershell code

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 139.162.245.200 (EU-LINODE-20141229 US).

Figura 7. POWERSTAT beaconing requests

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number.  This identifier is also used to create a file into the “C:\ProgramData\” folder, used to store temporary information.  

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by malicious implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64 powershell script;
  • muddy: the malware creates a new encrypted file in “C:\\ProgramData\LSASS” containing a powershell script and runs it.
Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVerison\Run” location:

Figure 11. Registry key based persistency mechanism

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware


Conclusion

This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverages macro-embedded document as initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13.  MuddyWaters’ Infection chain

Indicator of Compromise

  • Dropurl:
    • hxxp://pazazta[.com/app/icon.png
  • C2:
    • hxxp://amphira[.com
    • hxxps://amorenvena[.com
    • 139.162.245.200
  • Hash:
    • 294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d
    • 79f2d06834a75981af8784c2542e286f1ee757f7a3281d3462590a89e8e86b5a
    • ae2c0de026d0df8093f4a4e2e2e4d297405f943c42e86d3fdd0ddea656c5483d
    • 077bff76abc54edabda6b7b86aa1258fca73db041c53f4ec9c699c55a0913424
    • ccfdfcee9f073430cd288522383ee30a7d6d3373b968f040f89ae81d4772a7d0

Yara Rules

rule MuddyWater_doc_dropper {
	meta:
		description = "Yara Rule for MuddyWater document dropper"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$header ={D0 CF 11 E0 A1 B1 1A E1}
		$a = {D3 60 25 12 C4 C1 41 B1 65 E3 39 08 8B}
		$b = {B1 B8 22 60 2B 2E 62 59 58 11}
	condition:
		 all of them
}

rule MuddyWater_fake_pgn_dropper {
	meta:
		description = "Yara Rule for MuddyWater fake image dropper"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$a = "I0B+XlhBQUFBQT09L00rQ0QrfTRMf21EY0pxL15EYndPIFV0K15zSipSSSFVfkoxL"
		$b = "1mdW5jdGlvbihzLGQpe3ZhciB1PVtdLHY9MHgwLHcseD0nJyx5PScn"
	condition:
		 all of them
}

rule MuddyWater_encrypted_POWERSTATS {
	meta:
		description = "Yara Rule for MuddyWater encrypted backdoor"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$a = "256/8Z2S63F,17P1P?20N,-(1AR38(.E/,Y7/VB->V0E,.1J1L*0?H-"
		$b = "0E-13./)F/[-/L)/.I-*U/.F/*@3AM37M2?T-=I3-J/BU-=?/GP,JN1Z<05I-)V/C-"
	condition:
		 all of them
}