Dissecting the MuddyWater Infection Chain

12/07/2018

Introduction

In the last days of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as "MuddyWater": their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

According with the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

The macro code is decrypted before the execution with the following custom routine:

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

*Figure 4. Creation of the hidden document*

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

C:\Windows\Temp\temp.jpg, containing Javascript code;
C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
C:\ProgramData\Microsoft.db, containing the encrypted final payload.

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

*Figure 6. Javascript code within “temp.jpg”*

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the "Microsoft.db" file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 139.162.245.200 (EU-LINODE-20141229 US).

*Figura 7. POWERSTAT beaconing requests*

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

*Figure 8. Post request containing info about the victim machine*

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:

info: used in POST request to send info about the victim;
live: used in POST request as ping mechanism;
cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number. This identifier is also used to create a file into the “C:\ProgramData\” folder, used to store temporary information.

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by malicious implant, such as:

upload: the malware downloads a new file from the specified URL;
cmd: the malware executes the specified command;
b64: the malware decodes and executes a base64 powershell script;
muddy: the malware creates a new encrypted file in “C:\\ProgramData\LSASS” containing a powershell script and runs it.

*Figure 10. Deobfuscated POWERSTATS code snippet*

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVerison\Run” location:

*Figure 11. Registry key based persistency mechanism*

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

*Figure 12. Scheduled task installed by the malware*

Conclusion

This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverages macro-embedded document as initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

*Figure 13. MuddyWaters’ Infection chain*

Indicator of Compromise

Dropurl:
- hxxp://pazazta[.com/app/icon.png
C2:
- hxxp://amphira[.com
- hxxps://amorenvena[.com
- 139.162.245.200
Hash:
- 294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d
- 79f2d06834a75981af8784c2542e286f1ee757f7a3281d3462590a89e8e86b5a
- ae2c0de026d0df8093f4a4e2e2e4d297405f943c42e86d3fdd0ddea656c5483d
- 077bff76abc54edabda6b7b86aa1258fca73db041c53f4ec9c699c55a0913424
- ccfdfcee9f073430cd288522383ee30a7d6d3373b968f040f89ae81d4772a7d0

Yara Rules

rule MuddyWater_doc_dropper {
	meta:
		description = "Yara Rule for MuddyWater document dropper"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$header ={D0 CF 11 E0 A1 B1 1A E1}
		$a = {D3 60 25 12 C4 C1 41 B1 65 E3 39 08 8B}
		$b = {B1 B8 22 60 2B 2E 62 59 58 11}
	condition:
		 all of them
}

rule MuddyWater_fake_pgn_dropper {
	meta:
		description = "Yara Rule for MuddyWater fake image dropper"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$a = "I0B+XlhBQUFBQT09L00rQ0QrfTRMf21EY0pxL15EYndPIFV0K15zSipSSSFVfkoxL"
		$b = "1mdW5jdGlvbihzLGQpe3ZhciB1PVtdLHY9MHgwLHcseD0nJyx5PScn"
	condition:
		 all of them
}

rule MuddyWater_encrypted_POWERSTATS {
	meta:
		description = "Yara Rule for MuddyWater encrypted backdoor"
		author = "Yoroi ZLab - Cybaze"
		last_updated = "2018-12-05"
		tlp = "white"
		category = "informational"
	strings:
		$a = "256/8Z2S63F,17P1P?20N,-(1AR38(.E/,Y7/VB->V0E,.1J1L*0?H-"
		$b = "0E-13./)F/[-/L)/.I-*U/.F/*@3AM37M2?T-=I3-J/BU-=?/GP,JN1Z<05I-)V/C-"
	condition:
		 all of them
}

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_gat_gtag_UA_209986505_1	1 minute	Set by Google to distinguish users.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.