Researchers have spotted the MuddyWater, Fin8 and Platinum cybergangs all making an unwanted comeback following an observed increase in malicious activity over the last few weeks.
Trend Micro came across several campaigns its researchers believe contain the hallmarks of MuddyWater. But this time around the group apparently deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3, which was contained in a spearphishing email. The emails targeted a university in Jordan as well as the Turkish government, and contained a document embedded with a malicious macro that drops a VBE file encoded with Microsoft Script Encoder to install a backdoor.
With the backdoor in place, a second-stage attack can take place that installs another backdoor, plus takes screenshots and has the ability for command execution via the cmd.exe binary.
“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns. In this regard, apart from using smart email security solutions, organizations should inform their employees of ways to stay safe from email threats,” Trend Micro reported.
Meanwhile, Fin8 has made its first appearance of the year, say researchers who linked the group to a new and sophisticated variant of the ShellTea/PunchBuggy backdoor that attempted to install POS malware on a company in the hotel industry.
Due to the manner and tools used to conduct the attack, Morphisec is attributing the operation to Fin8 with a high level of confidence, although there are a few points, such as URLs and infrastructure that overlap with the Fin7 group instead. As in past attacks, Fin8 used phishing to establish itself and installed backdoors and other methods to maintain persistence.
Finally, researchers at Kaspersky came across the latest incursions by the Platinum APT group while investigating attacks against governments and military organizations in South and Southeast Asia. These incidents involved the use a PowerShell downloader, as well as free hosting services (e.g. Dropbox) for creating command and control addresses. In addition, the researchers came across something new: the malware hid all its communications with the C2 server using a form of text steganography.
The investigation turned up a pair of backdoor programs that were used in two different stages of the attack. “…Both attacks used the same domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of malware at the same time,” Kaspersky said. “It’s worth mentioning that in the second stage, all executable files were protected with a runtime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to be related to Platinum.”