The MuddyWater campaign appears to be resurfacing, with researchers finding similarities between the older cyberespionage attack and a new one targeting Turkey, Pakistan and Tajikistan.
Trend Micro researchers believe the latest series of incursions is related to last year's MuddyWater incidents, which were discovered by Palo Alto's Unit 42. Each uses official-looking documents purporting to be from government agencies and drops a Visual Basic file and a PowerShell file; the VBS file executes the PowerShell file in order to gain entry into the targeted system. The original MuddyWater campaign came to light in 2017, targeting a wide range of nations, including the United States, Saudi Arabia, Israel, Turkey and Pakistan.
Other parallels include similar obfuscation and deobfuscation processes and distribution through phishing attacks.
The Saudi Arabian National Cyber Security Center (NCSC) issued an alert for this, stating, “The malicious PowerShell utilizes HTTP tunneling to communicate with the command and control domains. The HTTP requests and responses contain data exfiltrated from infected machines or commands to be executed by the threat actor.”
Attribution has not been made for these latest attacks. Trend Micro noted what appears to be an attempt to blame Chinese actors, but researchers said this could also be a false flag, as the syntax and grammar suggest the language might have been produced with a translation program.
"If communication with C&C fails, and if the PowerShell script is run from a command line, a few error messages written in simplified Mandarin Chinese are displayed, with a curious phrase that translates to 'waiting for dragon'. These messages may not reveal anything about the real attackers as the malware writers sometimes like to embed false flags into their programs to confuse researchers," the report said.
The primary methods of attack are decoy documents and watering hole attacks. The documents are well constructed, bearing government emblems and purportedly coming from places like the Ministry of Internal Affairs of the Republic of Tajikistan, Trend Micro said.
“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked,” the Trend Micro researchers said.
In each attack, two files are downloaded: one containing an obfuscated Visual Basic script and the other an obfuscated PowerShell script, both created in the program directory. The Visual Basic script is needed to activate the PowerShell script.
Once installed, the backdoor collects the machine's information, including operating system, architecture, domain, network adapter configuration and username, and takes screenshots while it waits to receive instructions from its command and control server. The basic instructions are sent via XML message.
The malicious actors are also monitoring the traffic through the command and control server, and if they notice an unauthorized communication with it, the interloper is presented with the message “Stop!!! I Kill You Researcher.”
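As an added illustration (not code from Trend Micro's report or from this article), the following Python example shows how a defender could correlate the behaviour described above: an Office process writes a Visual Basic script and a PowerShell script to the same directory, and a script host then launches that PowerShell script. The event schema, process names and file paths are assumptions constructed for the example.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry (hypothetical schema, names and paths).
EVENTS = [
    {"type": "file_create", "proc": "WINWORD.EXE", "path": r"C:\ProgramData\a1.vbs"},
    {"type": "file_create", "proc": "WINWORD.EXE", "path": r"C:\ProgramData\a1.ps1"},
    {"type": "proc_create", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\a1.vbs"'},
    {"type": "proc_create", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\a1.ps1"},
    # Benign: a user runs their own script from Explorer.
    {"type": "file_create", "proc": "explorer.exe", "path": r"C:\Users\u\notes.ps1"},
    {"type": "proc_create", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\notes.ps1"},
]

def detect(events):
    """Alert when a script host starts PowerShell on a .ps1 that an Office
    process dropped next to a .vbs (both halves of the pair are required)."""
    dropped = {}  # directory -> {extension -> set of lower-cased paths}
    alerts = []
    for ev in events:
        if ev["type"] == "file_create" and ev["proc"].lower() in OFFICE:
            path = ev["path"].lower()
            ext = ntpath.splitext(path)[1]
            if ext in (".vbs", ".ps1"):
                by_ext = dropped.setdefault(ntpath.dirname(path), {})
                by_ext.setdefault(ext, set()).add(path)
        elif ev["type"] == "proc_create":
            if ev["parent"].lower() not in SCRIPT_HOSTS:
                continue
            if ev["image"].lower() != "powershell.exe":
                continue
            cmd = ev["cmdline"].lower()
            for directory, by_ext in dropped.items():
                if ".vbs" not in by_ext:
                    continue  # a lone .ps1 is not the pattern described
                for ps1 in sorted(by_ext.get(".ps1", ())):
                    if ps1 in cmd:
                        alerts.append({"directory": directory, "script": ps1})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT", alert)
```

A launcher that passes the script inline instead of by path would not match this rule; in that case the parent-child pair alone (a script host spawning PowerShell) is the signal to fall back on.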
Eddie Habibi, founder/CEO of PAS Global, said the nature of attacks waged against national entities requires a renewed effort for the private sector and government to work together.
“Foreign actors are getting increasingly sophisticated with their cyber threat capabilities, and it's imperative that the U.S. is proactive in combatting this. Private companies and the U.S. government need to work together to create impenetrable defenses,” he told SC Media.