Security Alert: New Spear Phishing Campaign Operated by the MuddyWater Group
In which a malicious PowerShell payload is used to spread malware
You have probably heard of the hacking group known as “MuddyWater”, which was behind previous spam campaigns targeting a wide range of industries and institutions in several countries across the Middle East, Europe, and the US.
First spotted in 2017, when the group hit the Saudi Government, MuddyWater has since been linked by security researchers to further spam campaigns.
The MuddyWater operators are not slowing down these attacks and remain highly active and persistent. Earlier this week, threat researchers observed another spam campaign attributed to the group.
How the infection spreads (some technical details included)
In the analyzed campaign, the attackers use social engineering techniques to bait potential victims in the targeted organizations into enabling macros in Microsoft Office.
It is not the first time this attack vector has been used, but as long as it still works, why not try it again, right?
In this scenario, users receive a phishing email with a document containing a VBA macro code which, if enabled, will compromise users’ systems by using a PowerShell payload.
The image below shows how the malicious document from the spam campaign appears to the recipient:
If macros are enabled, the macro invokes Windows Script Host with the “//E” command-line option to run a Base64-encoded, obfuscated PowerShell payload.
Here’s how the payload is displayed:
powershell -exec bypass -c "IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhY [SNIP]')))"
The decoded payload looks like this (sanitized for your own safety):
kXBglobal: url = WqoWqo
kXBglobal: id = WqoWqo
kXBcevingr = 959, 713
kXBchoyvp = 37, 437
kXBC = @ (V7Xhttp: //185.162.235 [.] 182V7X)
The payload calls the .NET GetSystemWebProxy method to retrieve the proxy configured for the impersonated user, picks up the default credentials, and uses them to connect to another server. Through that connection the attackers perform remote control actions on the victim’s machine.
After gaining access through the enabled macro, the attackers restart the user’s machine and modify registry keys, displaying an “Update Service” message.
The Base64-encoded payload is dropped on the compromised machine at C:\Windows\temp\picture.jpg, and a C&C server such as 185.162.235[.]182 (sanitized for your own protection) collects sensitive data: hostname, date, language, and files from multiple folders.
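One way a defender can triage command lines of the shape shown above from process-creation logs, as an added example that is not code from the article or from CSIS: it decodes the Base64 argument of FromBase64String and flags the traits described in this section (-exec bypass, IEX, GetSystemWebProxy, default credentials, the C2 address). The logged command lines and the embedded payload are constructed stand-ins, since the article truncates the real payload at “JFhY [SNIP]”.

```python
# Added example; the sample command lines and payload are constructed stand-ins.
import base64
import re

# Constructed decoded stage: C2 address from the article, GetSystemWebProxy
# plus default credentials, as the article describes.
INNER = ("$XX = 'http://185.162.235.182/'; "
         "$p = [System.Net.WebRequest]::GetSystemWebProxy(); "
         "$p.Credentials = [System.Net.CredentialCache]::DefaultCredentials")

def _b64(text):  # FromBase64String + ASCII.GetString expects ASCII bytes
    return base64.b64encode(text.encode("ascii")).decode("ascii")

SAMPLE_LOGS = [  # constructed process-creation command lines
    'powershell -exec bypass -c "IEX ([System.Text.Encoding]::ASCII.GetString('
    "[System.Convert]::FromBase64String('" + _b64(INNER) + "')))\"",
    'powershell -NoProfile -c "Get-Process | Out-Null"',  # benign control
]

B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INDICATORS = {
    "exec_bypass": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "system_proxy": re.compile(r"GetSystemWebProxy", re.I),
    "default_creds": re.compile(r"DefaultCredentials", re.I),
}

def decode_embedded_b64(cmdline):
    """Return the decoded FromBase64String argument, or '' if absent/invalid."""
    m = B64_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def defang(ip):
    """Render an address the way the article does, e.g. 185.162.235[.]182."""
    return "[.]".join(ip.rsplit(".", 1))

def analyze(cmdline):
    """Flag a command line whose decoded stage shows the campaign's traits."""
    decoded = decode_embedded_b64(cmdline)
    text = cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    ips = sorted(set(IP_RE.findall(decoded)))
    return {"hits": hits, "ips": [defang(ip) for ip in ips], "decoded": decoded,
            "suspicious": len(hits) >= 2 or bool(ips)}
```

Feed it the CommandLine field of Sysmon event 1 or an equivalent EDR record; a hit on two or more traits, or any address in the decoded stage, is worth an analyst's look.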
Other indicators of compromise are the following malicious domains, which we do not recommend accessing:
corplink.com [.] pk
46105.84 [.] 146
listen.kristen [.] pw
vigor [.] software
Heimdal Security proactively blocked these infected domains, so all Thor Home and Thor Enterprise users are protected from getting infected with malware.
According to VirusTotal, 16 of the 60 listed antivirus engines detected the malicious document used in one of the analyzed spear phishing campaigns.
While these attacks are not new, they continue to wreak havoc and evade AV detection. You can read more examples of MuddyWater operations (with in-depth technical details and research) here.
Apply these security measures to keep your important data secure
To minimize both the risks and impact of these attacks and avoid becoming a target, we urge both regular users and companies to apply the following security measures:
- Always store a backup of all important data on external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.). You can learn how to do that by reading our dedicated guide
- Patch, patch, and patch again! It’s essential to install all the latest updates for your apps, software programs, and system. Do NOT postpone it for another time, do it as soon as possible and regularly
- Once again, we remind not to open or click attachments, files or links coming from unknown sources. Just DON’T.
- Try not to use the administrator account every day, and remember to disable macros in Microsoft Office
- Use a reliable antivirus product, and consider adding multiple layers of protection and use proactive cybersecurity software like our Heimdal™ Premium Security Home, because these malicious files seem to evade traditional AV detection
- We advocate for cybersecurity education, which is key to online safety, and encourage everyone to learn how to better detect and build a stronger defense against cyber attacks. You can check out these free educational resources to gain more knowledge in cybersecurity.
To learn more about phishing attacks and other advanced cyber threats, you can read these essential resources:
- The ABCs of detecting and preventing phishing
- Best free security and privacy tools in 2019
- Here are the top online scams you need to avoid today
Remember to be suspicious and question every email you get in your inbox.
Stay safe!
*This article features cyber intelligence provided by CSIS Security Group researchers.
Cool, but you’ve provided the technical IoCs but not the simple ones like sender and email subjects?
Hi Chris. Good catch, however, we did include the details you mentioned in our in-depth anti-phishing guide: https://heimdalsecurity.com/blog/abcs-detecting-preventing-phishing/
Thanks for stopping by and have a great day ahead!
>>Heimdal Security proactively blocked these infected domains, so all Thor Home and Thor Enterprise users are protected
That’s nice, but what are these domains, for others not with Heimdal?
Hello Jeff! Thanks for the feedback and for taking the time to read the article:-). We are talking about malicious domains that hackers can use to lure victims into clicking and compromise their data. We’ve updated the article. Thanks again for the feedback!