MuddyWater APT Group Targeted India and Turkey
Posted on: March 20, 2018
Our Intelligence Labs Team recently came across several malicious documents and spear-phishing emails targeting India and Turkey via macro-enabled Word documents. Our research lab has attributed these campaigns to the MuddyWater APT group.
MuddyWater is an APT group that was very active throughout 2017, targeting regions including the Middle East, India, the USA and Pakistan, as described in a blog post published by Palo Alto Networks: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/. According to that post, the group's attacks are characterized by the use of a PowerShell-based backdoor named “POWERSTATS” and by confusion in attack attribution, hence the name MuddyWater.
Campaign Targeting India
The first document that we came across in this campaign was a malicious DOCX document (bf310319d6ef95f69a45fc4f2d237ed4) which used the name of IDRBT (Institute for Development and Research in Banking Technology) to lure victims into running its macro code. The sample was first uploaded to VT on 27 Feb, 2017 from India.
Malicious lure document claiming to be from IDRBT
The document has password-protected macro code to complicate manual analysis. The macro code is heavily obfuscated and employs base64 and XOR operations to decode itself. The macro first drops a base64-encoded PowerShell payload (POWERSTATS) to the following location: c:\programdata\WindowsDefender.ini
The macro then drops a COM scriptlet which executes the encoded PowerShell payload. The location of the dropped COM scriptlet is: c:\programdata\Defender.sct
Finally, the macro drops a DefenderService.inf file here: c:\programdata\DefenderService.inf
The macro then launches the legitimate cmstp.exe process and passes the dropped DefenderService.inf file to it as input, which bypasses AppLocker.
The following command is used to bypass AppLocker:
“cmstp.exe /s c:\programdata\DefenderService.inf”
This bypass is listed in a GitHub repository here: https://github.com/api0cradle/UltimateAppLockerByPassList#23-cmstpexe
The POWERSTATS payload used in these campaigns has various capabilities:
- Shutdown / Reboot
- Taking screenshots
- Communicating with C&C using custom encryption
- Wipe disk drives
The payload uses various compromised sites as proxies to communicate with its Command and Control (C&C) server. We have listed some of these proxies in the IOC section.
Second Campaign Targeting Turkey
We came across a spear-phishing email that appeared to be from mit.gov.tr (National Intelligence Organization of Turkey). The attacker spoofed the sender's email address “firstname.lastname@example.org”, and the email was sent on February 12, 2018.
The lure in the email asked the recipient to check the attached file and quoted the file's MD5 hash in the email body to make it appear legitimate. The email contains a malicious Word document named “MIT.doc”.
The attached Word document carries malicious macro code which is heavily obfuscated and uses base64 and XOR operations to decode itself, just like the document above. In the case of “MIT.doc” the malicious activity is triggered when the document is opened, via the Document_Open() subroutine.
The macro code first creates a directory named “FirefoxSDK” under “c:\programdata\”. It then drops the base64-encoded PowerShell payload (POWERSTATS) to the following location: C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.ini.
The macro code then drops a ConfigRegisterSDK.vbs script to “C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs” and executes it.
The ConfigRegisterSDK.vbs script in turn executes the POWERSTATS payload. The dropped POWERSTATS payload has almost the same capabilities as described in the campaign targeting IDRBT above. We have also found around 500 proxy URLs which were used to communicate with the C&C.
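As an added example (not code from this post or from the researchers), the following Python flags process-creation telemetry matching both infection chains described above: an Office application spawning cmstp.exe with a silent /s run of an .inf under C:\ProgramData (IDRBT campaign), and an Office application spawning a script host on a dropped file under C:\ProgramData (MIT.doc campaign). The Sysmon-style event fields, the Office parent-process names and wscript/cscript as the VBS host are assumptions; the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Dropped artefacts under C:\ProgramData with the extensions seen in both campaigns
PROGRAMDATA_DROP = re.compile(r"c:\\programdata\\[^\s\"]+\.(inf|sct|vbs|ini)\b", re.I)
CMSTP_SILENT = re.compile(r"(^|\s)/s\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule a process-creation event matches (empty if none)."""
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    hits = []
    # Rule 1: an Office application launching cmstp.exe (macro -> LOLBin, IDRBT campaign)
    if parent in OFFICE and image == "cmstp.exe":
        hits.append("office_spawns_cmstp")
    # Rule 2: cmstp.exe run silently (/s) on an .inf that lives under ProgramData
    if image == "cmstp.exe" and CMSTP_SILENT.search(cmd) and PROGRAMDATA_DROP.search(cmd):
        hits.append("cmstp_inf_in_programdata")
    # Rule 3: an Office application launching a script host on a dropped file under
    # ProgramData (MIT.doc campaign; wscript/cscript as the host is an assumption)
    if parent in OFFICE and image in SCRIPT_HOSTS and PROGRAMDATA_DROP.search(cmd):
        hits.append("office_spawns_script_from_programdata")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through the rules; returns (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

# Constructed Sysmon-style events (not real telemetry); paths mirror the post's drop locations.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s c:\programdata\DefenderService.inf"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign-looking admin use, should not fire
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s C:\Users\jane\Downloads\vpn.inf"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 1 on its own will catch variants that drop the .inf elsewhere, while Rule 2 also fires on a non-Office parent, so the two are deliberately kept separate.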
Based on the above information and past research, we can say that MuddyWater is a very active APT group which is, or was, targeting government organizations in various countries. The group regularly evolves its techniques, integrating techniques published in open source and mixing the methods of its infection chain to target various organizations, which complicates attribution and analysis.
Indicators of Compromise
Proxy URLs used by the POWERSTATS sample