MuddyWater APT Group Targeted India and Turkey

Our Intelligence Labs Team recently came across several malicious documents and spear-phishing emails targeting India and Turkey via macro-enabled Word documents. Our research lab has attributed these campaigns to the MuddyWater APT group.

MuddyWater is an APT group that was very active throughout 2017, targeting regions such as the Middle East, India, the USA and Pakistan, as described in a blog published by Palo Alto Networks: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/. According to that blog, the group's attacks are characterized by the use of a PowerShell-based backdoor named “POWERSTATS” and by confusion in attack attribution, hence the name MuddyWater.

Campaign Targeting India

The first document we came across in this campaign was a malicious DOCX document (bf310319d6ef95f69a45fc4f2d237ed4) that used the name of IDRBT (Institute for Development and Research in Banking Technology) to lure victims into running the macro code. The sample was first uploaded to VT on 27 Feb, 2017 from India.

Malicious lure document claiming to be from IDRBT

Technical Analysis

The document's macro code is password protected to complicate manual analysis. The macro is heavily obfuscated and uses base64 and XOR operations to decode its own code. It first drops a base64-encoded PowerShell payload (POWERSTATS) to the following location:
c:\programdata\WindowsDefender.ini

The macro code then drops a COM scriptlet that executes the encoded PowerShell payload. The dropped scriptlet is written to:
c:\programdata\Defender.sct

Finally, the macro drops a DefenderService.inf file to:
c:\programdata\DefenderService.inf

The macro code then launches the legitimate cmstp.exe process, passing the dropped DefenderService.inf file as input, in order to bypass AppLocker.
The following command is used for the bypass:
"cmstp.exe /s c:\programdata\DefenderService.inf"

This bypass is listed in the following GitHub repository: https://github.com/api0cradle/UltimateAppLockerByPassList#23-cmstpexe

The POWERSTATS payload used in these campaigns has several capabilities:
  • Shutting down / rebooting the host
  • Taking screenshots
  • Communicating with the C&C using custom encryption
  • Wiping disk drives


The payload uses various compromised websites as proxies to communicate with its Command and Control (C&C) server. Some of the proxy URLs are listed in the IOC section.

Second Campaign Targeting Turkey

We came across a spear-phishing email that appeared to come from mit.gov.tr (the National Intelligence Organization of Turkey). The attacker spoofed the sender's address “irtibat@mit.gov.tr”, and the email was sent on February 12, 2018.

The email body asked the recipient to check the attached file and included the attachment's MD5 hash to make the message appear legitimate. The attachment was a malicious Word document named “MIT.doc”.

Spam email

Malicious document

Technical Analysis

The attached Word document contains malicious macro code that is heavily obfuscated and uses base64 and XOR operations to decode its own code, just like the document above. In the case of “MIT.doc”, the malicious activity is triggered as soon as the document is opened, because the subroutine Document_Open() is called.

The macro code first creates a directory named “FirefoxSDK” under “c:\programdata\”. It then drops the base64-encoded PowerShell payload (POWERSTATS) to the following location:
C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.ini

The macro code then drops a ConfigRegisterSDK.vbs script to “C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs” and executes it.

The ConfigRegisterSDK.vbs script then executes the POWERSTATS payload. The dropped POWERSTATS payload has almost the same capabilities as described for the campaign above targeting IDRBT. We also found around 500 proxy URLs that were used to communicate with the C&C.
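Both infection chains described above leave a distinctive process-creation footprint: cmstp.exe started with /s against an INF in a user-writable directory (the IDRBT document), and a script host launched directly by an Office process (the MIT.doc VBS launcher). The following detection logic is an added example, not code from the original post or from the threat actor; the event records are constructed Sysmon-style dictionaries, and the Office parent paths and the benign INF name are assumptions.

```python
import ntpath
import re

# Added example (not from the original post): flag the two process-creation
# patterns the analysis describes. Events are constructed Sysmon-style
# dictionaries, not real telemetry; parent paths are assumptions.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
INF_PATH = re.compile(r'"?([a-z]:\\[^"\s]+\.inf)"?', re.IGNORECASE)


def _base(path):  # lower-cased file name of a Windows path
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the detections that match one process-creation event."""
    hits = []
    image = _base(event["Image"])
    parent = _base(event["ParentImage"])
    cmdline = event["CommandLine"]
    # IDRBT chain: cmstp.exe /s <INF> where the INF lives in a writable directory.
    # INFs under C:\Windows\INF are the normal administrative case and stay quiet.
    if image == "cmstp.exe" and "/s" in cmdline.lower().split():
        infs = INF_PATH.findall(cmdline)
        if any(p.lower().startswith(WRITABLE_PREFIXES) for p in infs):
            hits.append("cmstp_inf_from_writable_dir")
    # MIT.doc chain: a script host started directly by an Office application.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    return hits


def scan(events):
    """Pair every alerting command line with the detections it triggered."""
    return [(e["CommandLine"], h) for e in events if (h := classify(e))]


EVENTS = [  # constructed sample events; paths other than the dropped files are assumed
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"cmstp.exe /s c:\programdata\DefenderService.inf"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs"'},
    {"Image": r"C:\Windows\System32\cmstp.exe",  # benign: INF in the system directory
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmstp.exe /s C:\Windows\INF\example-vpn.inf"},
]

if __name__ == "__main__":
    print(scan(EVENTS))
```

Running the block prints the two alerting command lines with their detection names; the third event, a cmstp.exe invocation against a system INF, produces no hit.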

Conclusion

Based on the above information and past research, we can say that MuddyWater is a very active APT group that has been targeting government organizations in several countries. The group is constantly evolving its techniques, integrating methods published in open source and varying its infection chains across targets to complicate attribution and analysis.

Indicators of Compromise

Proxy URLs used by the POWERSTATS sample


MD5 Hashes

