Saturday, December 2, 2023

MuddyWater APT’s BlackWater Malware Campaign Installs a Backdoor on Victims’ PCs to Gain Remote Access and Evade Detection

Researchers discovered a “BlackWater” malware campaign, suspected to be associated with the well-known MuddyWater APT, that bypasses security controls and installs a backdoor on victims’ PCs using MuddyWater’s tactics, techniques, and procedures (TTPs).

MuddyWater has been involved in various cyber attacks in the recent past and has been spotted targeting organizations in Pakistan, Turkey, and Tajikistan, using multiple social engineering methods to trick victims into enabling macros and activating payloads.

The BlackWater campaign is believed to be a new addition to MuddyWater APT’s arsenal, since its activities indicate that the threat actors applied many tactics to improve their operational security and avoid endpoint detection.

The threat actors used an obfuscated VBA script to establish the persistence mechanism; the VBA script triggered a PowerShell stager, a method that also lets the activity masquerade as a red-teaming tool.

BlackWater also employed a FruityC2 agent script, from an open-source framework on GitHub, so that the PowerShell stager could communicate with the C2 server and enumerate the host machine further.

This is one of the methods the threat actors employed to make host-based detection more difficult and to avoid signature-based detection by Yara rules.

BlackWater Infection Process

Researchers discovered a weaponized document being sent to victims via phishing emails; its timestamp indicates that the document was created on April 23.

Once victims open the malicious document, it asks the user to enable a macro titled “BlackWater.bas”.

The threat actors also employed an anti-reversing technique: the macro is password-protected, so it is inaccessible if a user attempts to view it in the Visual Basic editor.

According to Talos Research, “The macro contains a PowerShell script to persist in the ‘Run’ registry key, ‘KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding’.

The script then called the file ‘\ProgramData\SysTextEnc.ini’ every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.”

This PowerShell agent was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey.

In the BlackWater campaign, the threat actors made some small changes, such as altering variable names to avoid Yara detection and sending the results of commands to the C2 in the URL instead of writing them to a file.

Finally, the PowerShell script enumerates the targeted victim’s machine by querying the following information:

  • Operating system’s name (i.e., the name of the machine)
  • Operating system’s architecture
  • Operating system’s caption
  • Computer system’s domain
  • Computer system’s username
  • Computer’s public IP address

Once it has enumerated all this information, the script sends it to the C2 base64-encoded in the URL of a POST request, whereas in previous versions this information was written to a text file.

Decoding the base64 data from that URL reveals the enumerated details stolen from the victim, for example:

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\admin*
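A defender-side illustration of the beacon format described above, added here as an example and not code from the article or from Talos: it scans constructed proxy log lines for query values that base64-decode to a '*'-separated host-enumeration string. The log format, the parameter name `riHi`, and the field order of the enumeration string are assumptions based on the decoded URL shown above; the detector deliberately ignores parameter names, since the actors are noted to rename variables to evade signatures.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs, quote

# Constructed sample (not from the article): the enumeration string mirrors the
# decoded beacon quoted above; the exact field order on the wire is an assumption.
ENUM = ("FF-FF-FF-FF-FF-FF*1997*EP1*Microsoft Windows 7 Professional"
        "*32-bit*USER-PC*WORKGROUP*USER-PC\\admin")
B64 = base64.b64encode(ENUM.encode()).decode()

# Constructed proxy log lines in the form "<time> <src_ip> <method> <url> <status>".
SAMPLE_LOGS = [
    "2023-04-23T10:01:02Z 10.0.0.5 GET http://82.102.8.101/bcerrxy.php?riHi="
    + quote(B64, safe="") + " 200",
    "2023-04-23T10:01:05Z 10.0.0.5 GET http://example.com/index.html 200",
    "2023-04-23T10:02:11Z 10.0.0.7 GET http://example.com/api?token=aGVsbG8%3D 200",
]
OS_CAPTION = re.compile(r"Microsoft Windows", re.I)

def decode_param(value):
    """Base64-decode one query value; None if it is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_url(url):
    """Return the '*'-separated enumeration fields if any query value decodes to
    a beacon carrying a Windows OS caption. Parameter names are deliberately
    ignored: the article notes the actors rename variables to dodge signatures."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            text = decode_param(value)
            if text and text.count("*") >= 4 and OS_CAPTION.search(text):
                return text.split("*")
    return None

def scan_logs(lines):
    """Flag log lines whose URL carries a base64 host-enumeration beacon."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        fields = inspect_url(parts[3])
        if fields:
            hits.append({"src": parts[1], "url": parts[3], "fields": fields})
    return hits
```

The decoded fields of each hit can then be matched against the enumeration list above to confirm which host details were exfiltrated.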

Indicators of compromise






BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
