Researchers discovered a “Blackwater” malware campaign that suspected to associated with well known MuddyWater APT bypass the security control and install a backdoor on Victims PC using MuddyWater’s tactics, techniques, and procedures (TTPs).
MuddyWater involved with a various cyber attack in recent past and its spotted to targeting organizations in Pakistan, Turkey, and Tajikistan using multiple social engineering methods to trick the victims into enabling macros and activate payloads.
Blackwater campaign believed to be a new arsenal of MuddyWater APT since the activities indicate that the threat actors applied many tactics within it to improve its operational security and avoid endpoint detection.
Threat actors using Obfuscated VBA script to establish the persistence mechanism and the VBA script triggered a PowerShell stager, also its a type of method to masquerade as a red-teaming tool.
Backwater also employed a FruityC2 agent script, an open-source framework on GitHub by letting PowerShell stager communicate with C2 server to enumerate the host machine further.
It is one of the methods threat actors employed to make host-based detection more difficult and avoid signature-based detection from Yara rules.
Researchers discovered a weaponized document which is being sent to victims via phishing emails with the time stamp that indicates that the document created date on April 23.
Once victims open the malicious document, it required the user to enable the Macro titled “BlackWater.bas”
Threat actors also employed an anti-reverse technique by protecting Macro with a password to inaccessible if a user attempted to view the Macro in Visual Basic.
According to Talos Research, “The macro contains a PowerShell script to persist in the “Run” registry key, “KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding”.
The script then called the file “\ProgramData\SysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.”
This PowerShell agent was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey.
In Blackwater campaign, threat actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file.
Finally PowerShell script Will enumerate the Targeted victims machine to querying following information.
Once its enumerate all the information, It proposes the URL post request to a C2 with base64-encoded, whereas in previous versions this information was written to a text file.
hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE=
Later it decode the enumerated data and obtain the stolen data From Victims
hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PC\admin*192.168.000.01
Hashes
0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad
9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7
0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da91
6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
B2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93
4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf
062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717
URLs
hxxp://38[.]132[.]99[.]167/crf.txt
hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater
hxxp://82[.]102[.]8[.]101/bcerrxy.php?
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php
hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/
hxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df
hxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh
hxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Also Read:
Cyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…