A new campaign with the similarities of MuddyWater spotted targetting organizations in Pakistan, Turkey, and Tajikistan. Attackers use various social engineering methods to trick the victims into enabling macros and activate payloads.
Security researchers from TrendMicro spotted the campaign says that “we can assume that there is a connection between these new attacks and the MuddyWater campaign”.
With this campaign, the attacker tries to impersonate government organizations of Tajikistan and the campaign uses similar obfuscation method as like MuddyWater.
In some lure documents payloads were directly embedded inside and some documents contain links that download the malicious payload.
One the payload executes it creates two malicious scripts in the ProgramData directory, obfuscated Visual Basic script(VBS_VALYRIA.DOCT) that executes the obfuscated PowerShell script(TROJ_VALYRIA.PS).
The Obfusticated PowerShell divided into three parts
1. Contains encryption keys and few websites that serve as proxies.
2. Second part the standard RSA encryption.
3. Contains the backdoor function. It communicates with the C&C server and can perform following actions such as clean, reboot, shutdown, screenshot, and upload.
The backdoor collects the infected machine information such as the Operating System name, architecture, domain, network adapter configuration, and username. Communication with C&C server done via XML messages.
Researchers said the attackers “are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: “Stop!!! I Kill You, Researcher.”
How to stay safe – Business Phishing Campaign
1. Have a unique Email address.
2. Do not open any attachments without proper validation.
3. Don’t open emails voluntary emails.
4. Use Spam filters & Antispam gateways.
5. Never respond to any spam emails.
6. verify the vendor.
7. Implement Two-factor Authentication