silversurfer
Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
- Aug 17, 2014
- 12,736
- 123,873
- 8,399
The Iranian-backed MuddyWater cyber-espionage group is continuously upgrading and improving its tools lately, with the group's POWERSTATS backdoor being the last to receive an update.
While previously MuddyWater deployed their PowerShell-based Windows backdoor during their attacks' first stages as described by Palo Alto Networks' Unit 42 in 2017, this time the malicious tool is used during the infection process' second stage.
The updated backdoor
As TrendMicro's researchers discovered while analyzing MuddyWater campaigns, an updated version of the backdoor dubbed POWERSTATS v3 capable of taking screenshots, execute commands and PowerShell code, is being dropped on already compromised machines during later stages of the attacks.
The infection's second stage is delivered from compromised servers controlled by the hacking group and will only be deployed to machines that the threat group considers interesting.
"A second stage attack can be launched by commands sent to a specific victim in an asynchronous way, e.g., another backdoor payload can be downloaded and installed to targets that they are interested in," according to the TrendMicro research team.
POWERSTATS v3 screenshot feature
Attacks' first stage
During the initial attack stage, the hackers would attempt to infect their targets using Microsoft Word documents with malicious macros delivered via spear-phishing e-mails.
Once executed on the victims' machines, the macros drop a Microsoft Script Encoder encoded VBE file which contains an obfuscated PowerShell script which collects operating system (OS) information and saves it to a log file.
"This file will be uploaded to the command and control (C&C) server. Each victim machine will generate a random GUID number, which will be used for machine identification," says Trend Micro's research team.
"Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process."
Spear-phishing email
