silversurfer
Thread author
A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.
According to Trend Micro, recent incidents show the use of delivery documents similar to known MuddyWater TTPs, which were uploaded to VirusTotal from Turkey. The documents drop a new backdoor written in PowerShell that is similar to MuddyWater’s known POWERSTATS malware.
Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say.
When opened, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content.
The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.
The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware.
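As an added example (not part of this post or of Trend Micro's report), a small Python detection over constructed Sysmon-style FileCreate events: it flags an Office process that writes both a .dll and a .reg file into %temp% within a short window, which is the drop pattern the macros described above produce. The pids, user names, file names and paths in the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # expanded %temp% path on Windows
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\Office16\\"

# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate); not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2019-06-10T09:12:01", "pid": 4120, "image": OFFICE_DIR + "WINWORD.EXE",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\~WRD0001.tmp"},   # benign Word temp file
    {"time": "2019-06-10T09:12:05", "pid": 4120, "image": OFFICE_DIR + "WINWORD.EXE",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},      # macro drops .dll
    {"time": "2019-06-10T09:12:06", "pid": 4120, "image": OFFICE_DIR + "WINWORD.EXE",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.reg"},      # macro drops .reg
    {"time": "2019-06-10T09:40:00", "pid": 5532, "image": "C:\\Windows\\regedit.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\export.reg"},      # not an Office process
    {"time": "2019-06-10T10:00:00", "pid": 6001, "image": OFFICE_DIR + "EXCEL.EXE",
     "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\report.dll"},        # .dll without a .reg
]


def find_macro_drops(events, window_seconds=120):
    """Return one finding per Office process instance (pid) that wrote both a
    .dll and a .reg file into %temp% within window_seconds of each other."""
    per_proc = defaultdict(lambda: {"dll": [], "reg": []})
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        target = ev["target"]
        if image not in OFFICE_PROCS or TEMP_MARKER not in target.lower():
            continue
        ext = target.rsplit(".", 1)[-1].lower()
        if ext in ("dll", "reg"):
            stamp = datetime.fromisoformat(ev["time"])
            per_proc[(ev["pid"], image)][ext].append((stamp, target))
    findings = []
    for (pid, image), drops in per_proc.items():
        for t_dll, dll in drops["dll"]:
            for t_reg, reg in drops["reg"]:
                if abs((t_dll - t_reg).total_seconds()) <= window_seconds:
                    findings.append({"pid": pid, "process": image, "dll": dll, "reg": reg})
    return findings


if __name__ == "__main__":
    for f in find_macro_drops(SAMPLE_EVENTS):
        print(f"ALERT: {f['process']} (pid {f['pid']}) wrote {f['dll']} and {f['reg']}")
```

Keying on the process id keeps two separate Word sessions from being paired with each other; the `.tmp` write and the lone Excel `.dll` are ignored because only a `.dll` and `.reg` pair from the same instance is reported.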