New PowerShell Backdoor Resembles "MuddyWater" Malware

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, which were uploaded to VirusTotal from Turkey. The documents would drop a new backdoor written in PowerShell, which is similar to MuddyWater’s known POWERSTATS malware.

Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say.

When opened, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content.

The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware.
 
5

509322

1. Office macros... Office not installed. Strike one.

2. “C:\Windows\System32\cmd.exe” /k %windir%\System32\reg.exe IMPORT %temp%\B.reg

AppGuard > reg.exe disabled by default & *.reg blocked by default. Strikes two and three.

3. rundll32 %Temp%\png.dll,RunPow

AppGuard > png.dll blocked by default and PowerShell disabled by user. Strikes four and five.

Wow... five layers of defense using common sense and less than 60 seconds of trivial work.

How you like them apples? Bet your default allow can't match that.
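The two post-macro steps quoted above (reg.exe importing a .reg from %temp%, then rundll32 loading a DLL from %temp% by export name) are easy to spot in process-creation telemetry even without a default-deny product. The script below is an added example written for this thread, not code from Trend Micro, AppGuard or the forum; the Sysmon-style event tuples are constructed for illustration, and the Office/child-process lists and the temp-path patterns are assumptions chosen to match the chain described in the post.

```python
"""Flag the execution chain quoted in the thread in process-creation logs.

Added example (not from the thread, Trend Micro or AppGuard). Each event is a
constructed (parent_image, image, command_line) tuple in a simplified
Sysmon Event ID 1 style.
"""
from __future__ import annotations

import re

# Constructed sample events: three lines mirroring the chain quoted in the
# thread (Word -> cmd.exe -> reg.exe IMPORT -> rundll32 png.dll,RunPow)
# followed by two benign lines that must not fire.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /k %windir%\\System32\\reg.exe IMPORT %temp%\\B.reg'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\reg.exe",
     "reg.exe IMPORT C:\\Users\\alice\\AppData\\Local\\Temp\\B.reg"),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\rundll32.exe",
     "rundll32 C:\\Users\\alice\\AppData\\Local\\Temp\\png.dll,RunPow"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\reg.exe",
     "reg.exe query HKLM\\SOFTWARE\\Contoso /v Version"),
]

# Assumed lists: Office parents and the script/LOLBin children worth flagging.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SPAWN_SUSPECTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "reg.exe"}

# Either the unexpanded %temp%/%tmp% variable or the expanded user/system temp dirs.
TEMP_PATH_RE = re.compile(
    r"(%temp%|%tmp%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)", re.IGNORECASE)
# "reg[.exe] IMPORT <file>" anywhere in the command line (also inside a cmd /k wrapper).
REG_IMPORT_RE = re.compile(r"\breg(?:\.exe)?\s+import\s+(\S+)", re.IGNORECASE)
# "rundll32[.exe] <dll>,<export>" with an optionally quoted DLL path.
RUNDLL_RE = re.compile(
    r"\brundll32(?:\.exe)?\s+(?:\"([^\"]+)\"|(\S+?)),(\w+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent_image: str, image: str, command_line: str) -> list[str]:
    """Return the list of findings for one process-creation event (empty if benign)."""
    findings: list[str] = []
    parent, child = basename(parent_image), basename(image)

    # 1. Office application spawning a shell/LOLBin: the macro's first hop.
    if parent in OFFICE_APPS and child in SPAWN_SUSPECTS:
        findings.append(f"office_spawn:{parent}->{child}")

    # 2. reg.exe importing a .reg file that lives in a temp directory.
    m = REG_IMPORT_RE.search(command_line)
    if m and TEMP_PATH_RE.search(m.group(1)):
        findings.append("reg_import_from_temp")

    # 3. rundll32 loading a DLL from a temp directory and calling a named export.
    m = RUNDLL_RE.search(command_line)
    if m:
        dll = m.group(1) or m.group(2)
        export = m.group(3)
        if TEMP_PATH_RE.search(dll):
            findings.append(f"rundll32_temp_dll:{basename(dll)}!{export}")
    return findings


def scan(events: list[tuple[str, str, str]]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := classify(*ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Any one of the three findings is worth an alert on its own; all three from one parent chain within a few seconds is the pattern the post describes, and the benign rundll32/shell32 and reg query lines show why the temp-path condition, not the binary name, carries the signal.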
 

artek

Level 5
Verified
May 23, 2014
236
Ohh let me try.

1. Weird Word doc shows up in my inbox. Do I open? No. Strike One
2. Weird Word doc shows up in my users inbox do they enable macros? No because I've disabled that via group policy. Strike Two.

Applesauce.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
1. Office macros... Office not installed. Strike one.

2. “C:\Windows\System32\cmd.exe” /k %windir%\System32\reg.exe IMPORT %temp%\B.reg

AppGuard > reg.exe disabled by default & *.reg blocked by default. Strikes two and three.

3. rundll32 %Temp%\png.dll,RunPow

AppGuard > png.dll blocked by default and PowerShell disabled by user. Strikes four and five.

Wow... five layers of defense using common sense and less than 60 seconds of trivial work.

How you like them apples? Bet your default allow can't match that.
Hehe this is the kind of aggressive marketing I expect. Well done, now you've attracted my attention to AppGuard :p
 
5

509322

Hehe this is the kind of aggressive marketing I expect. Well done, now you've attracted my attention to AppGuard :p

It's not marketing. Due to multiple reasons I don't promote AppGuard here. Actually, if you look at the AppGuard threads, most of them are archived. And participation itself on a security forum by a company employee does not meet the criteria of marketing and advertising efforts.

The point is reduction of attack surface combined with default-deny.

The easiest thing to do is to never use Microsoft Office. It's equivalent to supplying no means of detonation to an explosive and will save at least $70 (for those that actually pay). The remaining blocking part of the protection is almost no effort for the user.
 
