MuddyWater campaign resurfaces with the Powershell-based PRB-Backdoor

Researchers have spotted a new sample of the MuddyWater campaign targeting victims with Microsoft Word documents embedded with a malicious macro. This macro can execute Powershell scripts that could download a malicious backdoor payload.

Trend Micro researchers discovered the new sample in May being delivered via phishing emails.

The MuddyWater campaign was first spotted in 2017 targeting Saudi government and other nations including the United States, Saudi Arabia, Israel, Turkey and Pakistan. Researchers found the new MuddyWater sample in May 2018 that used similar delivery methods and attack methods to the original campaign.

“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script(VBS) and PowerShell component files, and instead encode all the scripts on the document itself.” Trend Micro researchers said in a report. “The scripts will then be decoded and dropped to execute the payload without needing to download the component files.”

The new lure documents used are disguised as rewards or promotions, rather than the previously used government or telecommunications-related documents. This possibly indicates that the attackers are no longer targeting specific organizations or industries.

“The document is designed to trick users into enabling the macro to view its full content. However, the macro’s true purpose is to allow it to execute malicious routines without the user’s knowledge,” researchers said. “Once the macro is enabled, it will use the Document_Open() event to automatically execute the malicious routine if either a new document using the same template is opened or when the template itself is opened as a document0.”

The main PowerShell file invoker.ps1 is used to run the final payload PRB-Backdoor. This malicious backdoor then establishes communication with the C&C server to perform various malicious operations.

The malware is capable of stealing passwords, reading and writing files to the computer, executing shell commands, recording keystrokes, capturing screenshots, gathering system information and updating its functions using commands from the server.

"If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent," researchers said.

"Given the use of lure documents designed with social engineering in mind, it is likely that the attackers use phishing or spam to target users who are unaware of these documents’ malicious nature. Awareness can effectively mitigate or stop these kinds of attacks from being successful."