Security experts at Palo Alto Networks are monitoring long-lasting targeted attacks aimed at entities in the Middle East and that are difficult to attribute.
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.
Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.
“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.
“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”
MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is similar to ones associated with a series of attacks discovered by experts at Morphisec.
The malicious documents associated with this last wave of attacks had been tailored according to the target regions.
Some of the attacks were attributed to the FIN7 that launched a campaign aimed at employees involved in SEC Filings.
Palo Alto Networks believe that the recent wave of attacks might have been mistakenly associated with the FIN7 group, it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was in MuddyWater attacks as well.
The hackers maintained the same final payload while changing delivery methods between attacks.
“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.
The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.
In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.
“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.
The experts managed a number of GitHub repositories related to their malware.
The experts observed compromised accounts at third party organizations sending the MuddyWater malware, in one case, the attackers sent a malicious document which appears nearly identical to a legitimate attachment which PaloAlto observed later being sent to the same recipient.
“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.
According to Palo Alto Networks, past attribution of the attacks were wrong, the group in not financially motivated as previously thought, instead it politically motivated.
Threat actors might have planted a false flag to make hard the attribution.
“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.
(Security Affairs – MuddyWater , APT)