Muddy Water is a suspected Iranian advanced persistent threat (APT) group that primarily targets the Middle East and South East Asia for espionage purposes; its targets also include India, Pakistan and the United States.
Over the last year the group has been quite active; however, its tactics have not changed across its cyber campaign, which allows us to track it effectively. In its most recent attempt, a document named “President.doc” impersonates the Islamic Republic of Afghanistan. It was recently submitted to VirusTotal and, based on the metadata and contents of the document, was created on September 5th, 2018.
As with past decoy documents, Muddy Water uses social engineering tactics to persuade the user to enable document macros, which further infect the victim.
When the user enables the content, Visual Basic for Applications (VBA) code runs and creates several files on the host machine:
- C:\ProgramData\OfficeService.html -> INF file
- C:\ProgramData\OfficeService.ini -> encoded PowerShell script
- C:\ProgramData\OfficeService.zip -> encoded JavaScript file
The files, along with the macro code, are typically heavily obfuscated to deter analysis. Just as with their predecessors, these files use Daniel Bohannon’s obfuscation framework to encode the dropped artifacts. The process is easily reversed using the PowerShell debugger.
In summary, when the malware is executed it provides previously seen functionality such as:
- Dropping files to the file system
- Querying the host for system information
- Modifying Visual Basic settings
- Modifying Office macro security settings
- Employing sleep timers
- Checking whether the process is being debugged
- Compiling C# or VB.NET code
- Supporting commands such as Restart / Shutdown
The malware will also create a scheduled task and registry hooks to remain persistent on the host machine in the event of a system restart.
Scheduled Task:
C:\Windows\system32\schtasks.exe' /Create /F /SC DAILY /ST 12:00 /TN MicrosoftOfficeService /TR 'c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,'
Registry Run Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeService
As in previous examples of this threat, the malware then calls out to a series of compromised hosts, such as worthhappiness[.]com and marcel-delhez[.]eu, that act as proxies to conceal the address of the real command and control server.
In this attack we were unable to uncover the initial infection vector, but spear-phishing was used in recent campaigns and is a likely component in this attack. Because social engineering plays a role, parties should exercise due care when opening emails from unexpected or unlikely sources. Also, in most cases Office macros should be disabled by default to limit the effectiveness of this threat.
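A detection sketch for the scheduled-task persistence described above, added here as an example and not taken from the original post: it scans process command lines (for instance from process-creation logs) for rundll32 loading advpack.dll's LaunchINFSection export and scores how suspicious the INF path is. The function names, heuristics and sample lines are assumptions constructed for illustration.

```python
import re

# Matches rundll32 loading advpack.dll's LaunchINFSection export and captures
# the INF path and section name that follow it.
LAUNCH_INF = re.compile(
    r"rundll32(?:\.exe)?[\"']?\s+(?:\S*\\)?advpack(?:\.dll)?\s*,\s*LaunchINFSection"
    r"\s+(?P<path>[^,]+?)\s*,\s*(?P<section>[^,\s'\"]*)",
    re.IGNORECASE,
)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?[\"']?\s.*?/create\b", re.IGNORECASE)
TASK_NAME = re.compile(r"/tn\s+[\"']?([^\s\"']+)", re.IGNORECASE)
WRITABLE_DIR = re.compile(r"[a-z]:\\(?:programdata|users)\\", re.IGNORECASE)
QUOTES = str.maketrans("\u2018\u2019\u201c\u201d", "''\"\"")


def normalize(cmd):
    """Straighten typographic quotes and collapse script-escaped backslashes."""
    return re.sub(r"\\{2,}", r"\\", cmd.translate(QUOTES))


def analyze(cmd):
    """Return a finding dict for a process command line, or None if no match."""
    cmd = normalize(cmd)
    m = LAUNCH_INF.search(cmd)
    if not m:
        return None
    path = m.group("path").strip(" '\"")
    reasons = ["rundll32 advpack.dll,LaunchINFSection"]
    if not path.lower().endswith(".inf"):
        reasons.append("INF payload without .inf extension")
    if WRITABLE_DIR.match(path):
        reasons.append("payload in user-writable directory")
    task = None
    if SCHTASKS_CREATE.search(cmd):
        reasons.append("registered as scheduled task")
        t = TASK_NAME.search(cmd)
        task = t.group(1) if t else None
    return {"path": path, "section": m.group("section"), "task": task, "reasons": reasons}


# Constructed sample command lines; the first follows the form reported above.
SAMPLES = [
    r"C:\Windows\system32\schtasks.exe /Create /F /SC DAILY /ST 12:00 /TN MicrosoftOfficeService /TR 'c:\\windows\\system32\\rundll32.exe advpack.dll,LaunchINFSection C:\\ProgramData\\OfficeService.html,OfficeService,1,'",
    r"rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\sample.inf,DefaultInstall,1,",
    r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Tools\backup.exe"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

The second sample matches only the base pattern, so alerting on the number of reasons rather than on any match keeps ordinary INF installs from drowning out the persistence case.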
IOCs
SHA256 | Filename |
f2f573af0f76fe0f21bbe630a4bb50b1c1836eb24429bfb8c93673276f27e374 | President.doc |
5D1D4C4B0A5985C92EAEF3F3F4B78F8A0CF8C6FA24B55F7EF89C661EF72675AE | OfficeService.zip |
F04DC1AECF9E81807433F81D5BCBAB87AFF45121A61E130A1A3FAF0E3C6556EE | OfficeService.html |
ABD822964683695B5CF3700E757054B881A39AA77423AF39428B80BCFAD69C49 | OfficeService.ini |