MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools


Jun 10, 2019

Trend Micro researchers have identified an unspecified number of malicious campaigns believed to be conducted by the Advanced Persistent Threat (APT) group “MuddyWater.” One of the campaigns consisted of spearphishing emails distributed “to a university in Jordan and the Turkish government.” The emails were sent from authentic accounts that the group had compromised, which increases the chances that a recipient will open the attached Microsoft Word document. Researchers found that the objective of the email was to convince recipients to open the attachment, which contains an embedded macro that, if enabled, begins the infection process for a new backdoor dubbed “POWERSTATS v3.”

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to defend against APTs, and it should cover both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
