Recent MuddyWater-Associated BlackWater Campaign Shows Signs of New Anti-Detection Techniques (May 20, 2019)
The Advanced Persistent Threat (APT) group “MuddyWater” has added new techniques to its arsenal, according to Cisco Talos researchers. MuddyWater has been active since at least 2017 and primarily targets entities located in Middle Eastern countries. Researchers identified malicious documents attributed to MuddyWater, likely delivered via spearphishing emails, that contain a password-protected macro called “BlackWater.bas.” The password protection is an anti-analysis technique that prevents the macro from being viewed in the Visual Basic editor, and it may also be intended to make the macro resemble a penetration-testing team’s tool. The macro contains a PowerShell script that gains persistence through the “Run” registry key and invokes a file that appears to be a stager every 300 seconds. The stager then communicates with a MuddyWater-controlled server to “obtain a component of the FruityC2 agent script”; FruityC2 is an open source post-exploitation tool.
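As an added illustration (not code from the Talos report or this briefing), the following Python detector runs over constructed Sysmon-style records and flags two of the behaviours described above: a Run-key value whose data launches a hidden, policy-bypassing PowerShell, and powershell.exe launches that recur at roughly 300-second intervals. The record format, paths, value names and timestamps are all assumed sample data.

```python
import re
from datetime import datetime

# Constructed Sysmon-style telemetry for illustration only; no value here comes
# from the report. EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_EVENTS = [
    "UtcTime=2019-05-20 10:00:00 EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Roaming\\stage.ps1",
    "UtcTime=2019-05-20 10:00:05 EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "UtcTime=2019-05-20 10:05:00 EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Roaming\\stage.ps1",
    "UtcTime=2019-05-20 10:07:13 EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
    "UtcTime=2019-05-20 10:10:01 EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Roaming\\stage.ps1",
    "UtcTime=2019-05-20 10:14:59 EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Roaming\\stage.ps1",
    "UtcTime=2019-05-20 10:20:00 EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Roaming\\stage.ps1",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")          # key=value pairs, values may contain spaces
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Launch flags typical of a hidden, execution-policy-bypassing PowerShell loader.
LOADER_RE = re.compile(r"powershell.*(-w(indowstyle)? hidden|-ep bypass|-enc)", re.IGNORECASE)

def parse_event(line):
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(KV_RE.findall(line))

def suspicious_run_entries(lines):
    """Return Run-key value paths whose data launches a hidden/bypass PowerShell."""
    hits = []
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "13"
                and RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and LOADER_RE.search(ev.get("Details", ""))):
            hits.append(ev["TargetObject"])
    return hits

def beacon_intervals(lines, image_suffix="powershell.exe"):
    """Seconds between successive process-creation events for the given image."""
    times = sorted(
        datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for ev in map(parse_event, lines)
        if ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith(image_suffix))
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]

def is_periodic(intervals, period=300, tolerance=5, min_samples=3):
    """True when at least min_samples intervals all fall within +/- tolerance seconds of period."""
    return len(intervals) >= min_samples and all(abs(i - period) <= tolerance for i in intervals)
```

Running `suspicious_run_entries(SAMPLE_EVENTS)` and `is_periodic(beacon_intervals(SAMPLE_EVENTS))` on the sample flags the constructed "Updater" value and the 300-second launch cadence; the tolerance and minimum sample count should be tuned to the real telemetry before use.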
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to protect against APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.