MuddyWater APT Uses GitHub and Imgur to Deploy Cobalt Strike Beacon
Just after Christmas (December 25), a security researcher going by the Twitter handle of @Arkbird_SOLG, posted details of what appears to be an attack chain that began with a malicious Word document.
Since then, Arkbird and multiple subsequent researchers have attributed this attack to the MuddyWater APT (Advanced Persistent Threat) group.
MuddyWater activity was first discovered in 2017, primarily targeting entities involved in oil, telecommunications and government in Middle Eastern nations as well as some European and North American countries. MuddyWater is believed to be Iran-based, state-sponsored and is also known as SeedWorm and TEMP.Zagros.
What Is It?
The attack chain begins with a Microsoft Word document containing a malicious macro. The document utilizes the oft used social engineering technique of claiming that the embedded file was “edited in a different version of Microsoft Word” and “To load the document, please Enable Content.” If a recipient is convinced to “Enable Content,” the embedded macro executes a PowerShell script in a hidden window. This script then downloads and executes another PowerShell script hosted on a Github account. At the time of writing, this hosted PowerShell script is only detected by one of the sixty products on VirusTotal.
Once executed, the PowerShell script then downloads what appears to be a harmless Portable Network Graphic (PNG) image file with four icons. However, the script utilizes a process known as steganography to perform calculations on the pixel values of the image file to extract code for the final payload, a Cobalt Strike beacon script. While Cobalt Strike is a legitimate tool used for penetration testing and often leveraged by attackers, a Cobalt Strike beacon creates a system backdoor.
There is one more trick in this attack chain. Once decoded, the shellcode contained in the Cobalt Strike payload contains an European Institute for Computer Antivirus Research (EICAR) test string. This specific string is used to test whether signature-based malware detection tools are functioning correctly. In the MuddyWater APT attack the intent is to make it appear to signature-based detection tools and the SOC teams reviewing the alerts generated by such tools that the payload is for testing and not malicious. This technique is not unique, but it is not frequently used. The timing of this attack during a holiday and vacation season suggests the attackers are attempting to capitalize on reduced SOC and higher-level security team’s capacity so that their payload might be dismissed as an EICAR test.
The combined use of the techniques described above is consistent with evidence that an APT group perpetrated this attack.
How Does It Propagate?
This malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is malicious Word document attachments containing macros.
When/How Did BluVector Detect It?
Two malicious Word document samples and the PowerShell script downloaded from GitHub are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the Word document samples would have both been detected 82 months prior to their release. The PowerShell script downloaded from GitHub, which at the time of writing is only detected by one of the sixty products on VirusTotal, would have been detected by BluVector 15 months prior to its release.