RSA NetWitness Platform Blog, November 2019
MuddyWater

MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region.

In the past the group relied on spear phishing emails carrying macro-infected Word documents (as seen in a previous post); in a new wave of attacks during October-November 2019 it has been using similar techniques with Excel documents.

In this post we will look at one of those Excel files used in the latest campaign and identify ways to detect it using RSA NetWitness Network and Endpoint.

The following is the file used in this article:

Filename     SHA256
Report.xls   905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148

Execution

In a real attack, the file would be delivered via email to its target. In our case, we will manually execute it.

This particular sample must be named “Report.xls” or it will fail to execute.

On opening the file, the user is shown the following message telling them to enable editing and content. This is meant to trick the user into enabling macros.

Once content is enabled, the following 2 files are dropped in “C:\Users\<user>\AppData\Local\Temp”.

Endpoint Visibility

By leveraging RSA NetWitness Endpoint, we can quickly see that Excel, although a known legitimate file, has an elevated risk score based on its behavior.

By tracking the events on the endpoint, we can see the below behaviors:

  1. Excel creates the “wucj.exe” file
  2. The “wucj.exe” file is executed
  3. “wucj.exe” loads the “zdrqgswu” file, which appears to be a VB script; this leads to 2 network connections over TCP/80 to the “ampacindustries.com” domain.

By looking at the registry changes made by Excel, we can also see that a key has been created to run at startup, giving the malware persistence across reboots.

If we look more closely at the “wucj.exe” file, we notice that it is a known, valid Microsoft file. We can confirm this by searching for its hash on VirusTotal. The file is actually “wscript.exe”, the Windows Script Host used to run VB scripts (which is in line with the behavior seen).
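The three endpoint behaviors above (Office writing an executable into the user's Temp folder, Office writing a Run key, and a script host running under a different file name) can each be expressed as a simple rule over endpoint telemetry. The following is an added example, not RSA NetWitness code or output: the event shape (kind, actor, target, original_filename) is an assumption standing in for whatever fields an EDR records, and the sample events and paths are constructed to mirror the chain described in this post.

```python
"""Behavioural detection over endpoint telemetry (added example).

The Event fields are an assumed normalisation of EDR output; the
SAMPLE_EVENTS list is constructed, not captured telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run"


@dataclass
class Event:
    kind: str                  # "file_create" | "process_start" | "registry_set"
    actor: str                 # image path of the process performing the action
    target: str                # file path, child image path or registry key
    original_filename: Optional[str] = None  # PE VERSIONINFO OriginalFilename of target, if known


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def evaluate(events: List[Event]) -> List[str]:
    """Return one finding per matched rule, in event order."""
    findings: List[str] = []
    for e in events:
        actor = _basename(e.actor)
        # Rule 1: an Office application writes an executable into the user's Temp folder
        if (e.kind == "file_create" and actor in OFFICE_APPS
                and e.target.lower().endswith(".exe") and _in_user_temp(e.target)):
            findings.append(f"office-drops-exe: {actor} wrote {e.target}")
        # Rule 2: an Office application writes a Run key (startup persistence)
        if (e.kind == "registry_set" and actor in OFFICE_APPS
                and RUN_KEY_FRAGMENT in e.target.lower()):
            findings.append(f"office-run-key: {actor} set {e.target}")
        # Rule 3: a started process whose on-disk name differs from its PE
        # OriginalFilename, where the real binary is a script host (wucj.exe = wscript.exe)
        if (e.kind == "process_start" and e.original_filename
                and e.original_filename.lower() in SCRIPT_HOSTS
                and _basename(e.target) != e.original_filename.lower()):
            findings.append(
                f"renamed-script-host: {_basename(e.target)} is really {e.original_filename}")
    return findings


# Constructed telemetry mirroring the chain above (Office path, user name and key name are assumptions)
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    Event("file_create", _EXCEL, r"C:\Users\rsa\AppData\Local\Temp\wucj.exe"),
    Event("file_create", _EXCEL, r"C:\Users\rsa\AppData\Local\Temp\zdrqgswu"),
    Event("registry_set", _EXCEL, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wucj"),
    Event("process_start", _EXCEL, r"C:\Users\rsa\AppData\Local\Temp\wucj.exe",
          original_filename="wscript.exe"),
    # benign noise: a normal wscript.exe launch from its real location, name matches
    Event("process_start", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
          original_filename="wscript.exe"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Rule 3 depends on the EDR exposing the PE version resource; where it does not, the same check can be made by comparing the file's hash against the hash of the OS-supplied wscript.exe, which is how the post confirms the file's identity via VirusTotal.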

Network Visibility

In the previous steps, we have seen that the VB script has initiated a connection over TCP/80 to the “ampacindustries.com” domain.

If we look at the details of this network connection in RSA NetWitness Network, we can see that the domain matches one of the Threat Intelligence feeds.

If we then reconstruct the session to look at the raw data, we can identify that the malware is sending the following within the HTTP GET request:

  • The username: rsa
  • The hostname: DEMO-USER-1
  • The Operating System: Windows (32-bit) NT 6.01

Indicators of Compromise

The following are some additional indicators that can be used to detect the presence of a compromise.

File Hashes

Filename     Hash (MD5)
Report.xls   7ed6c5e8c3ec4f9499eb793d69a06758
Report.xls   b100c0cfbe59fa66cbb75de65c505ce2
Report.xls   b9ee416f2d9557be692abf448bf2f937
Report.xls   a9706c01de9364eab210ea73296bfe71
Report.xls   1cd71f39ff9fb3bf269440b63c717195
Report.xls   50ac74eb38d6fa07d9f5e788d61a92cd
Report.xls   4022bbb9df5d86226bd9a89f361c94b9
Report.xls   584479a1958a73720c4aebb52c59b21e
Report.xls   269afae11cc9837e732019a03fa02fab
Report.xls   32156247f900883d5106795ec103a624
Report.xls   e18228bee6f1cf12eaf1bb4d5be587bf
Report.xls   5ef459908d5be0672b02cdfe4f606989
Report.xls   66c783e41480e65e287081ff853cc737
Report.xls   2c3a634953a9a2c227a51e8eeac9f137
Report.xls   9d0bfb81f450de8364327a4aaa67d9b3
Report.xls   46f911014f1202e17936f627f34e6165

Command & Control Domains

URLs

hxxp://graphixo.net/wp-includes/utf8.php

hxxp://ksahosting.net/wp-includes/utf8.php

hxxps://assignmenthelptoday.com/wp-includes/utf8.php

hxxps://annapolisfirstlimo.com/editob.nvd

hxxp://ampacindustries.com/css/utf8.php

APT33

APT33 is a state-sponsored group suspected to be linked to Iran. It has been active since 2013 and has targeted organizations in the aviation and energy sectors mainly across the United States and the Middle East regions.

The group has recently been seen using private VPN networks with changing exit nodes to issue commands and collect data to and from their C&C servers.

In this post we will look at one of the malware files used within those campaigns and identify ways to detect it using RSA NetWitness Network and Endpoint.

The following is the file used in this article:

Filename        SHA256
MsdUpdate.exe   e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd

This specific sample is rather basic in terms of behavior, but provides both persistence to the attacker, as well as the ability to deploy other malicious files.

Endpoint Visibility

By leveraging RSA NetWitness Endpoint, we can easily identify files and processes that have an elevated risk score due to their behavior. In the below screenshot, we can clearly see that the file “MsdUpdate.exe” stands out due to both its risk score and its reputation (identified as “Malicious”). In addition, we can see that the file is not signed by any valid or trusted certificate.

By drilling into the "MsdUpdate.exe" process, we can see in the next screenshot the different actions done by the process:

  1. It modifies the registry
  2. It communicates over the network with the “simsoshop.com” domain
  3. It copies itself to “C:\Users\<user>\Roaming\MSDUpdate\MsdUpdate.exe”

If we look in more detail at the registry changes made by the file, as per the below screenshot, we can see that it modified the “Run” key to run itself at startup. This gives the attacker persistence, maintaining access after the machine is rebooted.

Network Visibility

As seen in the previous step, we have been able to identify that the malicious file has communicated with the “simsoshop.com” domain. By drilling into this on the Network component we can look at more details regarding this network connection.

Based on the below screenshot we can see:

  • 4 different sessions separated exactly by 10 min each, which indicates a programmatic behavior typical of beaconing activity
  • All sessions are posting data to a file named “update.php”, which also suspiciously looks like beaconing
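The "exactly 10 minutes apart" observation is what distinguishes beaconing from ordinary browsing, and it can be checked programmatically: group sessions by source, destination and path, compute the gaps between consecutive sessions, and flag groups whose gaps have near-zero variance. The following is an added example, not RSA NetWitness code or output; the session records are constructed, and only the destination host, the update.php path and the 10-minute interval come from the post.

```python
"""Periodicity check for candidate beaconing (added example).

SESSIONS is constructed sample data, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Session = Tuple[str, str, str, str]  # (source host, destination host, URL path, ISO timestamp)

# Constructed sessions: four POSTs to update.php ~10 min apart, plus irregular intranet noise
SESSIONS: List[Session] = [
    ("demo-host", "simsoshop.com", "/update.php", "2019-11-12T10:00:00"),
    ("demo-host", "simsoshop.com", "/update.php", "2019-11-12T10:10:00"),
    ("demo-host", "simsoshop.com", "/update.php", "2019-11-12T10:20:01"),
    ("demo-host", "simsoshop.com", "/update.php", "2019-11-12T10:30:00"),
    ("demo-host", "intranet.example", "/news", "2019-11-12T10:01:00"),
    ("demo-host", "intranet.example", "/news", "2019-11-12T10:02:00"),
    ("demo-host", "intranet.example", "/news", "2019-11-12T10:17:00"),
    ("demo-host", "intranet.example", "/news", "2019-11-12T10:17:30"),
]

Key = Tuple[str, str, str]


def find_beacons(sessions: List[Session], min_sessions: int = 4,
                 max_jitter: float = 0.05) -> Dict[Key, Tuple[int, float]]:
    """Group sessions by (src, dst, path) and report groups whose inter-session
    gaps are near-constant. Returns {key: (mean gap in seconds, jitter ratio)}.

    jitter is the coefficient of variation of the gaps (stddev / mean):
    0 means perfectly regular, and hand-driven traffic is typically far above max_jitter.
    """
    by_key: Dict[Key, List[datetime]] = defaultdict(list)
    for src, dst, path, ts in sessions:
        by_key[(src, dst, path)].append(datetime.fromisoformat(ts))

    beacons: Dict[Key, Tuple[int, float]] = {}
    for key, times in by_key.items():
        if len(times) < min_sessions:
            continue  # too few sessions to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = (round(avg), round(jitter, 4))
    return beacons


if __name__ == "__main__":
    for key, (period, jitter) in find_beacons(SESSIONS).items():
        print(f"{key[0]} -> {key[1]}{key[2]}: every {period}s (jitter {jitter})")
```

Real implants often add random sleep jitter, so the max_jitter threshold is a tuning knob rather than a constant; the sample here is tolerant of the one-second drift in the constructed timestamps while still rejecting the irregular intranet traffic.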

We can then reconstruct the payload of any of the above sessions to look at its content and confirm that this is indeed beaconing activity.

As seen below, we can confirm that the query is updating an entry with a payload in hexadecimal (most likely encoded).

This shows how RSA NetWitness Network and Endpoint can help in quickly detecting, identifying and investigating such attacks based on activity on both the endpoint and the network.

Indicators of Compromise

The following are some additional indicators that can be used to detect the presence of this malware.

File Hashes

Filename        SHA256
MsdUpdate.exe   e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd
MsdUpdate.exe   a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449
MsdUpdate.exe   c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2
MsdUpdate.exe   b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e

Command & Control Domains

Domain

suncocity.com

service-explorer.com

zandelshop.com

service-norton.com

simsoshop.com

service-eset.com

zeverco.com

service-essential.com

qualitweb.com

update-symantec.com

IP Addresses

IP Address

5.135.120.57

137.74.80.220

5.135.199.25

137.74.157.84

31.7.62.48

185.122.56.232

51.77.11.46

185.125.204.57

54.36.73.108

185.175.138.173

54.37.48.172

188.165.119.138

54.38.124.150

193.70.71.112

88.150.221.107

195.154.41.72

91.134.203.59

213.32.113.159

109.169.89.103

216.244.93.137

109.200.24.114
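The indicator tables in both posts (the MuddyWater C2 URLs and the APT33 domains and IP addresses) are most useful when run against proxy or firewall logs. The following is an added example, not RSA NetWitness content: the URL, domain and IP lists are copied from the tables above, while the proxy log lines and their layout (timestamp, client IP, method, URL, server IP, status) are constructed. It distinguishes an exact URL or IP hit from a domain-only hit, since the MuddyWater URLs sit under wp-includes paths on what look like compromised legitimate sites, where traffic to the domain alone is weaker evidence.

```python
"""Match proxy log lines against the indicators published in these posts (added example).

Indicator lists come from the tables above; SAMPLE_LOG and its layout are constructed.
"""
import ipaddress
from typing import List, Set, Tuple
from urllib.parse import urlsplit

MUDDYWATER_URLS = [
    "hxxp://graphixo.net/wp-includes/utf8.php",
    "hxxp://ksahosting.net/wp-includes/utf8.php",
    "hxxps://assignmenthelptoday.com/wp-includes/utf8.php",
    "hxxps://annapolisfirstlimo.com/editob.nvd",
    "hxxp://ampacindustries.com/css/utf8.php",
]
APT33_DOMAINS = [
    "suncocity.com", "service-explorer.com", "zandelshop.com", "service-norton.com",
    "simsoshop.com", "service-eset.com", "zeverco.com", "service-essential.com",
    "qualitweb.com", "update-symantec.com",
]
APT33_IPS = [
    "5.135.120.57", "137.74.80.220", "5.135.199.25", "137.74.157.84", "31.7.62.48",
    "185.122.56.232", "51.77.11.46", "185.125.204.57", "54.36.73.108", "185.175.138.173",
    "54.37.48.172", "188.165.119.138", "54.38.124.150", "193.70.71.112", "88.150.221.107",
    "195.154.41.72", "91.134.203.59", "213.32.113.159", "109.169.89.103", "216.244.93.137",
    "109.200.24.114",
]


def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging used in the indicator tables."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def build_indicators():
    """Return (exact (host, path) pairs, host set, IP set)."""
    exact: Set[Tuple[str, str]] = set()
    hosts: Set[str] = {d.lower() for d in APT33_DOMAINS}
    for u in MUDDYWATER_URLS:
        p = urlsplit(refang(u))
        exact.add((p.hostname, p.path))
        hosts.add(p.hostname)
    ips = {ipaddress.ip_address(i) for i in APT33_IPS}
    return exact, hosts, ips


def match_line(line: str, indicators) -> Tuple[str, str]:
    """Classify one proxy log line as ('high' | 'medium' | 'none', reason)."""
    exact, hosts, ips = indicators
    _ts, _client, _method, url, server_ip, _status = line.split()
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if ipaddress.ip_address(server_ip) in ips:
        return "high", f"server IP {server_ip} is a listed C2 address"
    if (host, p.path) in exact:
        return "high", f"exact C2 URL {host}{p.path}"
    if host in hosts:
        # domain listed but path differs: possibly a compromised site's legitimate pages
        return "medium", f"domain {host} is listed but path {p.path} is not"
    return "none", ""


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, level, reason) for every line that matched an indicator."""
    ind = build_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        level, reason = match_line(line, ind)
        if level != "none":
            hits.append((n, level, reason))
    return hits


# Constructed proxy log; the 203.0.113.x server addresses and non-indicator paths are made up
SAMPLE_LOG = [
    "2019-11-12T10:00:03 10.1.2.3 GET http://ampacindustries.com/css/utf8.php?u=rsa 203.0.113.10 200",
    "2019-11-12T10:00:09 10.1.2.3 GET https://www.example.org/ 203.0.113.11 200",
    "2019-11-12T10:05:00 10.1.2.9 POST http://simsoshop.com/update.php 5.135.120.57 200",
    "2019-11-12T10:06:00 10.1.2.4 GET http://graphixo.net/blog/ 203.0.113.12 200",
]

if __name__ == "__main__":
    for n, level, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {level}: {reason}")
```

The query string on the first sample line stands in for the host details the MuddyWater sample was seen sending in its GET request; the match is on host and path only, so variations in the query do not defeat it.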
