MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region.
The group relied on spear phishing emails with macro infected Word documents in the past (as seen in a previous post) and has recently been using similar techniques using Excel documents in a new wave of attacks during October-November 2019.
In this post we will look at one of those Excel files used in the latest campaign and identify ways to detect it using RSA NetWitness Network and Endpoint.
The following is the file used in this article:
In a real attack, the file would be delivered via email to its target. In our case, we will manually execute it.
This particular sample must be named “Report.xls” or would fail to execute.
By opening the file, the user will get the following message telling him to enable editing and content. This is to trick the user into enabling Macros.
Once content is enabled, the following 2 files are dropped in “C:\Users\<user>\AppData\Local\Temp”.
By leveraging RSA NetWitness Endpoint, we can quickly see that Excel, even though a known legitimate file, has an elevated risk score based on its behavior.
By tracking the events on the endpoint, we can see the below behaviors:
- Excel creates the “wucj.exe” file
- The “wucj.exe” file is executed
- “wucj.exe” loads the “zdrqgswu” file, which appears to be a VB script, which leads to 2 network connections over TCP/80 to the “ampacindustries.com” domain.
By looking at the registry changes done by Excel, we can also see that a key has been created to run at startup for persistence after reboots.
If we look more closely at the “wucj.exe” file, we can notice that it is a known and valid Microsoft file. We can confirm this by searching for the hash on VirusTotal. The file is actually “wscript.exe” used to load VB scripts (which is in line with the behavior seen).
In the previous steps, we have seen that the VB script has initiated a connection over TCP/80 to the “ampacindustries.com” domain.
If we look at the details of this network connection on RSA NetWitness Network, we can see that the domain is hitting one of the Threat Intelligence feeds.
If we then reconstruct the session to look at the raw data, we can identify that the malware is sending within the HTTP GET Request:
- The username: rsa
- The hostname: DEMO-USER-1
- The Operating System: Windows (32-bit) NT 6.01
Indicators of Compromise
The following are some additional indicators that can be used to detect the presence of a compromise.
Command & Control Domains