Halim Abouzeid

Detecting a MuddyWater APT using the RSA NetWitness Platform

Blog Post created by Halim Abouzeid Employee on Nov 21, 2019

MuddyWater

MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region.

In the past the group relied on spear-phishing emails with macro-infected Word documents (as seen in a previous post), and in a new wave of attacks during October-November 2019 it has been using the same technique with Excel documents.

In this post we will look at one of those Excel files used in the latest campaign and identify ways to detect it using RSA NetWitness Network and Endpoint.

The following is the file used in this article:

Filename: Report.xls
SHA256: 905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148

Execution

In a real attack, the file would be delivered via email to its target. In our case, we will manually execute it.

This particular sample must be named “Report.xls” or it will fail to execute.

When the file is opened, the user gets the following message telling them to enable editing and content. This is to trick the user into enabling macros.

Once content is enabled, the following two files are dropped in “C:\Users\<user>\AppData\Local\Temp”.

Endpoint Visibility

Using RSA NetWitness Endpoint, we can quickly see that Excel, even though it is a known legitimate file, has an elevated risk score based on its behavior.

By tracking the events on the endpoint, we can see the following behaviors:

  1. Excel creates the “wucj.exe” file
  2. The “wucj.exe” file is executed
  3. “wucj.exe” loads the “zdrqgswu” file, which appears to be a VB script; this leads to two network connections over TCP/80 to the “ampacindustries.com” domain.

By looking at the registry changes made by Excel, we can also see that a key has been created to run at startup, giving the malware persistence across reboots.

If we look more closely at the “wucj.exe” file, we notice that it is a known and valid Microsoft file. We can confirm this by searching for its hash on VirusTotal. The file is actually “wscript.exe”, which is used to run VB scripts (in line with the behavior seen).

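The endpoint behaviors above can be turned into a small set of correlation rules. The following Python is an added example, not code from the original post or from RSA NetWitness: it runs over constructed sample events (field names are assumed, and the wscript.exe hash is a placeholder) and flags an Office application dropping an executable into the user's Temp folder and setting a Run key, a known script host running under another file name, and that renamed host loading an extension-less file.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the behaviors described in the post.
# Field names are hypothetical (not a NetWitness export) and the hash is a
# PLACEHOLDER for the real wscript.exe hash confirmed via VirusTotal.
EVENTS = [
    {"id": 1, "action": "writeFile", "process": "excel.exe",
     "target": r"C:\Users\rsa\AppData\Local\Temp\wucj.exe"},
    {"id": 2, "action": "writeFile", "process": "excel.exe",
     "target": r"C:\Users\rsa\AppData\Local\Temp\zdrqgswu"},
    {"id": 3, "action": "createProcess", "process": "excel.exe",
     "target": r"C:\Users\rsa\AppData\Local\Temp\wucj.exe",
     "target_hash": "PLACEHOLDER_WSCRIPT_HASH"},
    {"id": 4, "action": "openFile", "process": "wucj.exe",
     "target": r"C:\Users\rsa\AppData\Local\Temp\zdrqgswu"},
    {"id": 5, "action": "setRegistry", "process": "excel.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wucj"},
    {"id": 6, "action": "writeFile", "process": "winword.exe",  # benign
     "target": r"C:\Users\rsa\Documents\notes.docx"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
KNOWN_SCRIPT_HOSTS = {"PLACEHOLDER_WSCRIPT_HASH": "wscript.exe"}  # hash -> real name
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.I)

def detect(events):
    # Returns {event_id: [rule names]} for every event matching at least one rule.
    hits = defaultdict(list)
    renamed = set()  # on-disk names whose hash is a known script host
    for e in events:
        proc, act, tgt = e["process"].lower(), e["action"], e["target"]
        name, in_temp = tgt.rsplit("\\", 1)[-1].lower(), bool(TEMP_DIR.search(tgt))
        # Rule 1: an Office application drops an executable into %TEMP%.
        if proc in OFFICE and act == "writeFile" and in_temp and name.endswith((".exe", ".dll", ".scr")):
            hits[e["id"]].append("office_drops_exe_in_temp")
        # Rule 2: an Office application sets a Run key for persistence.
        if proc in OFFICE and act == "setRegistry" and RUN_KEY.search(tgt):
            hits[e["id"]].append("office_sets_run_key")
        # Rule 3: a known script host binary runs under a different file name.
        real = KNOWN_SCRIPT_HOSTS.get(e.get("target_hash"))
        if real and name != real:
            hits[e["id"]].append("renamed_script_host")
            renamed.add(name)
        # Rule 4: the renamed host loads an extension-less file from %TEMP%.
        if proc in renamed and act == "openFile" and in_temp and not SCRIPT_EXT.search(name):
            hits[e["id"]].append("script_host_loads_extensionless_file")
    return dict(hits)
```

Rule 4 depends on rule 3 having seen the renamed host earlier in the same event stream, so events must be fed in chronological order.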
Network Visibility

In the previous steps, we have seen that the VB script has initiated a connection over TCP/80 to the “ampacindustries.com” domain.

If we look at the details of this network connection in RSA NetWitness Network, we can see that the domain matches one of the Threat Intelligence feeds.

If we then reconstruct the session to look at the raw data, we can see that the malware sends the following within the HTTP GET request:

  • The username: rsa
  • The hostname: DEMO-USER-1
  • The Operating System: Windows (32-bit) NT 6.01

Indicators of Compromise

The following are some additional indicators that can be used to detect the presence of a compromise.

Outcomes