Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 12/05/2018

PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

This report investigates PRB-Backdoor, a powerful and multifunctional piece of malware suspected to be associated with the MuddyWater group. The malware is delivered via a macro-enabled Word document and uses PowerShell scripts for execution. It employs obfuscation techniques to conceal its activity and communicates with a command-and-control (C2) server over HTTP. The backdoor offers a wide range of functionality, including keylogging, screen capturing, system information collection, and password theft. The backdoor appears to be new and unique, with no references found in any public source.

Detected Targets

Type | Description | Confidence
Case | EgyptAir. Egyptair is the state-owned flag carrier of Egypt. The airline is headquartered at Cairo International Airport, its main hub, operating scheduled passenger and freight services to 81 destinations in Africa, Europe, Asia, and the Americas. Egyptair is a member of Star Alliance. EgyptAir has been targeted by MuddyWater for malicious purposes. | Verified
Region | Egypt | Medium

Extracted IOCs

  • linledin[.]net
  • outl00k[.]net
  • simon.nitoo@chmail[.]ir
  • fdb4b4520034be269a65cfaee555c52e
  • 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b
  • 5[.]160.124.99
  • 74[.]91.19.118

Tip: 7 IOCs related to this threat have been found (2 IP addresses, 2 domains, 0 URLs, 1 email address, 2 file hashes).

Overlaps

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (two cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e

Unknown | xHunt Campaign Targets Kuwait's Transportation and Shipping Sectors

Source: Palo Alto Networks - September 2019

Detection (two cases): 74[.]91.19.118, outl00k[.]net

MuddyWater | Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload

Source: Trend Micro - June 2018

Detection (three cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e, outl00k[.]net

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.