Threats Feed | Actor: MuddyWater | Author: Certfa Radar | Publish Date: 14/06/2018 | Last Updated: 25/07/2024

Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

A potential MuddyWater campaign has been identified from a new sample found in May 2018. The campaign uses a malicious Microsoft Word document with an embedded macro that executes PowerShell scripts, ultimately delivering the PRB-Backdoor payload. Notably, the lure document's subject matter has shifted from government- or telecommunications-themed documents to rewards or promotions, suggesting that targets may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform various functions, such as gathering system information, keylogging, and capturing screenshots.

Detected Targets

Type: Case
Description: EgyptAir. Egyptair is the state-owned flag carrier of Egypt. The airline is headquartered at Cairo International Airport, its main hub, operating scheduled passenger and freight services to 81 destinations in Africa, Europe, Asia, and the Americas. Egyptair is a member of Star Alliance. EgyptAir has been targeted by MuddyWater for malicious purposes.
Confidence: Verified

Type: Region
Description: Egypt
Confidence: Medium

Extracted IOCs

  • outl00k[.]net
  • fdb4b4520034be269a65cfaee555c52e
  • 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b
  • hxxp://outl00k[.]net

Tip: 4 related IOCs (0 IP, 1 domain, 1 URL, 0 email, 2 file hash) to this threat have been found.

Overlaps

Actor: MuddyWater. MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (two cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e

Actor: Unknown. xHunt Campaign Targets Kuwait's Transportation and Shipping Sectors

Source: Palo Alto Networks - September 2019

Detection (one case): outl00k[.]net

Actor: MuddyWater. PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered

Source: Security 0wnage - May 2018

Detection (three cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e, outl00k[.]net

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.