Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload
- Actor Motivations: Espionage
- Attack Vectors: Backdoor, Malicious Macro
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
A potential MuddyWater campaign has been identified from a new sample found in May 2018. The campaign uses a malicious Microsoft Word document whose embedded macro executes PowerShell scripts, ultimately delivering the PRB-Backdoor payload. Notably, the lure document's subject matter has shifted from government- or telecommunications-themed content to rewards and promotions, suggesting that targeting may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform functions such as gathering system information, keylogging, and capturing screenshots.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | EgyptAir: EgyptAir is the state-owned flag carrier of Egypt. The airline is headquartered at Cairo International Airport, its main hub, operating scheduled passenger and freight services to 81 destinations in Africa, Europe, Asia, and the Americas. EgyptAir is a member of Star Alliance. EgyptAir has been targeted by MuddyWater for malicious purposes. | Verified |
| Region | Egypt | Medium |
Extracted IOCs
- outl00k[.]net
- fdb4b4520034be269a65cfaee555c52e
- 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b
- hxxp://outl00k[.]net
Tip: 4 related IOCs (0 IPs, 1 domain, 1 URL, 0 emails, 2 file hashes) have been found for this threat.
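The IOCs above are published defanged (`[.]` and `hxxp://`), so they have to be normalized before they can be compared with real telemetry. The following Python is an added example, not part of the original report, that refangs the page's four IOCs, indexes them by type, and sweeps three kinds of constructed sample data for them: proxy log lines (domain and URL matches, including subdomains of the listed domain), a file inventory (MD5/SHA-256 matches), and process-creation events, where it applies a behavioural check for the macro-to-PowerShell step described in the overview (an Office process spawning a script host). All log lines, file paths, hash placeholders and process events are constructed for the example; the only real values are the IOCs quoted from this page.

```python
"""Sweep constructed telemetry for the page's MuddyWater IOCs and for the
macro-to-PowerShell behaviour described in the overview (added example)."""
import re

# IOCs exactly as the page lists them (defanged with [.] and hxxp://).
DEFANGED_IOCS = [
    "outl00k[.]net",
    "fdb4b4520034be269a65cfaee555c52e",
    "240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b",
    "hxxp://outl00k[.]net",
]


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the IOC list so the values
    can be compared with real telemetry."""
    ioc = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Bucket a refanged IOC by type; unknown shapes are treated as domains."""
    if ioc.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"[0-9a-f]{32}", ioc):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{64}", ioc):
        return "sha256"
    return "domain"


def build_ioc_index(defanged):
    """Refang, lowercase and group the IOCs by type for fast lookup."""
    index = {"domain": set(), "url": set(), "md5": set(), "sha256": set()}
    for raw in defanged:
        clean = refang(raw).lower()
        index[classify(clean)].add(clean)
    return index


def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed proxy log lines: timestamp client host url status
PROXY_LOG = [
    "2018-05-14T09:12:01Z 10.0.0.21 www.example.org http://www.example.org/ 200",
    "2018-05-14T09:13:44Z 10.0.0.21 outl00k.net http://outl00k.net/ 200",
    "2018-05-14T09:13:45Z 10.0.0.21 cdn.outl00k.net http://cdn.outl00k.net/a 200",
    "2018-05-14T09:15:02Z 10.0.0.37 outlook.office.com https://outlook.office.com/ 200",
]


def scan_proxy_log(lines, index):
    """Return (client, host) pairs whose host or URL hits an IOC."""
    hits = []
    for line in lines:
        _ts, client, host, url, _status = line.split()
        url_hit = any(url.lower().startswith(u) for u in index["url"])
        if host_matches(host, index["domain"]) or url_hit:
            hits.append((client, host))
    return hits


# Constructed file inventory records (path, md5, sha256). The first record
# carries the page's hashes; the second uses all-zero placeholders.
FILE_RECORDS = [
    {"path": "C:\\Users\\a\\Downloads\\lure_sample.doc",
     "md5": "fdb4b4520034be269a65cfaee555c52e",
     "sha256": "240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b"},
    {"path": "C:\\Users\\a\\Downloads\\report.docx",
     "md5": "0" * 32, "sha256": "0" * 64},
]


def scan_file_records(records, index):
    """Return paths whose MD5 or SHA-256 matches a listed hash."""
    return [r["path"] for r in records
            if r["md5"].lower() in index["md5"]
            or r["sha256"].lower() in index["sha256"]]


# Constructed process-creation events as (parent image, child image).
PROCESS_EVENTS = [
    ("WINWORD.EXE", "powershell.exe"),
    ("explorer.exe", "WINWORD.EXE"),
    ("explorer.exe", "powershell.exe"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def flag_office_spawning_scripts(events):
    """Behavioural check for the macro-to-PowerShell step: an Office
    application launching a script host, independent of any IOC."""
    return [(p, c) for p, c in events
            if p.lower() in OFFICE_PARENTS and c.lower() in SCRIPT_HOSTS]


if __name__ == "__main__":
    idx = build_ioc_index(DEFANGED_IOCS)
    print("proxy hits:", scan_proxy_log(PROXY_LOG, idx))
    print("file hits:", scan_file_records(FILE_RECORDS, idx))
    print("office->script:", flag_office_spawning_scripts(PROCESS_EVENTS))
```

The subdomain match in `host_matches` matters because a single listed domain is rarely the only host the infrastructure answers on, while the process-tree check catches the delivery step even after the domain or hashes change, which is why a sweep should combine the two rather than rely on atomic IOCs alone.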
Overlaps
Source: Picussecurity - March 2022
Detection (two cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e
Source: Palo Alto Networks - September 2019
Detection (one case): outl00k[.]net
Source: Security 0wnage - May 2018
Detection (three cases): 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b, fdb4b4520034be269a65cfaee555c52e, outl00k[.]net
Hint: Overlaps are extracted automatically by comparing the IOCs associated with all indexed threats and actors.