A resurgence of last year’s ‘MuddyWater’ threat campaign may be targeting organizations in Pakistan, Turkey and Tajikistan as part of a round of espionage activities
Trend Micro researcher Jaromir Horejsi posted a blog about the attacks this week. In it he claims that the latest campaigns bear similarities to last year’s activities.
In 2017 the MuddyWater campaign used decoy documents such mimicking government organisations including the NSA. The targeted countries included India, Pakistan, Georgia, Iraq, Israel, Saudi Arabia, Turkey, the United Arab Emirates and the United States.
It dropped both Visual Basic files and PowerShell files in order to gain backdoor access to their targets.
This year’s campaign uses decoy documents to mimic government organizations including the Ministry of Internal Affairs of the Republic of Tajikistan. The infection process uses both Visual Basic and PowerShell file droppers; and in both cases hacked websites are used as proxies.
“Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,”Horejsi says.
Trend Micro research found that one of the latest delivery documents uses text and filenames in the Tajik language. This is to target people working for government organizations and telecommunications firms in Tajikistan.
Another document is designed to look like a dissatisfaction form sent to telecommunications companies.
“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked. There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same,” Horejsi explains.
The enclosed backdoor collects the infected machine’s IP address, operating system name, architecture domain, network adapter configuration, and the username.
Attackers may be monitoring infected machines’ incoming connections to their command & control server – evident by personalized messaging in some cases.
“Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing,” Horejsi notes.
“Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.”