# New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools

Source: https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/

Jaromir Horejsi (Threat Researcher), November 30, 2018

MuddyWater is a well-known threat actor group that has been active since 2017. They target organizations across the Middle East and Central Asia, primarily using spear phishing emails with malicious attachments. Most recently they were connected to a campaign in March that targeted [organizations in Turkey, Pakistan, and Tajikistan](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/). The group has been quite visible since the initial 2017 [Malwarebytes report on their elaborate espionage attack](https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/) against the Saudi Arabian government. After that first report, they were [extensively analyzed by other security companies](https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/). Through all that, we have only seen minor changes to the tactics, techniques and procedures (TTPs) they use. However, we recently observed a few interesting delivery documents that match known MuddyWater TTPs.
These documents are named Raport.doc or Gizli Raport.doc (“Report” and “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance report (Confidential Information)” in Turkish), all of which were uploaded to VirusTotal from Turkey. Our analysis revealed that they drop a new backdoor written in PowerShell, as is MuddyWater’s known POWERSTATS backdoor. Unlike previous incidents using POWERSTATS, however, command and control (C&C) communication and data exfiltration are done through the API of a cloud file hosting provider.

The screenshots below show the malicious attachments, which are disguised to look real, like any typical phishing document. The images show blurry logos that we have identified as belonging to various Turkish government organizations; the logos add to the disguise and lure users into believing the documents are legitimate. The document then notifies users that it is an “old version” and prompts them to enable macros to display the document properly. If the targeted victims enable macros, the malicious process continues.

_Figure 1. Fake Office document tries to get the user to enable malicious macros. The blurred document contains logos of different Turkish government entities_

_Figure 2. (caption partly lost) ... institution related to taxes_

The macros contain strings encoded in base52, an encoding rarely used by threat actors other than MuddyWater, who are known to use it for their PowerShell backdoor. After macros are enabled, a .dll file (with PowerShell code embedded) and a .reg file are dropped into the %temp% directory. The macro then runs the following command:

```
"C:\Windows\System32\cmd.exe" /k %windir%\System32\reg.exe IMPORT %temp%\B.reg
```

Importing this registry file adds the following command to the Run registry key:

```
rundll32 %Temp%\png.dll,RunPow
```

_Figure 3. Run registry key_

We assume that RunPow stands for “run PowerShell”; it is the exported function that triggers the PowerShell code embedded inside the .dll file.
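As an added example (not code from the original post), the following Python parses a .reg export of the kind described above and flags Run-key values that launch a proxy binary such as rundll32 from a user-writable location, recording the DLL path and export name. The sample .reg text is constructed for this example; one of its entries is shaped like the `rundll32 %Temp%\png.dll,RunPow` persistence the post describes, the others are ordinary autostarts. Only plain string (REG_SZ) values are decoded; `hex(2):` expandable strings and other binary data are kept raw and not inspected, which is a limitation of this example, not of the format.

```python
import re

# Run keys hold autostart commands; the post's B.reg added its entry to one of them.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Signed Windows binaries commonly abused to launch a dropped payload.
PROXIES = {"rundll32", "regsvr32", "mshta", "powershell", "wscript", "cscript", "cmd"}
# Locations a non-admin user can write to (lower-cased for matching).
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash quotes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ ("...") values are decoded; dword:/hex: data is kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _split_command(cmd: str):
    """Return (executable basename without .exe, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, args = cmd.partition(" ")
    base = re.split(r"[\\/]", exe)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base, args.strip()


def suspicious_run_entries(reg_text: str) -> list:
    """Flag Run-key values that run a proxy binary with a payload in a user-writable path."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not RUN_KEY.search(key):
            continue
        for name, data in values.items():
            exe, args = _split_command(data)
            low = data.lower()
            if exe in PROXIES and any(p in low for p in USER_WRITABLE):
                finding = {"key": key, "value": name, "command": data, "proxy": exe}
                if exe == "rundll32" and "," in args:
                    # rundll32 <dll>,<export>: the export is the real entry point
                    finding["dll"], finding["export"] = args.rsplit(",", 1)
                findings.append(finding)
    return findings


# Constructed sample export (not a capture from the post): one entry shaped like
# the post's Run-key persistence next to two ordinary autostarts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"png"="rundll32 %Temp%\\png.dll,RunPow"
"OneDrive"="\"C:\\Users\\user1\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['value']}: {f['command']} -> export {f.get('export')}")
```

The same check can be pointed at a live host by exporting the Run keys with `reg export` and feeding the file to `suspicious_run_entries`; the rundll32-with-export rule is what isolates the `png.dll,RunPow` pattern from the legitimate entries.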
The PowerShell code has several layers of obfuscation. The first layer contains a long base64-encoded and encrypted blob with variables named using English curse words.

_Figure 4. Encrypted PowerShell code_

The other layers are simple obfuscated PowerShell scripts; the last layer is the main backdoor body. This backdoor has several features in common with a previously discovered version of the MuddyWater backdoor.

First, the backdoor collects system information and concatenates the individual pieces into one long string. The data retrieved includes the OS name, domain name, user name, IP address, and more. It uses the separator “::” between each piece of information.

_Figure 5. String of system information collected from the victim’s system_

The previous MuddyWater version collected similar information but used a different separator:

_Figure 6. String of system information collected from the victim’s system, from an older MuddyWater backdoor sample_

As mentioned above, another difference between this and older MuddyWater backdoors is that C&C communication is done by dropping files at the cloud provider. On further analysis we saw that the communication uses files with different extensions, depending on the purpose of the file:

- **.cmd** – text file with a command to execute
- **.reg** – system info as generated by the myinfo() function (see Figure 5)
- **.prc** – output of the executed .cmd file, stored on the local machine only
- **.res** – output of the executed .cmd file, stored on cloud storage

_Figure 7. Example of .cmd file content_

_Figure 8. Example of .reg file content_

_Figure 9. Example of .res file content_

In both the older version of the MuddyWater backdoor and this recent backdoor, these files serve as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.
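An added example, not code from the original post, that models this dead-drop exchange the way an analyst would triage a dump of it: it sorts files by the extensions listed above, splits the “::”-separated system-info string, classifies .cmd contents by the operator prefixes the post lists further down ($upload, $dispos, $halt, $download, anything else goes to IEX), and decodes .res files with the recipe the post gives for them (drop every “00”, convert the hex to ASCII, reverse). Reading that recipe as hex of UTF-16LE text is this example’s assumption, as are all file names and contents, which are constructed here. `decode_res_naive` applies the recipe literally; `decode_res` gives the same result for ASCII output and shows why the UTF-16LE reading matters once the output contains non-ASCII (for example Turkish) characters.

```python
import os
import tempfile

# Operator command prefixes listed in the post; anything else is fed to IEX.
PREFIXED = {"$upload": "upload", "$download": "download",
            "$dispos": "remove-persistence", "$halt": "exit"}


def encode_res(text: str) -> str:
    """Inverse of the post's decode recipe: reverse, UTF-16LE, hex.

    That the hex is UTF-16LE text is this example's reading of "remove 00".
    """
    return text[::-1].encode("utf-16-le").hex()


def decode_res_naive(blob: str) -> str:
    """The recipe exactly as the post states it: drop "00", hex -> ASCII, reverse."""
    return bytes.fromhex(blob.replace("00", "")).decode("ascii")[::-1]


def decode_res(blob: str) -> str:
    """Same result for ASCII output, but correct for non-ASCII UTF-16LE text."""
    return bytes.fromhex(blob).decode("utf-16-le")[::-1]


def classify_cmd(cmd: str) -> str:
    """Map a .cmd file's content to the handler the post describes."""
    verb = cmd.split(None, 1)[0] if cmd.strip() else ""
    return PREFIXED.get(verb, "iex")


def triage(drop_dir: str) -> dict:
    """Summarise a dump of dead-drop files by the extension conventions above."""
    summary = {"commands": [], "sysinfo": [], "results": [], "other": []}
    for name in sorted(os.listdir(drop_dir)):
        with open(os.path.join(drop_dir, name), encoding="utf-8", newline="") as fh:
            data = fh.read()
        ext = os.path.splitext(name)[1].lower()
        if ext == ".cmd":
            summary["commands"].append((name, classify_cmd(data), data))
        elif ext == ".reg":
            # myinfo() output: fields joined with "::"
            summary["sysinfo"].append((name, data.split("::")))
        elif ext == ".res":
            summary["results"].append((name, decode_res(data)))
        else:
            # .prc files stay on the victim; anything else is unexpected here
            summary["other"].append(name)
    return summary


def build_sample_drop() -> str:
    """Write constructed sample files (not real captures) to a temp directory."""
    d = tempfile.mkdtemp(prefix="deaddrop-")
    files = {
        "a1.cmd": "whoami /all",                       # no prefix -> IEX
        "a2.cmd": "$halt",                             # operator tells the implant to exit
        "host.reg": "Microsoft Windows 10 Pro::WORKGROUP::user1::192.0.2.10",
        "a1.res": encode_res("desktop-abc\\user1\r\n"),  # result of a1.cmd
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    s = triage(build_sample_drop())
    for name, kind, cmd in s["commands"]:
        print(f"{name}: {kind:<18} {cmd}")
    for name, fields in s["sysinfo"]:
        print(f"{name}: {fields}")
    for name, text in s["results"]:
        print(f"{name}: {text!r}")
```

For ASCII command output the literal recipe and the UTF-16LE decode agree, because every character is one hex pair followed by “00”. For a character such as “ş” (U+015F, bytes `5f 01`) the literal recipe has no “00” to strip and silently yields “_” followed by a control byte, so `decode_res` is the safer choice when triaging output from Turkish-language hosts.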
The malware operator leaves a command to execute in a .cmd file and comes back later to retrieve the .res file containing the result of the issued command. In the older MuddyWater backdoor, however, the file contents were encoded differently, and the files were temporarily stored on compromised websites; the more recent backdoor uses a legitimate cloud storage service provider instead.

The .res file can be decoded by replacing “00” with an empty string, converting the remaining hex to ASCII, and then reversing the string. The figure below is the decoded .res file from Figure 9.

_Figure 10. Decoded .res file_

The backdoor supports the following commands:

- **$upload** – upload a file to the file hosting service
- **$dispos** – remove persistence
- **$halt** – exit
- **$download** – download a file from the file hosting service
- **No prefix** – execute the command via Invoke-Expression (IEX), the PowerShell cmdlet that runs commands or expressions on the local computer

Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools.

**_Solutions and Recommendations_**

The campaign uses social engineering to manipulate targets into enabling the malicious documents’ macros. It is important that employers and employees across all organizations and enterprises be able to [identify phishing attacks and distinguish legitimate emails from malicious ones](https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks). Awareness of these threats and the tactics they use is an effective first step. Telltale signs of social engineering include “too-good-to-be-true” offers and messages that lack context.
In general, users should always practice caution when it comes to email. This includes avoiding clicking on links or downloading any documents unless certain that they are legitimate. Apart from knowledge and awareness of phishing and social engineering, it is also important to be prepared with effective and layered security solutions.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through [specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle](https://www.trendmicro.com/vinfo/us/security/news/security-technology/how-can-advanced-sandboxing-techniques-thwart-elusive-malware), allowing it to detect threats even without any engine or pattern update. [Trend Micro™ Hosted Email Security](https://www.trendmicro.com/us/small-business/hosted-email-security/) is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. [Trend Micro™ Deep Discovery™ Email Inspector](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/index.html#email-protection) and [InterScan™ Web Security](https://www.trendmicro.com/us/enterprise/web-security/index.html) prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of these attacks. These solutions are powered by [Trend Micro XGen™ security](https://www.trendmicro.com/en_us/business/products/all-solutions.html), which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features [high-fidelity machine learning](https://www.trendmicro.com/us/business/complete-user-protection/index.html) to secure the gateway and endpoint data and applications, and [protects physical, virtual, and cloud workloads](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security-for-cloud.html).

**_Indicators of Compromise_**

| SHA256 | Type | Detection Name |
|---|---|---|
| 41ee0ab77b474b0c84a1c25591029533f058e4454d9f83ba30159cc6309c65d1 | Delivery documents | W2KM_POWRUN.A |
| 43080479eb1b00ba80c34272c5595e6ebdc6b0ffabcdc2c40ea2af49fcc43db4 | Dropped DLL file | Backdoor.Win32.POWRUN.AA |
| 4f509354d8b3152a40c64ce61f7594d592c1256ad6c0829760b8dbdcb10579a2 | Weaponized document | BACKDOOR.WIN32.POWRUN.AA |
| 685e91bc4e98c38bda7c8e57d5d40a11e7cf48bb43859bb799813f0146a14fcf | Dropped DLL file | BKDR_POWRUN.B |
| 888a6f205ac9fc40d4898d8068b56b32f9692cb75f0dd813f96a7bd8426f8652 | Dropped DLL file | Trojan.W97M.POWRUN.AA |
| 0acd10b14d38a4ac469819dfa9070106e7289ecf7360e248b7f10f8682f373d | Dropped DLL file | BKDR_POWRUN.A |