## Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor

**[Posted on: June 14, 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/06/)** at 5:00 am **[Posted in: Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)** **[Author: Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/)**

**_by Michael Villanueva and Martin Co (Threats Analysts)_**

[The MuddyWater campaign was first sighted in 2017 when it](https://www.reuters.com/article/us-saudi-cyber/saudi-agency-says-country-targeted-in-cyber-spying-campaign-idUSKBN1DK27M) targeted the Saudi government using an attack involving PowerShell scripts deployed via a Microsoft Office Word macro. In March 2018, we provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater.

In May 2018, we found a new sample (detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload.
One notable difference in the analyzed samples is that they do not directly download the Visual Basic

[...] the MuddyWater campaign, in particular:

- The delivery method, which involves the use of a malicious document with an embedded macro as a lure for potential victims
- The obfuscation method for the macro scripts, which results in the intended backdoor payload. This method is commonly used in samples from the MuddyWater campaign

**_Infection chain_**

_Figure 1. Comparison of the infection chains used in the previous and current campaigns_

**_Technical details_**

The sample we analyzed was a Word document used as a lure for unsuspecting victims. However, unlike the samples from the previous campaigns, the lure document deals with a different subject matter. Instead of using government or telecommunications-related documents, the new lure document presents itself as a reward or promotion, which could indicate that the targets are no longer limited to specific industries or organizations.
_Figure 2. Sample lure document used in the new campaign_

The document is designed to trick users into enabling the macro to view its full content. However, the macro's true purpose is to execute malicious routines without the user's knowledge. Once the macro is enabled, it uses the Document_Open() event to execute the malicious routine automatically, either when a new document based on the same template is opened or when the template itself is opened as a document.

_Figure 3. Executing the malicious routine via Document_Open()_

The malicious macro's code snippet uses three main functions, specifically:

[...] will be executed to perform the main routine.

_Figure 4. A snippet of the malicious macro's code, marked with colored boxes to show the different functions_

**_Decoding and deobfuscation_**

Analysis of the code revealed a PowerShell script capable of decoding the contents of the malicious document, which results in the execution of yet another encoded PowerShell script.

_Figure 5. The PowerShell script contained in the sample's code_

_Figure 6. The second encoded PowerShell script, which is executed after the first script is decoded_

This then results in more readable PowerShell scripts capable of dropping various components in the %Application Data%\Microsoft\CLR\* directory. The main PowerShell file invoker.ps1 uses [...]

_Figure 7. The components dropped in the %Application Data%\Microsoft\CLR\* directory_

PRB-Backdoor is a backdoor that takes its name from the function used in the final PowerShell script payload, as seen in the figure below.

_Figure 8. The PS function from which PRB-Backdoor takes its name_

The backdoor communicates with its Command-and-Control (C&C) server hxxp://outl00k[.]net to [...]

|Command|Details|
|---|---|
|PRB-CREATEALIVE|Initializes the connection with the C&C server|
|PRB-CREATEINTRODUCE|Registers/introduces the affected machine to the C&C server|
|PRB-History|Gathers browsing histories from different browsers and sends them to the C&C server using the “sendfile” function|
|PRB-PASSWORD|Steals passwords listed or found in the browser histories|
|PRB-READFILE|Reads files|
|PRB-WRITEFILE|Writes files|
|PRB-Shell|Executes shell commands|
|PRB-Logger|Calls the “Logger” function, used to record keyboard strokes|
|PRB-Shot|Triggers the SNAP function, used to capture screenshots|
|PRB-funcupdate|Updates functions|
|sysinfo|Gathers system information|
|Start_Dns|Initializes the DNS session/connection|

Given the use of lure documents designed with social engineering in mind, it is likely that the attackers use phishing or spam to target users who are unaware of these documents' malicious nature. Awareness can effectively mitigate or stop these kinds of attacks from being successful. [The first step is to be able to identify phishing attacks and distinguish legitimate emails from](https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks) malicious ones. Telltale signs of social engineering include “too-good-to-be-true” offers and messages that lack context. In general, users should always practice caution when it comes to email. This includes avoiding clicking on links or downloading any documents unless certain that these are legitimate.

[Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) today's stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through [specialized engines, custom sandboxing, and seamless correlation across the entire attack](https://www.trendmicro.com/vinfo/us/security/news/security-technology/how-can-advanced-sandboxing-techniques-thwart-elusive-malware) lifecycle, allowing it to detect threats even without any engine or pattern update.

[Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously](https://www.trendmicro.com/us/small-business/hosted-email-security/) updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network.
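The chain described above (a Word macro launching PowerShell, one encoded script decoding another, and components dropped under %Application Data%\Microsoft\CLR\) lends itself to a hunting check over process-creation telemetry. The following is an added example, not code from the report or from Trend Micro; the event records, the Office parent list and the nested encoded command are constructed here for illustration.

```python
import base64
import re

# Constructed sample, not from the report: the innermost layer writes a
# component under the drop directory named in the analysis, %AppData%\Microsoft\CLR\.
INNER_SCRIPT = r'Set-Content "$env:APPDATA\Microsoft\CLR\invoker.ps1" $payload'

def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Two layers, mirroring Figures 5 and 6: an encoded command that runs another encoded command.
OUTER_COMMAND = f"powershell -w hidden -EncodedCommand {encode_command(INNER_SCRIPT)}"
SAMPLE_EVENTS = [  # constructed process-creation records (parent, image, command line)
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -nop -EncodedCommand {encode_command(OUTER_COMMAND)}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

# -e, -enc and -EncodedCommand are common spellings of the same switch.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

def unwrap_encoded(cmdline: str, limit: int = 8) -> list:
    """Peel every -EncodedCommand layer off a command line, outermost first."""
    layers, current = [], cmdline
    while len(layers) < limit:
        match = ENCODED_RE.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break  # not a well-formed encoded command; stop peeling
        layers.append(current)
    return layers

def triage(event: dict) -> list:
    """Return the hunt findings for one process-creation event."""
    findings = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and event["image"].lower().endswith("powershell.exe"):
        findings.append("office-spawned-powershell")
    layers = unwrap_encoded(event["cmdline"])
    if len(layers) > 1:
        findings.append(f"nested-encoded-powershell:{len(layers)}")
    if any(re.search(r"\\Microsoft\\CLR\\", layer, re.I) for layer in layers):
        findings.append("drop-path-microsoft-clr")
    return findings
```

Each finding on its own is noisy (administrators run encoded commands too); the value is in the combination of an Office parent, more than one encoding layer, and a write under a path the report ties to this payload.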
[Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/index.html#email-protection) [from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver](https://www.trendmicro.com/us/business/complete-user-protection/index.html#smart-protection-demos) several capabilities that minimize the impact of these attacks.

[These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational](https://www.trendmicro.com/en_us/business/products/all-solutions.html) blend of threat defense techniques against a full range of threats for data [centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security-for-cloud.html) [secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud](https://www.trendmicro.com/us/business/complete-user-protection/index.html) workloads.
**_Indicators of Compromise (IoCs):_**

Detected as W2KM_DLOADR.UHAOEEN:
240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b