Go to… - [Home » Malware » MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-](https://blog.trendmicro.com/trendlabs-security-intelligence/) Featured Stories Exploitation Tools systemd Vulnerability Leads to Denial of Service on Linux # MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools qkG Filecoder: Self-Replicating, Document- Encrypting Ransomware **[Posted on: June 10, 2019](https://blog.trendmicro.com/trendlabs-security-intelligence/2019/06/)** at 5:02 **[Posted in: Malware,](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)** Targeted **Author: Trend** [Mitigating CVE-2017-5689, an Intel Management](https://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/) am Attacks Micro Engine Vulnerability **_By Daniel Lunghi and Jaromir Horejsi_** [A Closer Look at North Korea’s Internet](https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-north-koreas-internet/) We found new campaigns that appear to wear the badge of [From Cybercrime to Cyberpropaganda](https://blog.trendmicro.com/trendlabs-security-intelligence/from-cybercrime-to-cyberpropaganda/) MuddyWater. Analysis of these campaigns revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. We also unearthed Security Predictions for 2019 and detailed our other findings on MuddyWater, such as its connection to four Android malware families and its use of false flag techniques, among others, in our report “New MuddyWater [Activities Uncovered: Threat Actors Used Multi-Stage Backdoors,](https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf) False Flags, Android Malware, and More.” One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email Our security predictions for 2019 are based on our experts’ analysis of the progress of current recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing and emerging technologies, user behavior, and malware. market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration. [Read our security predictions for 2019.](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2019) ### Business Process Compromise Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational Figure 1. Screenshot of a spear-phishing email spoofing a government office, dated April 8, 2019. loopholes that they can leverage or abuse. To [learn more, read our Security 101: Business](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-business-process-compromise) Process Compromise. ### Recent Posts MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post- Exploitation Tools [CVE-2019-2725 Exploited and Certificate Files](https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/) Used for Obfuscation to Deliver Monero Miner Monero-Mining Malware PCASTLE Zeroes Back In [on China, Now Uses Multilayered Fileless Arrival](https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/) Figure 2. Email headers showing the origin of the spear-phishing email Techniques Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based [BlackSquid Slithers Into Servers and Drives With 8](https://blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/) Notorious Exploits to Drop XMRig Miner backdoor called POWERSTATS v3. The spear-phishing email that contains a document embedded with a malicious macro drops a VBE file encoded with Microsoft Script Encoder. The VBE file, which Infected Cryptocurrency-Mining Containers Target holds a base64-encoded block of data containing obfuscated PowerShell script, will then execute. This [Docker Hosts With Exposed APIs, Use Shodan to](https://blog.trendmicro.com/trendlabs-security-intelligence/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims/) Find Additional Victims block of data will be decoded and saved to the %PUBLIC% directory under various names ending with ----- [May’s Patch Tuesday Include Fixes for ‘Wormable’](https://blog.trendmicro.com/trendlabs-security-intelligence/mays-patch-tuesday-include-fixes-for-wormable-flaw-in-windows-xp-zero-day-vulnerability/) Flaw in Windows XP, Zero-Day Vulnerability [New Mirai Variant Uses Multiple Exploits to Target](https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/) Routers and Other Devices [Linux Coin Miner Copied Scripts From KORKERDS,](https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/) Removes All Other Malware and Miners Trickbot Adds Remote Application Credential- Grabbing Capabilities to Its Repertoire Exposed Docker Control API and Community Image Figure 3. Code snippet of obfuscated and useless code Abused to Deliver Cryptocurrency-Mining Malware The final backdoor code is revealed after the deobfuscation of all strings and removal of all unnecessary code. But first, the backdoor will acquire the operating system (OS) information and save Stay Updated the result to a log file. Email Subscription Your email here Subscribe Figure 4. Code snippet of OS information collection This file will be uploaded to the command and control (C&C) server. Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process. A second stage attack can be launched by commands sent to a specific victim in an asynchronous way, e.g., another backdoor payload can be downloaded and installed to targets that they are interested in. Figure 5. The code in POWERSTATS v3 which downloads the second attack stage We were able to analyze a case where the group launched a second stage attack. The group was able to download another backdoor, which is supported by the following commands: Take screenshots Command execution via the cmd.exe binary If there’s no keyword, the malware variant assumes that the input is PowerShell code and executes it via the “Invoke-Expression” cmdlet Figure 6. The code in POWERSTATS v3 (second stage) that handles the screenshot command The C&C communication is done using PHP scripts with a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and _uDel (self-delete after an error)._ Figure 7. In an endless loop, the malware variant queries a given path on the C&C server, trying to download a GUID-named file with commands to execute. **Other MuddyWater campaigns in the first half of 2019** The MuddyWater threat actor group has been actively targeting victims with a variety of tricks, and they seem to keep on adding more as they move forward with new campaigns. The campaign that used POWERSTATS v3 is not the only one we found with new tricks. We observed other campaigns that changed their delivery methods and dropped file types. Notably, these campaigns have also changed payloads and publicly available post-exploitation tools. ----- |2019-01|Macros|EXE|SHARPSTATS| |---|---|---|---| |2019-01|Macros|INF, EXE|DELPHSTATS| |2019-03|Macros|Base64 encoded, BAT|POWERSTATS v2| |2019-04|Template injection|Document with macros|POWERSTATS v1 or v2| |2019-05|Macros|VBE|POWERSTATS v3| 2019-01 Macros INF, EXE DELPHSTATS 2019-03 Macros Base64 encoded, BAT POWERSTATS v2 2019-04 Template injection Document with macros POWERSTATS v1 or v2 2019-05 Macros VBE POWERSTATS v3 Table 1. MuddyWater’s delivery methods and payloads in 2019 1H In January 2019, we discovered that the campaign started using SHARPSTATS, a .NET-written backdoor that supports DOWNLOAD, UPLOAD, and RUN functions. In the same month, DELPHSTATS, a backdoor written in the Delphi programming language, emerged. DELPHSTATS queries the C&C server for a .dat file before executing it via the Powershell.exe process. Like SHARPSTATS, DELPHSTATS employs custom PowerShell script with code similarities to the one embedded into the former. Figure 8. SHARPSTATS can be used to collect system information by dropping and executing a PowerShell script. Figure 9. The code in DELPHSTATS that queries a certain directory on the C&C server. It’s where operators upload additional payload. We came across the heavily obfuscated POWERSTATS v2 in March 2019. An earlier version of this backdoor decodes the initial encoded/compressed blocks of code, while an improved version appeared later on. The latter heavily uses format strings and redundant backtick characters. The function names in the earlier version were still somehow readable, but they were completely randomized in later versions. Figure 10. Obfuscated POWERSTATS v2 After deobfuscation, the main backdoor loop queries different URLs for a “Hello server” message to obtain command and upload the result of the run command to the C&C server. ----- |Name of the Post-Exploitation Tool|Programming language/Interpreter| |---|---| |CrackMapExec|Python, PyInstaller| |ChromeCookiesView|Executable file| |chrome-passwords|Executable file| |EmpireProject|PowerShell, Python| |FruityC2|PowerShell| |Koadic|JavaScript| |LaZagne|Python, PyInstaller| |Meterpreter|Reflective loader, executable file| |Mimikatz|Executable file| |MZCookiesView|Executable file| |PowerSploit|PowerShell| |Shootback|Python, PyInstaller| |Smbmap|Python, PyInstaller| We also observed MuddyWater s use of multiple open source post-exploitation tools, which they deployed after successfully compromising a target. **Name of the Post-Exploitation Tool** **Programming language/Interpreter** [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) Python, PyInstaller [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) Executable file [chrome-passwords](https://github.com/adnan-alhomssi/chrome-passwords) Executable file [EmpireProject](https://github.com/EmpireProject) PowerShell, Python [FruityC2](https://github.com/xtr4nge/FruityC2) PowerShell [Koadic](https://github.com/zerosum0x0/koadic) JavaScript [LaZagne](https://github.com/AlessandroZ/LaZagne) Python, PyInstaller [Meterpreter](https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/) [Reflective loader, executable file](https://github.com/stephenfewer/ReflectiveDLLInjection) [Mimikatz](https://github.com/gentilkiwi/mimikatz) Executable file [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) Executable file [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) PowerShell [Shootback](https://github.com/aploium/shootback) Python, PyInstaller [Smbmap](https://github.com/ShawnDEvans/smbmap) Python, PyInstaller Table 2. Tools used by MuddyWater campaigns over the years. The delivery of the EmpireProject stager is notable in one of the campaigns that we monitored. The [scheme involves the use of template injection and the abuse of the CVE-2017-11882 vulnerability. If](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882) the email recipient clicks on a malicious document, a remote template is downloaded, which will trigger the exploitation of CVE-2017-11882. This will then lead to the execution the EmpireProject stager. Figure 12. Clicking on the malicious document leads to the abuse of CVE-2017-11882 and the execution of the EmpireProject stager. Another campaign also stands out for its use of the LaZagne credential dumper, which was patched to drop and run POWERSTATS in the main function. Figure 13. LaZagne has been patched to drop and run POWERSTATS in the main function. See added _intimoddumpers() function. Note the typo in the function name – its INTI, not INIT._ **Conclusion and security recommendations** While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns. In [this regard, apart from using smart email security solutions, organizations should inform their](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/advanced-defenses-for-advanced-email-threats) [employees of ways to stay safe from email threats.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats) ----- [attacks and advanced threats through specialized engines, custom sandboxing, and seamless](https://www.trendmicro.com/vinfo/us/security/news/security-technology/how-can-advanced-sandboxing-techniques-thwart-elusive-malware) correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern updates. [View our full report to learn more about the other MuddyWater details we discovered.](https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf) ## Related Posts: **[Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/)** **[Supply Chain Attack Operation Red Signature Targets South Korean Organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/)** **[Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/)** **[Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability](https://blog.trendmicro.com/trendlabs-security-intelligence/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability/)** Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: [ENTERPRISE](http://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html) » [SMALL BUSINESS](http://www.trendmicro.com/us/security-intelligence/small-business-ransomware/index.html) » [HOME](http://www.trendmicro.com/us/home/consumer-ransomware/index.html) » Tags: [DELPHSTATS](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/delphstats/) [MuddyWater](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/muddywater/) [POWERSTATS](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/powerstats/) [SHARPSTATS](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/sharpstats/) [HOME AND HOME OFFICE](http://www.trendmicro.com/us/home/index.html) | [FOR BUSINESS](http://www.trendmicro.com/us/business/index.html) | [SECURITY INTELLIGENCE](http://www.trendmicro.com/us/security-intelligence/index.html) | [ABOUT TREND MICRO](http://www.trendmicro.com/us/about-us/index.html) [Asia Pacific Region (APAC): Australia / New Zealand, ��, ��, ����, ��](http://www.trendmicro.com.au/au/home/index.html) [Latin America Region (LAR): Brasil, México](http://br.trendmicro.com/br/home/index.html) [North America Region (NABU): United States, Canada](http://www.trendmicro.com/us/index.html) [Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland](http://www.trendmicro.fr/) [Privacy Statement](http://www.trendmicro.com/us/about-us/legal-policies/privacy-statement/index.html) [Legal Policies](http://www.trendmicro.com/us/about-us/legal-policies/index.html) Copyright © 2019 Trend Micro Incorporated. All rights reserved. -----