Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
High
Analysis Summary
MuddyWater (aka SeedWorm/Temp.Zagros) is a high-profile, state-sponsored Advanced Persistent Threat (APT) actor. The group was first observed in 2017 and has since operated multiple global espionage campaigns, with its most significant operations focused mainly on Middle Eastern and Central Asian nations.
The group targets a wide gamut of sectors, including government, military, telecommunications, and academia. In recent months, ClearSky has monitored and detected malicious files using each of two TTPs: decoy Microsoft Office files with embedded macros, and documents exploiting CVE-2017-0199. This is the first time MuddyWater has used these two vectors in conjunction.
In the recent campaign the group appears to have returned, in certain cases, to using compromised servers, which it leveraged to host the malicious code segment used in the second stage of the attacks, as in previous operations. Concurrently, we identified several MuddyWater files that targeted various entities in Tajikistan using the group's classic attack vector, a malicious VBA macro.
The file, named ‘UNDP_TJK_Agreement_ORGS.doc’, was disguised as an official document of a UN development plan in Tajikistan. When the document is opened, a VBS file is created. The VBS file is wrapped in multiple VBE, JavaScript, and Base64 encoding layers, similar to previous MuddyWater attack chains. The malware’s second stage is downloaded from IP address 185[.]244[.]149[.]218.
CVE-2017-0199 in Microsoft Office allows remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API”.
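As an added, defender-side example that is not part of the Rewterz advisory, the following Python flags the dropper chain described above in constructed Sysmon-style telemetry: an Office process spawning wscript/cscript on a .vbs, and an outbound connection to the second-stage IP. The field names, process paths and sample events are assumptions; only the IP and the VBS-dropper behaviour come from the advisory.

```python
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # macro-bearing decoy hosts
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                # run the dropped VBS
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse")
SECOND_STAGE_IPS = {"185.244.149.218"}  # advisory IP, undefanged to match telemetry

# Constructed sample telemetry in a Sysmon-like shape; these are not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'wscript.exe //B "C:\Users\a\AppData\Roaming\Microsoft\update.vbs"'},
    {"id": 2, "type": "network", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "185.244.149.218"},
    {"id": 3, "type": "process", "host": "WS02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "wscript.exe logon.vbs"},  # benign logon script
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def office_spawned_script(ev):
    """Office application launched a script host on a .vbs/.vbe/.js file."""
    return (ev["type"] == "process"
            and _basename(ev["parent"]) in OFFICE_APPS
            and _basename(ev["image"]) in SCRIPT_HOSTS
            and any(ext in ev["cmdline"].lower() for ext in SCRIPT_EXTS))

def second_stage_contact(ev):
    """Outbound connection to the advisory's second-stage IP."""
    return ev["type"] == "network" and ev["dst_ip"] in SECOND_STAGE_IPS

def detect(events):
    """Return (rule, host, event id) for every matching event."""
    alerts = []
    for ev in events:
        if office_spawned_script(ev):
            alerts.append(("office_spawned_script_host", ev["host"], ev["id"]))
        if second_stage_contact(ev):
            alerts.append(("second_stage_ip_contact", ev["host"], ev["id"]))
    return alerts

def hosts_with_full_chain(alerts):
    """Hosts where both the dropper and the download were seen (high confidence)."""
    by_host = {}
    for rule, host, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return {h for h, rules in by_host.items() if len(rules) == 2}
```

The per-event rules are useful alone, but the second-stage IP will rotate; the Office-to-script-host rule is the one that survives infrastructure changes.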
Indicators Of Compromise
IP(s) / Hostname(s)
URLs
Filename
UNDP_TJK_Agreement_ORGS.doc
Malware Hash (MD5/SHA1/SHA256)
Remediation
Block threat indicators at your respective controls.