
Rewterz Threat Alert – MuddyWater Adds Exploits to their Arsenal

June 10, 2019

Severity

High

Analysis Summary

MuddyWater (aka SeedWorm/Temp.Zagros) is a high-profile, state-sponsored Advanced Persistent Threat (APT) actor. The group was first observed in 2017 and has since run multiple global espionage campaigns, although its most significant operations focus on Middle Eastern and Middle Asian nations.

The group targets a wide gamut of sectors, including government, military, telecommunications, and academia. In recent months, Clearsky has monitored and detected malicious files for each of two TTPs: decoy Microsoft Office documents with embedded macros, and documents exploiting the vulnerability CVE-2017-0199. This is the first time MuddyWater has used these two vectors in conjunction.

Attack Vector 1 – Malicious Macros

It appears that in the recent campaign the group returned, in certain cases, to using compromised servers. As in previous operations, these servers host the malicious code segments used in the second stage of the attacks. Concurrently, we identified several MuddyWater files that targeted various entities in Tajikistan using the group's classic attack vector: a malicious VBA macro.

The file, named 'UNDP_TJK_Agreement_ORGS.doc', was disguised as an official document of a UN development programme in Tajikistan. When the document is opened, a VBS file is created. It is wrapped in multiple layers of VBE, JavaScript, and Base64 encoding, as in previous MuddyWater attacks. The malware's second stage is downloaded from the IP address 185[.]244[.]149[.]218.

Attack Vector 2 – CVE-2017-0199

This vulnerability in Microsoft Office allows remote attackers to execute arbitrary code via a crafted document; it is also known as the "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API".

Indicators Of Compromise

IP(s) / Hostname(s)

  • 66[.]219[.]22[.]235
  • 83[.]171[.]238[.]62
  • 185[.]185[.]25[.]175
  • 185[.]244[.]14[.]218

URLs

  • http[:]//185[.]185[.]25.175/ref45[.]php
  • http[:]//185[.]185[.]25[.]175/sDownloads/
  • http[:]//185[.]185[.]25[.]175/upl[.]php

Filename

UNDP_TJK_Agreement_ORGS.doc

Malware Hash (MD5/SHA1/SHA256)


Remediation

Block threat indicators at your respective controls.
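As an added example (not part of the advisory), the script below refangs the defanged IPs and URLs listed above and scans proxy log lines for connections to them; the log lines and their three-column format are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Network indicators exactly as published in the advisory (defanged).
ADVISORY_IPS = [
    "66[.]219[.]22[.]235",
    "83[.]171[.]238[.]62",
    "185[.]185[.]25[.]175",
    "185[.]244[.]14[.]218",
]
ADVISORY_URLS = [
    "http[:]//185[.]185[.]25.175/ref45[.]php",
    "http[:]//185[.]185[.]25[.]175/sDownloads/",
    "http[:]//185[.]185[.]25[.]175/upl[.]php",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Constructed sample proxy log (not from the advisory): "client dest_ip url".
SAMPLE_PROXY_LOG = """\
10.0.0.5 93.184.216.34 http://example.com/index.html
10.0.0.7 185.185.25.175 http://185.185.25.175/ref45.php
10.0.0.9 185.244.14.218 http://185.244.14.218/stage2
10.0.0.11 8.8.8.8 http://8.8.8.8/
"""

def scan_proxy_log(log_text: str) -> list:
    """Return (line_no, client, reasons) for every line touching an indicator."""
    ip_set = {refang(i) for i in ADVISORY_IPS}
    url_set = {refang(u) for u in ADVISORY_URLS}
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, dest_ip, url = parts
        reasons = []
        if dest_ip in ip_set:
            reasons.append(f"dest ip {dest_ip}")
        if url in url_set:
            reasons.append(f"url {url}")
        else:
            # A new path on a listed host is still worth flagging.
            host = urlparse(url).hostname
            if host in ip_set:
                reasons.append(f"url host {host}")
        if reasons:
            hits.append((line_no, client, reasons))
    return hits

if __name__ == "__main__":
    for line_no, client, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {client} -> {', '.join(reasons)}")
```

Feed it your real proxy export (same three columns) to get the hosts that need isolation and triage.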
