Home » News » Researchers told about new instruments of MuddyWater cybercriminal group

Researchers told about new instruments of MuddyWater cybercriminal group

Specializing on espionage Muddywater group, also known as SeedWorm and TEMP.Zagros, included in its set of techniques, tactics and procedures new methods that allow having remote access to infected systems and remain unnoticed at the same time.

First time group became famous in 2017, when it attacked Middle Eastern organizations, however, later it included governmental and military companies in Central and South-East Asia, as well as enterprises in Europe and North America.

Cisco Talos specialists analyzed recent campaign that was called BlackWater, and linked it to MuddyWater cybergroup. They noticed some new tactics, applied by a band to hide traces of its activity.

“Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection”, — claimed Cisco Talos researchers.

In particular, criminals used obfuscated VBA macros that allows malware programs preserve presence on the infected Windows-machines, adding Run registry key. Malware added on victims’ computers through fishing letter and for their watching was necessary to turn on malware macros that blocked option of watching its source code.

Between February and March 2019 band added PowerShell commands in malware attachments for persisting in a system and collection of data about infected computer that later were sent on the controlled by the attackers server. Attackers used PowerSheell script for downloading Trojan from C&C server, particularly built on the open FruityC2 framework.

READ  GandCrab malware operators are winding down their activity
Image of the PowerShell script from the threat actor-controlled server
Image of the PowerShell script from the threat actor-controlled server (clickable)

Collected information included in URL that complicated detecting, and also conduct monitoring of web-logs and establish, when someone who is not linked to BlackWater, sent a request on a server to study suspicious activity.

Source: https://blog.talosintelligence.com

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

Trojan MonsterInstall

Sites with cheats for games distribute users to the load Trojan crypto miner

A new modular trojan downloader in JavaScript has appeared on the Internet. Currently, it can …

Oracle WebLogic Vulnerability

Oracle has released an urgent patch to eliminate critical vulnerabilities in WebLogic Server

The company said that an unknown group of cybercriminals in real attacks is already actively …

Leave a Reply