Home » News » Researchers told about new instruments of MuddyWater cybercriminal group

Researchers told about new instruments of MuddyWater cybercriminal group

Specializing on espionage Muddywater group, also known as SeedWorm and TEMP.Zagros, included in its set of techniques, tactics and procedures new methods that allow having remote access to infected systems and remain unnoticed at the same time.

First time group became famous in 2017, when it attacked Middle Eastern organizations, however, later it included governmental and military companies in Central and South-East Asia, as well as enterprises in Europe and North America.

Cisco Talos specialists analyzed recent campaign that was called BlackWater, and linked it to MuddyWater cybergroup. They noticed some new tactics, applied by a band to hide traces of its activity.

“Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection”, — claimed Cisco Talos researchers.

In particular, criminals used obfuscated VBA macros that allows malware programs preserve presence on the infected Windows-machines, adding Run registry key. Malware added on victims’ computers through fishing letter and for their watching was necessary to turn on malware macros that blocked option of watching its source code.

Between February and March 2019 band added PowerShell commands in malware attachments for persisting in a system and collection of data about infected computer that later were sent on the controlled by the attackers server. Attackers used PowerSheell script for downloading Trojan from C&C server, particularly built on the open FruityC2 framework.

READ  RIG exploit suite is now being used to deliver a new Buran encryption tool to users
Image of the PowerShell script from the threat actor-controlled server
Image of the PowerShell script from the threat actor-controlled server (clickable)

Collected information included in URL that complicated detecting, and also conduct monitoring of web-logs and establish, when someone who is not linked to BlackWater, sent a request on a server to study suspicious activity.

Source: https://blog.talosintelligence.com

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

Tor DDoS Attacks are Cheap

DDoS attacks that slow Tor network performance are quite cheap

Experts from Georgetown University and the US Navy Research Laboratory presented an interesting report at …

Scripts for clickjacking detected on sites with a audience of 43 million users

Scripts for clickjacking detected on sites with a total audience of 43 million users per day

For the first time clickjacking attracted the attention of information security experts more than ten …

Leave a Reply