The malicious actors behind the MuddyWater campaign have given the malware a facelift, changing the way the malicious files are executed and altering the social engineering used to entice victims to open the infected Word document.
Trend Micro researchers said the newest version of MuddyWater, originally spotted in 2017, was seen in May and is being detected as W2KM_DLOADR.UHAOEEN. The overall attack pattern remains the same: the target receives a Microsoft Word document via a phishing or spam email, and the document carries a malicious macro that executes PowerShell scripts in order to inject a backdoor.
“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts on the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files,” wrote Trend Micro threat analysts Michael Villanueva and Martin Co.
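An added example, not code from the article or from Trend Micro, of a defender-side heuristic for exactly this shift: because the stages are embedded in the macro rather than fetched, there is no download URL to flag, so the check below looks for long base64 literals that decode to script text alongside drop-and-execute calls. It assumes the VBA source has already been extracted from the document (with a tool such as olevba); the macro sample is constructed and benign.

```python
import base64
import re

# Heuristics for the "everything embedded in the document" pattern: the macro
# carries its VBS/PowerShell stages as encoded strings and decodes/drops them
# itself. Constructed example; not Trend Micro's detection logic and not the
# real MuddyWater macro.

BASE64_LITERAL = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
SCRIPT_MARKERS = ("powershell", "wscript", "cscript", ".vbs", "-enc", "invoke-expression")
DROP_EXEC = re.compile(r"\b(Shell|WScript\.Shell|ADODB\.Stream|SaveToFile|CreateTextFile)\b", re.I)


def decode_embedded_strings(macro_src):
    """Yield (blob, decoded_text) for every long base64-looking literal that decodes."""
    for blob in BASE64_LITERAL.findall(macro_src):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # PowerShell -EncodedCommand is UTF-16LE; stripping NULs covers that and plain ASCII.
        yield blob, raw.decode("utf-8", errors="replace").replace("\x00", "")


def scan_macro(macro_src):
    """Flag macro source that embeds script stages and also drops/executes files."""
    embedded = []
    for blob, text in decode_embedded_strings(macro_src):
        hits = sorted(m for m in SCRIPT_MARKERS if m in text.lower())
        if hits:
            embedded.append({"blob_len": len(blob), "markers": hits})
    drops = bool(DROP_EXEC.search(macro_src))
    return {"embedded_scripts": embedded, "drop_and_execute": drops,
            "suspicious": bool(embedded) and drops}


# Constructed sample macro: a harmless stand-in for the embedded-stage layout.
_STAGE = 'Set sh = CreateObject("WScript.Shell"): sh.Run "powershell.exe -NoProfile -File stage2.ps1", 0'
_BLOB = base64.b64encode(_STAGE.encode()).decode()
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    f'    payload = "{_BLOB}"\n'
    '    Set f = CreateObject("Scripting.FileSystemObject").CreateTextFile(path)\n'
    "    f.Write Decode(payload): f.Close\n"
    '    Shell "wscript.exe " & path, vbHide\n'
    "End Sub\n"
)

if __name__ == "__main__":
    print(scan_macro(SAMPLE_MACRO))
```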
The other change is the bait document. In previous incarnations, the attackers used documents supposedly containing government or telecom-related information, but this time around the document pretends to be a reward or promotional program and is written to entice the target to enable the macro in order to read the entire offer.
Once this happens, the malware is executed, usually installing a PRB backdoor that communicates with the command-and-control server. The server can then instruct the compromised computer to gather browsing histories from different browsers, steal passwords, read files, write files, execute shell commands and record keystrokes.
Trend Micro recommends standard anti-phishing defenses to block this attack and making employees aware of the risks posed by attached documents.