

The Saudi government’s National Cyber Security Center (NCSC) has reportedly confirmed the attack, stating that “The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia.”

MuddyWater is an APT group that has been active throughout 2017, and its attacks are primarily directed against organizations in Middle East countries. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first-stage backdoor, “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques, according to a blog post published by Palo Alto Networks.

The timeline of how the threat evolved is as follows. The attacker sends phishing emails to the target containing a macro-enabled Word document; when the victim opens the file, the embedded VBScript disables Word's security settings by altering the corresponding registry keys. The attacker then retrieves a stream of data from hosting services such as GitHub or Pastebin. That data is converted into two scripts, a PowerShell script and a VBScript, which are stored as hidden files.

The PowerShell script is used to communicate with the command and control (C&C) server. A unique ID is stored on the victim's machine in a file called [username].key; it is used to receive instructions from the server and also registers the victim's machine with the C&C server, which lets the attackers execute arbitrary commands on the victim's system.

MuddyWater attackers use compromised websites as proxies to hide the real address of the C2 server. The infected machine connects at random to one of the proxy servers, which relays the traffic to the C2. The attacker uses the C2 to send commands and receive exfiltrated data.

According to Reaqta, “The operators behind MuddyWater are likely espionage motivated, we derive this information from the analysis of data and backdoor behaviors. We also find that despite the strong preponderance of victims from Pakistan, the most active targets appear to be in Saudi Arabia, UAE, and Iraq. Amongst the victims, we identify a variety of entities with a stronger focus at Governments, Telcos and Oil companies.”

This is not the first time hackers have targeted Middle East countries. Earlier this year they were hit by the powerful Shamoon virus, which caused widespread damage.

Preventive Measures to be taken to avoid infection:

  • Always keep anti-malware and antivirus signatures updated
  • Block macros in Office applications
  • Block the C&C IP addresses at the firewall
  • Block the use of PowerShell scripts and VBScript
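The macro-blocking measure above can be audited and enforced on a workstation with the following PowerShell, an added example that is not part of the original post. It assumes Office 2013 or later (registry version keys 15.0 and 16.0) and operates on the current user's hive; the VBAWarnings, AccessVBOM and blockcontentexecutionfrominternet values are Microsoft's documented Trust Center registry settings.

```powershell
# Added example (not from the original post): audit the per-user Office macro security
# registry values that a malicious macro may tamper with, and report any application
# whose setting no longer disables macros. Assumes Office 15.0/16.0 and the HKCU hive.
$apps     = @('Word', 'Excel', 'PowerPoint')
$versions = @('15.0', '16.0')
# VBAWarnings values as documented for the Office Trust Center:
#   1 = enable all macros, 2 = disable with notification,
#   3 = disable except digitally signed, 4 = disable all without notification
$labels = @{ 1 = 'ALL MACROS ENABLED'; 2 = 'disabled with notification';
             3 = 'disabled except signed'; 4 = 'disabled, no notification' }

function Get-MacroSecurityStatus {
    $results = @()
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            foreach ($key in @($userKey, $policyKey)) {
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                if ($null -eq $props.VBAWarnings) { continue }
                $results += [pscustomobject]@{
                    Application = "$app $ver"
                    Key         = $key
                    VBAWarnings = $props.VBAWarnings
                    Meaning     = $labels[[int]$props.VBAWarnings]
                    # 1 means protection was turned off entirely, by a user or by a script
                    Tampered    = ($props.VBAWarnings -eq 1)
                    # AccessVBOM = 1 lets scripts modify VBA projects, another tamper sign
                    AccessVBOM  = $props.AccessVBOM
                }
            }
        }
    }
    return $results
}

# Enforce "disable all macros" via the Policies key, which Office applies over the user value.
function Set-MacrosBlocked {
    param([string]$Version = '16.0')
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Also block macros in files carrying the Mark of the Web (downloads, mail attachments)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

Get-MacroSecurityStatus | Format-Table -AutoSize
```

Rows with Tampered set to True (or AccessVBOM of 1) on a machine that was not deliberately configured that way are worth investigating alongside the document that was last opened; run Set-MacrosBlocked to restore and pin the blocking policy.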

List of Compromised Websites
