This is all about malware analysis, reverse engineering and some cool stuff

Friday, 11 January 2019

A new MuddyWater APT campaign spreads Backdoor RAT

January 11, 2019 Posted by SDKHERE , , , , , , No comments

MuddyWater is an APT group that has been active throughout 2017, targeting victims in the Middle East with in-memory vectors leveraging on Powershell.
In October 2018, Kaspersky Lab has already published a good analysis report on the malwares by this APT group.

Here I am publishing my analysis report on recent malware by this APT group which targetted several parts of the Middle East.
Sample -  8899c0dac9f6bb73ce750ae7b3250dbd (Virustotal)
References :

The document has obfuscated macro code which contains encrypted binary data. On execution, it decrypts the data and drops files and execute it.
The decryption function used in VBS macro is shown below.

With the help of this function, it decrypts lin(0) of the code shown in below image which is nothing but the header of a PE file.

The macro concatenate above lines and converts it in Ascii and stores it at "C:\users\public" with the name of "temp_rt_32.exe".
After that, it concatenates another code shown below and stores it at the same location with the name of ""

Location - C:\Users\Public
After that, the document ShellExecute the temp_rt_32.exe and exit itself.

temp_rt_32.exe :
temp_rt_32.exe is a UPX packed Delphi file. On execution, it extracts the file at %PUBLIC% location and executes "GoogleUpdate.exe"
And then it imports UP.txt file to the registry which is nothing but the RUN entry of GoogleUpdate.exe with the name of DVRStudio and exit itself.

GoogleUpdate.exe :
GoogleUpdate.exe is a RAT which downloads another malware in the system or uploads user's files to command and control server.
First of all, it creates a path ""\\Windows\\Microsoft\\FrameWork4""  in %APPDATA%.
Then it creates a unique machine ID by Base64 of username and Volume serial number. 
ID = base64_encode(username_volumeserialnumber)

After that, it checks the internet connectivity by resolving If it returns true, it will do the malicious activity otherwise it will wait for 5min.

If the internet is connected then it reads "C:\Users\Public\temp_gh_12.dat" which has following encoded data.

The above function will Base64 decode the data of, XOR the decoded data with the hardcoded key and then again Base64 decode the decrypted data.

Here the key is "UHIRER874893UIUOFUGHEWROUIRGH35"
so after decryption of temp_gh_12.dat file, it shows up a below URL.
The sample downloads the JSON file from the above URL and gets the URL of the CnC server.

Above jsonstore api has two CnC URLs. The sample will parse this URLs and proceed with the active one.
When it finds the active URL, It takes infected machine information, encode and encrypt it and stores it at %APPDATA%\\Windows\\Microsoft\\FrameWork4 with the name id_uniqueID (eg. id_dXTlbl9DRT).

The information is in below format.
Each info is first encoded with Base64 and then XOR encrypted by hardcoded key.

The sample reads this info from the file and sends it to the CnC server at the below URL.

The sample has Base64 encoded and XOR encrypted PowerShell script which is decrypted by the same encryption and encoded method describe above.

The decrypted PowerShell script looks like below.

The first function of the script gives all the usernames available in the system.
The second function will give all the environment variables present in the system path and all the services which are currently running in the system.
ipconfig /all - gives the network info of the system.

The sample runs this script and takes the output, encode and encrypt it with the same method described above and then stores it at %APPDATA%\\Windows\\Microsoft\\FrameWork4\\res_uniqueID.frk

After that, it reads the same file and send it to CnC server at below location and then deletes the file.

After all these initialization steps, control transfer to an infinite loop which takes care of all the action coming from server and act accordingly.

This loop first checks the internet connection by pinging to then it checks server connectivity by sending follwing request to server and comparing output with the hardcoded value.
The output of this request should be "wYbaej5avYrFb" which is hardcoded in the sample.

After handshaking, it reads action command by sending a request to following server URL with the unique machine ID.

Currently, there are only three commands are present in this version.
1. Download Filename URL: It downloads a file from URL and saves it as Filename at %APPDATA%\\Windows\\Microsoft\\FrameWork4
2. Upload FilePath: It uploads FilePath on the server at URL hxxp://

3. Powershell script: If the response of server is encoded and encrypted PowerShell script then it will run by the third function which is shown below.

IOCs :

Malicious word document : 8899c0dac9f6bb73ce750ae7b3250dbd
Zip dropper (temp_rt_32.exe) : 7C3DD70A4B1976481913E6B5A1FFBB77
Zip File ( : 5DB43101417247AE161C4425D0B96A70
RAT (GoogleUpdate.exe) : 6F44E57C81414355E3D0D0DAFDF1D80E

CnC URLs hosted on : hxxps://
CnC URL : hxxp://
CnC URL : hxxp://

Update - 13 Jan 2019

I have found some similar and recent malwares on Virustotal. All these samples have only one embedded PE file (GoogleUpdate.exe) which will be dropped in %TEMP%. In my case, this GoogleUpdate.exe was a Dotnet file embedded in the file and which was executed by temp_rt_32.exe. but here GoogleUpdate.exe is also a Dotnet file packed with enigma virtual box packer. Other than this, all the process and CnC servers are similar.
Here are the latest documents: (MD5)


Post a Comment