POWERSTATS
POWERSTATS, also known as Powermud, is a PowerShell-based backdoor associated with the Iran-linked MuddyWater threat group, also tracked as Seedworm, TEMP.Zagros, Earth Vetala, MERCURY, and Static Kitten. Reporting describes it as a first-stage backdoor used to maintain persistent access on victim systems and as a slowly evolving component of MuddyWater operations. It has been delivered through spear-phishing and malicious macro-enabled documents, including campaigns in which successful execution of weaponized documents installed POWERSTATS. MuddyWater has also used JavaScript and VBScript files to execute the POWERSTATS payload, and public reporting noted use of GitHub to host the backdoor in some attacks.
Documented capabilities include identifying the username on the compromised host, using WMI queries to retrieve data from infected systems, connecting to command-and-control infrastructure through proxies, encoding C2 traffic with Base64, encrypting C2 traffic with RSA, and using PowerShell for obfuscation and execution. The malware can also use JavaScript code for execution and can disable Microsoft Office Protected View by modifying Registry keys. Persistence has been established via a scheduled task created with schtasks.exe.
POWERSTATS has been linked to MuddyWater campaigns targeting government and private-sector organizations across the Middle East and beyond. Reported victim geographies include Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, the United States, and broader targeting in Asia and the Middle East. Reported targeted sectors include government, defense, telecommunications, local government, and oil and natural gas. Multiple sources indicate POWERSTATS activity may have later been superseded in some Seedworm intrusions by DLL side-loading of PowGoop, though reporting states there is insufficient evidence to confirm PowGoop as a direct evolution of POWERSTATS. Network-related details stated directly in the source reporting include use of proxy-based C2, Base64-encoded traffic, RSA-encrypted traffic, and one advisory reference to a MuddyWater PowerShell backdoor communicating over HTTP with 95.181.161.49 using XOR key 0x02.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Beyond using RMM software, "the attackers possess a vast arsenal of other malicious programs, including DarkBeatC2, PhonyC2, MuddyC2Go, PowerStats and MoriAgent," 360 said at the time.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
1 technique
With that in mind, past experience implies that this might be a two-stage spear-phishing campaign. In the first stage of the operation the attackers deliver a macro-embedded document. Depending on each sample, the content of the document is either a fake resume application, or a letter from the Ministry of Justice in Lebanon or Saudi Arabia.
Execution
7 techniques
Within the above-mentioned three-step POWERSTATS execution mechanism, the second step consists of running the obfuscated base64-encoded JavaScript. This code snippet leverages the Winmgmt WMI service classes Win32_Process and Win32_ProcessStartup.
It makes use of a scheduled task named “MicrosoftEdge” (the scheduled task name may differ from one sample to another) running daily at 12:00, which starts the three-step backdoor execution mechanism using the following command: "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"
We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents...
Malicious macro-embedded document used to launch an Excel process and a PowerShell command as first stage... Looking at the additional PowerShell code that is downloaded from the compromised domains, we identified a few variables and commands... PowerShell command de-obfuscates and executes POWERSTATS backdoor.
According to the highlighted output of the tool, we deduce that the macro code is intended to run when the document is opened, which in turn leads to the creation of an Excel process. This Excel process is immediately used as a parent process for running a PowerShell command.
The base64-encoded VBScript code is saved to a PowerShell variable called $vbs, then it is decoded and stored in another variable named $Content... The decoded VBScript code is responsible for running the obfuscated JavaScript code stored in another file masquerading as an image file “temp.jpg”. The VBE code is executed using WScript.exe.
Initialization of the three-step backdoor execution mechanism: 1) WScript.exe executes VBE code. 2) CScript.exe executes obfuscated JavaScript code. 3) PowerShell command de-obfuscates and executes POWERSTATS backdoor.
In each document you may find deceptive text and message boxes such as “the document has been made in an old version of Microsoft”. This lure method is common and has been in use systematically by MuddyWater, with the purpose of deceiving unsuspecting victims or getting them to click on either the “Enable Editing” or “Enable Content” buttons to execute the malicious macro.
Persistence
3 techniques
It makes use of a scheduled task named “MicrosoftEdge” (the scheduled task name may differ from one sample to another) running daily at 12:00, which starts the three-step backdoor execution mechanism using the following command: "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"
Sandworm Team modified in-registry internet settings to lower internet security... Ember Bear disables Windows Defender via registry key changes... JPIN can lower security settings by changing Registry keys... POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.
This mechanism involves creating a registry key called “MicrosoftEdge”, with a value corresponding to the command that is responsible for initializing the above-mentioned three-step backdoor execution mechanism: ... "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -k 'MicrosoftEdge' -v 'c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe'
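The excerpts above describe one observable chain: Excel spawning PowerShell, a schtasks.exe /Create pointing at wscript.exe, and a script host running a .vbe from C:\Windows\temp. The following detection logic over process-creation telemetry is an added example (not code from the page, the cited reports, or Mallory); the event records are constructed to mirror Sysmon Event ID 1 fields, and the rule names are hypothetical.

```python
import re
from typing import Iterable

# Patterns for the POWERSTATS chain quoted above (added example, not vendor code).
OFFICE = re.compile(r"\\(excel|winword|powerpnt)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe", re.I)
TEMP_SCRIPT = re.compile(r"\\temp\\[^\s\"']+\.(vbe|vbs|js|jse)\b", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\"?\s+.*?/create\b", re.I)

def classify(event: dict) -> list[str]:
    """Return the hypothetical rule names that fire for one process-creation event."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    hits = []
    # Step 1 of the chain: an Office application is the parent of PowerShell.
    if OFFICE.search(parent) and image.lower().endswith("\\powershell.exe"):
        hits.append("office_spawns_powershell")
    # Persistence: schtasks /Create whose action is a script host running a temp-dir script.
    if SCHTASKS_CREATE.search(cmd) and SCRIPT_HOST.search(cmd) and TEMP_SCRIPT.search(cmd):
        hits.append("schtasks_persists_script_host")
    # Execution: wscript/cscript itself launching a .vbe/.vbs/.js out of a temp directory.
    if SCRIPT_HOST.search(image) and TEMP_SCRIPT.search(cmd):
        hits.append("script_host_runs_temp_script")
    return hits

def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Pair each event id with every rule it triggers."""
    return [(e["Id"], h) for e in events for h in classify(e)]

SAMPLE_EVENTS = [  # constructed records modelled on Sysmon Event ID 1
    {"Id": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -NoProfile"},
    {"Id": "2", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"'},
    {"Id": "3", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"},
    {"Id": "4", "ParentImage": r"C:\Windows\explorer.exe",  # benign: a query, no temp script
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /Query /TN Backup"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(event_id, rule)
```

The Run-key variant quoted above is not visible in process-creation events; it needs registry-write telemetry (for example Sysmon Event ID 13 on HKCU\...\CurrentVersion\Run) matched on the same wscript.exe plus temp-path script value.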
Privilege Escalation
3 techniques
It makes use of a scheduled task named “MicrosoftEdge” (the scheduled task name may differ from one sample to another) running daily at 12:00, which starts the three-step backdoor execution mechanism using the following command: "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"
This mechanism involves creating a registry key called “MicrosoftEdge”, with a value corresponding to the command that is responsible for initializing the above-mentioned three-step backdoor execution mechanism: ... "HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -k 'MicrosoftEdge' -v 'c:\windows\system32\wscript.exe C:\Windows\temp\Windows.vbe'
Stealth
7 techniques
Obfuscated source code hosted on compromised domains is retrieved and executed as the second stage for POWERSTATS backdoor propagation. The main source code consists of PowerShell commands and variables. These variables are then divided into multiple layers of obfuscated, intertwined encoded VBScript (VBE), JavaScript and PowerShell code.
Figure 6: 3cbc[.]net open directory hosting second-stage PowerShell code masquerading as an icon.icon file ...
Figure 7: Israeli domain pazazta[.]com open directory: second-stage PowerShell code masquerading as an icon.png photo ...
The decoded VBScript code is responsible for running the obfuscated JavaScript code stored in another file masquerading as an image file “temp.jpg”.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Starting from Feb. 27, 2018, hackers used a new variant of the macro that does not use VBS for PowerShell code execution. The new variant uses new code execution techniques leveraging INF and SCT files.
Defense Impairment
1 technique
Sandworm Team modified in-registry internet settings to lower internet security... Ember Bear disables Windows Defender via registry key changes... JPIN can lower security settings by changing Registry keys... POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.
Discovery
4 techniques
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
Command and Control
4 techniques
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
As can be seen in the process tree... the PowerShell command leads to downloading and executing additional PowerShell code derived from certain compromised domains... several samples downloading the same payload, while a few samples downloaded a base64-encoded version of the same payload.
Exfiltration
1 technique
IOCs tracked for this family
44 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
65 sources tracked across advisories, community write-ups, and news.
A backdoor/tool used in early MuddyWater-attributed operations against Middle East organizations.
Malware/backdoor used in spear-phishing campaigns; associated with PowerShell-based backdoor activity.
A malware family referenced through its command-and-control traffic profile, using outbound HTTPS to cloud-hosted IPs without associated domain names.
A custom backdoor used by MuddyWater in targeted attacks against the Middle East in 2017.