A new PowerShell backdoor malware has been discovered targeting Turkey. The malware shares several similarities with MuddyWater tools. MuddyWater is a skillful cyberespionage group that has previously targeted victims across the Middle East and Central Asia.
Security experts believe that the phishing campaign distributing the new backdoor shares striking similarities with MuddyWater’s TTPs. The new backdoor is capable of harvesting information such as OS name, domain name, username, IP address, and more.
According to security researchers at Trend Micro, who discovered the new backdoor, Powerstats, MuddyWater’s own backdoor, also shares similarities with the new malware. However, unlike Powerstats, the data-stealing and C2 communications are conducted by using the API of a cloud file hosting provider.
The campaign uses documents that pose as coming from the Turkish government as lures and prompts the victims into enabling macros. The macros contain strings encoded in base52, which is known to be used by MuddyWater.
“When we analyzed further, we saw that the communication methods use files named <md5(hard disk serial number)> with various extensions depending on the purpose of the file,” Trend Micro researchers said in a blog. “In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command. The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.
The campaign targeted Turkish government organizations, primarily those connected to the energy and finance sectors. The choice of targets is yet another similarity that this campaign shares with MuddyWater. The hacker group has previously targeted attacks against multiple government entities.
Despite the numerous similarities that the new campaign and backdoor shares with MuddyWater’s TTPs, it is still unclear whether the campaign is the work of MuddyWater or threat actors with any links to MuddyWater.
“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro researchers added.