New PRB-Backdoor malware detected that can steal browsing history, steal passwords and log keystrokes

A new malware dubbed PRB-Backdoor has been found distributed via Word Documents that can gather information, steal passwords and execute multiple other malicious commands. According to the researcher behind the cybersecurity blog Security 0wnage, the malware sample was initially suspected to be related to the MuddyWater cyber espionage campaign that targeted various industries in the Middle East and Central Asia.

The security researcher notes in a blog post that ClearSky security suspected a possible link "because the sample had some similarities with the way MuddyWater lures look like and some similarities in some PowerShell obfuscation, in specific the character substitution routine." However, after analyzing the sample, the researcher concluded that it is a different, but interesting strain of malware.

PRB-Backdoor was uncovered in a macro-laced Word document called “Egyptairplus.doc” with an MD5 hash. The malicious Macro code contains a function called Worker() that calls a number of other functions embedded in the document to run a Powershell command.

The PowerShell command first scans for a piece of data embedded in the document that begins with "**" and decodes it using Base64 to reveal a PowerShell script that shares similarities with MuddyWater code "due to the use of the Character Substitution functions."

"When the encrypted Backdoor code is passed through this script it will be decrypted into the full fledged Backdoor code," the researcher explains. "Running the sample in a sandbox did not show any network communication."

Once the malware establishes connection with the C&C server, it is capable of retrieving browsing history from different browsers including Chrome, Firefox and Internet Explorer. Other capabilities include the ability to steal passwords, modify hard disk data, retrieve system information, take a screenshot of the screen, log keystrokes and more.

The backdoor contains more than 2000 lines of code. As the main function in the code started with PRB, the backdoor is named as PRB-Backdoor.

Given the malware's diverse code and capabilities, Security 0wnage believes more samples and lures are likely in the wild and could be uncovered in the future.