Posts

Showing posts from March, 2018

A Quick Dip into MuddyWater's Recent Activity

Image
INTRODUCTIONSince my last blog-post on MuddyWater operations, they seem to have been continuing their activities and as expected developing/changing some of their tactics and techniques. It is still apparent their heavy focus on layered obfuscation and preference for PowerShell. However, I will highlight what changed based on the sample that I will be analyzing.
This started with the sample "idrbt.doc" - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 uploaded to VT on February 27, 2017.

IDRBT stands for Institute for Development and Research in Banking Technology which according to Wikipedia is an institution exclusively focused on Banking Technology. Established by the Reserve Bank of India (RBI) in 1996, the Institution works at the intersection of Banking and Technology. It is located in Hyderabad, India. Right from carrying out cutting-edge Development and Research, enabling creation of technology infrastructure to moulding the technology talent required …