Security 0wnage

INTRODUCTION The great people at ClearSky  reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater.  They suspected so because the sample had some similarities with the way MuddyWater lures look like and some similarities in some PowerShell obfuscation, in specific the character substitution routine. MuddyWater Sample New Sample However, after analyzing the sample and investigating it more, I was able to showcase that this is indeed something different but nonetheless interesting. This blog is a walk through my analysis and will highlight initial insights into this potential attack. THE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELL The sample that was shared with me is a macro laced word document called "Egyptairplus.doc " with an MD5 hash of  fdb4b4520034be269a65cfaee555c52e .  The macro code contains a function called Worker() which calls multiple other functions embedded in the document to u

INTRODUCTION It has been over 2 months since I last wrote about MuddyWater or Temp.Zagros as named by FireEye . To be honest, I felt they were going quiet for a while; but boy was I wrong. Starting this week I have picked up some new interesting samples. Although these new samples have lots of similarities with the ones from earlier in the year, there are still some interesting aspects and additional, you guessed it, obfuscation used in the new samples. Their heavy focus on layered obfuscation and preference for PowerShell is still apparent. However, I will highlight what changed based on the samples that I have analyzed. Below are screenshots of some of the recent lure documents used by this group. All Hashes are at the end of the blog. You can see from the above screenshots that their targeting seem to continue to focus on the Middle East Region (Turkey and Iraq) and Pakistan. As mentioned in my previous blogs , these lures can give us an idea of the organizations and indust