Posts

PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions

INTRODUCTION
The great people at ClearSky reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater. They suspected so because the sample had some similarities with the way MuddyWater lures look and some similarities in the PowerShell obfuscation, specifically the character substitution routine.

[Figures: MuddyWater sample; new sample]

However, after analyzing the sample and investigating it further, I was able to show that this is indeed something different, but nonetheless interesting. This blog is a walk-through of my analysis and will highlight initial insights into this potential attack.

THE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELL
The sample that was shared with me is a macro-laced Word document called "Egyptairplus.doc" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embed...

Clearing the MuddyWater - Analysis of new MuddyWater Samples

INTRODUCTION
It has been over 2 months since I last wrote about MuddyWater, or Temp.Zagros as named by FireEye. To be honest, I felt they were going quiet for a while; but boy, was I wrong. Starting this week I have picked up some new, interesting samples. Although these new samples have lots of similarities with the ones from earlier in the year, there are still some interesting aspects and additional, you guessed it, obfuscation used in the new samples. Their heavy focus on layered obfuscation and preference for PowerShell are still apparent. However, I will highlight what changed based on the samples that I have analyzed. Below are screenshots of some of the recent lure documents used by this group. All hashes are at the end of the blog. You can see from the above screenshots that their targeting seems to continue to focus on the Middle East region (Turkey and Iraq) and Pakistan. As mentioned in my previous blogs, these lures can give us an idea of the organizations and indust...

A Quick Dip into MuddyWater's Recent Activity

INTRODUCTION
Since my last blog post on MuddyWater operations, they seem to have been continuing their activities and, as expected, developing/changing some of their tactics and techniques. Their heavy focus on layered obfuscation and preference for PowerShell are still apparent. However, I will highlight what changed based on the sample that I will be analyzing. This started with the sample "idrbt.doc" - 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0 - uploaded to VT on February 27, 2017. IDRBT stands for Institute for Development and Research in Banking Technology, which according to Wikipedia is an institution exclusively focused on banking technology. Established by the Reserve Bank of India (RBI) in 1996, the institution works at the intersection of banking and technology. It is located in Hyderabad, India. Right from carrying out cutting-edge development and research, enabling creation of technology infrastructure to moulding the ...