Detecting a MuddyWater APT using the RSA NetWitness Platform

HalimAbouzeid
2019-11-21 10:45 AM

MuddyWater

MuddyWater is a state-sponsored threat group suspected to be linked to Iran. It has mainly been targeting organizations in the Telecommunications, Government and Oil sectors across the Middle East region.

The group relied on spear phishing emails with macro-infected Word documents in the past (as seen in a previous post) and has recently been using similar techniques with Excel documents in a new wave of attacks during October-November 2019.

In this post we will look at one of those Excel files used in the latest campaign and identify ways to detect it using RSA NetWitness Network and Endpoint.

The following is the file used in this article:

Filename: Report.xls
SHA256: 905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148

Execution

In a real attack, the file would be delivered via email to its target. In our case, we will manually execute it.

This particular sample must be named “Report.xls” or it will fail to execute.

When the file is opened, the user sees the following message asking them to enable editing and content. This is a lure to trick the user into enabling macros.

[Image: execution 1.png]

Once content is enabled, the following two files are dropped in “C:\Users\<user>\AppData\Local\Temp”:

[Image: execution 2.png]

Endpoint Visibility

By leveraging RSA NetWitness Endpoint, we can quickly see that Excel, even though it is a known legitimate file, has an elevated risk score based on its behavior.

[Image: endoint1.png]

By tracking the events on the endpoint, we can see the below behaviors:

[Image: endpoint2.png]

  1. Excel creates the “wucj.exe” file.
  2. The “wucj.exe” file is executed.
  3. “wucj.exe” loads the “zdrqgswu” file, which appears to be a VB script; this leads to two network connections over TCP/80 to the “ampacindustries.com” domain.

By looking at the registry changes made by Excel, we can also see that a key has been created to run at startup, giving the malware persistence across reboots.

[Image: endpoint3.png]

If we look more closely at the “wucj.exe” file, we notice that it is a known and valid Microsoft file. We can confirm this by searching for its hash on VirusTotal. The file is actually a renamed copy of “wscript.exe”, the Windows Script Host used to run VB scripts, which is consistent with the behavior observed.

[Image: endpoint4.png]
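As an added example (not part of the original post), the following Python turns the endpoint behaviors described above into simple detection logic over constructed telemetry. The event schema, the sample paths and Run key value name, and the wscript.exe hash placeholder are assumptions; only the chain itself (Office drops an executable into Temp, the dropped file runs, the file is a renamed wscript.exe, Office writes a Run key) comes from the post.

```python
# Added example: detection rules over constructed endpoint events.
# Field names (type, process, path, image, sha256, key) are assumed, not NetWitness's schema.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Placeholder for the known-good wscript.exe hash (look it up on VirusTotal in practice).
KNOWN_WSCRIPT_SHA256 = "PLACEHOLDER_WSCRIPT_SHA256"
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run"


def detect(events):
    """Return a list of (rule_name, detail) findings for a chronological list of event dicts."""
    findings = []
    office_drops = set()  # lowercase paths of executables written by an Office process
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "file_write" and proc in OFFICE_APPS:
            path = ev["path"].lower()
            # Office writing an executable into %LocalAppData%\Temp is the first stage seen above.
            if "\\appdata\\local\\temp\\" in path and path.endswith((".exe", ".dll")):
                office_drops.add(path)
                findings.append(("office_drops_executable", ev["path"]))
        elif ev["type"] == "process_start":
            image = ev["image"].lower()
            if image in office_drops:
                findings.append(("office_dropped_file_executed", ev["image"]))
            # A known wscript.exe hash running under another name (wucj.exe in the post).
            if ev.get("sha256") == KNOWN_WSCRIPT_SHA256 and not image.endswith("\\wscript.exe"):
                findings.append(("renamed_wscript", ev["image"]))
        elif ev["type"] == "registry_set" and proc in OFFICE_APPS:
            # Office creating a Run key is the persistence step seen in the registry changes.
            if RUN_KEY_FRAGMENT in ev["key"].lower():
                findings.append(("office_sets_run_key", ev["key"]))
    return findings


# Constructed sample telemetry mirroring the chain above, plus one benign wscript.exe launch.
SAMPLE_EVENTS = [
    {"type": "file_write", "process": "EXCEL.EXE", "path": r"C:\Users\demo\AppData\Local\Temp\wucj.exe"},
    {"type": "file_write", "process": "EXCEL.EXE", "path": r"C:\Users\demo\AppData\Local\Temp\zdrqgswu"},
    {"type": "process_start", "process": "EXCEL.EXE", "image": r"C:\Users\demo\AppData\Local\Temp\wucj.exe",
     "sha256": KNOWN_WSCRIPT_SHA256},
    {"type": "registry_set", "process": "EXCEL.EXE",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_start", "process": "explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "sha256": KNOWN_WSCRIPT_SHA256},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign wscript.exe launch from its normal path produces no finding, while the renamed copy dropped by Excel triggers three rules before the Run key is even written.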

Network Visibility

In the previous steps, we saw that the VB script initiated a connection over TCP/80 to the “ampacindustries.com” domain.

If we look at the details of this network connection in RSA NetWitness Network, we can see that the domain matches one of the Threat Intelligence feeds.

[Image: network1.png]

If we then reconstruct the session to look at the raw data, we can see that the malware sends the following within the HTTP GET request:

  • The username: rsa
  • The hostname: DEMO-USER-1
  • The Operating System: Windows (32-bit) NT 6.01

[Image: network2.png]

Indicators of Compromise

The following are some additional indicators that can be used to detect the presence of a compromise.

Command & Control Domains

URLs

hxxp://graphixo.net/wp-includes/utf8.php

hxxp://ksahosting.net/wp-includes/utf8.php

hxxps://assignmenthelptoday.com/wp-includes/utf8.php

hxxps://annapolisfirstlimo.com/editob.nvd

hxxp://ampacindustries.com/css/utf8.php
