MuddyWater APT Detection Using the RSA NetWitness Platform

HalimAbouzeid
‎2018-10-15 07:25 AM

MuddyWater is an APT group whose targets have mainly been in the Middle East (the Kingdom of Saudi Arabia, the United Arab Emirates, Jordan, Iraq, ...), with a focus on oil, military, telecommunications and government entities.

The group uses spear phishing as its initial vector. The email carries an attached Word document that tries to trick the user into enabling macros. The attachment's filename and content are usually tailored to the target, for example by using the target's language.

In the example below, we look at the behavior of the following malware sample:

SHA-256: bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd

MD5: 16ac1a2c1e1c3b49e1a3a48fb71cc74f

Filetype: MS Word Document

Endpoint Behavior

This specific sample is aimed at an Arabic-speaking victim in Jordan; its filename "معلومات هامة.doc" translates to "important information.doc". Other variants contain content in Turkish, Pakistani, and other languages.

[Screenshot: 1-word doc.PNG]

 

The document shows blurred Arabic text with a message telling the target to enable content (and therefore macros) to unlock the rest of the document.

 

Once the user clicks "Enable Content", the following behaviors become visible in RSA NetWitness Endpoint.

[Screenshot: 2- Tracking A.PNG]

 

1- The user opens the file. In this case the file was opened from the Desktop folder; had it been opened from email, the parent would have shown as "outlook.exe" instead of "explorer.exe".

2- The malware uses "rundll32.exe" to execute the dropped file (C:\ProgramData\EventManager.log), which helps it evade detection because the module is not a .dll.

3- Powershell is then used to decode the payload of another dropped file ("C:\ProgramData\WindowsDefenderService.ini") and execute it. Since the full arguments of the Powershell command are recorded, an analyst can use them to decode the content of the "WindowsDefenderService.ini" file for further analysis.

4- Powershell modifies the "Run" registry key so that the payload runs at startup.

5- Scheduled tasks are also created.

After this, the malware only continues execution after a restart (possibly as a layer of protection against sandboxes).

[Screenshot: 2- Tracking B.PNG]

 

6- The infected machine is restarted.

7- An additional powershell script, "a.ps1", is dropped.

8- Some Windows security settings are disabled (such as Windows Firewall, Antivirus, ...).
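The chain above (Office document spawning rundll32, rundll32 loading a non-DLL file, encoded powershell, a Run-key write and a scheduled task created from a script host) is what a behavioral scoring engine keys on. The following is an added example, not NetWitness Endpoint code or its IIOC logic: a small rule set run over constructed events whose field names (type, parent, image, cmdline, key, task) and weights are assumptions chosen to mirror the steps described in the post. The benign rundll32 event at the end shows why the module-extension check matters: rundll32 launching a real DLL from explorer.exe is normal and must not fire.

```python
"""Added example: behaviour-chain triage over constructed endpoint events.

Not NetWitness code. Event fields and rule weights are assumptions."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# HKCU/HKLM ...\CurrentVersion\Run or RunOnce autostart keys
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# -e / -enc / -EncodedCommand switches, or inline base64 decoding
ENCODED_PS = re.compile(r"-e(nc|ncodedcommand)?\b|FromBase64String", re.IGNORECASE)
# first argument handed to rundll32, i.e. the module it will load
RUNDLL32_MODULE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.IGNORECASE)

# Constructed sample events tracing the post's chain (step numbers in comments);
# the export name after the comma and the base64 blob are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe",        # step 1
     "cmdline": r'winword.exe "C:\Users\user\Desktop\important information.doc"'},
    {"type": "process", "parent": "winword.exe", "image": "rundll32.exe",        # step 2
     "cmdline": r"rundll32.exe C:\ProgramData\EventManager.log,entry"},
    {"type": "process", "parent": "rundll32.exe", "image": "powershell.exe",     # step 3
     "cmdline": "powershell.exe -w hidden -EncodedCommand <base64 placeholder>"},
    {"type": "registry", "image": "powershell.exe",                              # step 4
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderService"},
    {"type": "task", "image": "powershell.exe", "task": "WindowsDefenderService"},  # step 5
    {"type": "process", "parent": "explorer.exe", "image": "rundll32.exe",       # benign
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def office_spawns_lolbin(ev):
    """Office application directly launching a living-off-the-land binary."""
    if ev["type"] == "process" and ev.get("parent", "").lower() in OFFICE_APPS \
            and ev["image"].lower() in LOLBINS:
        return f"{ev['parent']} spawned {ev['image']}"
    return None


def rundll32_non_dll_module(ev):
    """rundll32 asked to load a module whose extension is not .dll."""
    if ev["type"] != "process" or ev["image"].lower() != "rundll32.exe":
        return None
    m = RUNDLL32_MODULE.match(ev["cmdline"])
    if m and not m.group(1).lower().endswith(".dll"):
        return f"rundll32 loading non-DLL module {m.group(1)}"
    return None


def encoded_powershell(ev):
    """powershell started with an encoded command line or inline base64 decode."""
    if ev["type"] == "process" and ev["image"].lower() == "powershell.exe" \
            and ENCODED_PS.search(ev["cmdline"]):
        return "powershell with encoded/base64 command line"
    return None


def powershell_run_key(ev):
    """powershell writing an autostart Run key (persistence)."""
    if ev["type"] == "registry" and ev["image"].lower() == "powershell.exe" \
            and RUN_KEY.search(ev["key"]):
        return f"powershell wrote Run key {ev['key']}"
    return None


def scripted_task_creation(ev):
    """Scheduled task created by a script host rather than an installer or admin tool."""
    if ev["type"] == "task" and ev["image"].lower() in {"powershell.exe", "rundll32.exe"}:
        return f"scheduled task {ev['task']} created by {ev['image']}"
    return None


# (rule, weight): weights are illustrative, not NetWitness IIOC scores
RULES = [(office_spawns_lolbin, 30), (rundll32_non_dll_module, 60),
         (encoded_powershell, 40), (powershell_run_key, 80), (scripted_task_creation, 60)]


def triage(events):
    """Return (alerts, cumulative behavioural score) for a list of events."""
    alerts, score = [], 0
    for ev in events:
        for rule, weight in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
                score += weight
    return alerts, score


if __name__ == "__main__":
    found, total = triage(SAMPLE_EVENTS)
    print(f"score={total}")
    for line in found:
        print(" -", line)
```

Each rule on its own would also fire on some legitimate admin activity; the value is in the cumulative score within one process tree, which is the same idea the post's behavioral score of 386 expresses.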

 

 

 

Looking at the network activity on the endpoint, we can see that powershell generated a number of connections to multiple domains and IPs (possible C2 domains).

[Screenshot: 4- Network.PNG]

 

 

Network Behavior

To look at the network side in more detail, we can leverage the traffic captured by RSA NetWitness Network.

[Screenshot: web traffic.PNG]

 

On RSA NetWitness Network we can see the communication from the infected machine (192.168.1.128) to multiple domains and IP addresses over HTTP, matching what originated from powershell on RSA NetWitness Endpoint.

We can also see that most of the traffic targets "db-config-ini.php". This suggests that the attacker has compromised several legitimate websites and that the "db-config-ini.php" file is attacker-controlled.

 

Having the full payload of the session in RSA NetWitness Network, we can reconstruct it to confirm that it does in fact look like beaconing to a C2 server.

 

[Screenshot: beacon.PNG]

 

Even though the websites used might be legitimate (but compromised), we can still see suspicious indicators, such as:

  • POST request without a GET
  • Missing Headers
  • Suspicious / No User-Agent
  • High number of 404 Errors
  • ...
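The indicators in that list are all computable from HTTP session metadata, per destination host. As an added example (not NetWitness code, and not a parser for its packet meta; the session records, their field names and the thresholds are constructed assumptions), the function below groups sessions by host and reports POST-without-GET, missing Accept headers, absent or non-browser User-Agent, a high 404 ratio, a suspiciously regular request interval, and the post's cross-host clue: the same path ("db-config-ini.php") requested on several unrelated sites. The constructed sample mixes beaconing to three of the post's domains with ordinary browsing to www.example.com, which must produce no finding.

```python
"""Added example: per-host HTTP anomaly checks over constructed sessions.

Not NetWitness code; records, field names and thresholds are assumptions."""
import statistics
from collections import defaultdict

MIN_REQUESTS = 3          # ratio/interval checks need a few samples to mean anything
NOT_FOUND_RATIO = 0.5     # flag when at least half the responses are 404
INTERVAL_CV = 0.2         # coefficient of variation below which timing looks scripted
SHARED_PATH_HOSTS = 3     # same path on this many hosts hints at attacker-owned files

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/62.0"
BEACON_HDR = {"Content-Type": "application/x-www-form-urlencoded"}

# Constructed sample sessions; "t" is seconds from the start of the capture.
SAMPLE_SESSIONS = [
    # beaconing to a compromised site: POST only, no User-Agent, mostly 404, ~60s apart
    {"t": 0,   "src": "192.168.1.128", "host": "wegallop.com", "method": "POST",
     "path": "/db-config-ini.php", "headers": dict(BEACON_HDR), "status": 404},
    {"t": 60,  "src": "192.168.1.128", "host": "wegallop.com", "method": "POST",
     "path": "/db-config-ini.php", "headers": dict(BEACON_HDR), "status": 404},
    {"t": 121, "src": "192.168.1.128", "host": "wegallop.com", "method": "POST",
     "path": "/db-config-ini.php", "headers": dict(BEACON_HDR), "status": 404},
    {"t": 180, "src": "192.168.1.128", "host": "wegallop.com", "method": "POST",
     "path": "/db-config-ini.php", "headers": dict(BEACON_HDR), "status": 200},
    # second compromised site, same attacker file, stub User-Agent
    {"t": 30,  "src": "192.168.1.128", "host": "apidubai.ae", "method": "POST",
     "path": "/db-config-ini.php", "headers": {"User-Agent": "Mozilla/4.0", **BEACON_HDR}, "status": 404},
    {"t": 90,  "src": "192.168.1.128", "host": "apidubai.ae", "method": "POST",
     "path": "/db-config-ini.php", "headers": {"User-Agent": "Mozilla/4.0", **BEACON_HDR}, "status": 404},
    {"t": 150, "src": "192.168.1.128", "host": "apidubai.ae", "method": "POST",
     "path": "/db-config-ini.php", "headers": {"User-Agent": "Mozilla/4.0", **BEACON_HDR}, "status": 404},
    # third site, single request: still POST-only, headerless and UA-less
    {"t": 45,  "src": "192.168.1.128", "host": "alaqaba.com", "method": "POST",
     "path": "/db-config-ini.php", "headers": dict(BEACON_HDR), "status": 404},
    # ordinary browsing: GET then POST, full browser headers
    {"t": 5,   "src": "192.168.1.128", "host": "www.example.com", "method": "GET", "path": "/",
     "headers": {"User-Agent": BROWSER_UA, "Accept": "text/html", "Accept-Language": "en-US"}, "status": 200},
    {"t": 8,   "src": "192.168.1.128", "host": "www.example.com", "method": "POST", "path": "/login",
     "headers": {"User-Agent": BROWSER_UA, "Accept": "text/html", "Accept-Language": "en-US",
                 "Referer": "https://www.example.com/"}, "status": 302},
]


def analyse(sessions):
    """Return {host: [reasons]} for every host with at least one anomaly."""
    by_host = defaultdict(list)
    path_hosts = defaultdict(set)
    for s in sessions:
        by_host[s["host"]].append(s)
        path_hosts[s["path"]].add(s["host"])

    findings = {}
    for host, reqs in by_host.items():
        reasons = []
        methods = {r["method"] for r in reqs}
        if "POST" in methods and "GET" not in methods:
            reasons.append("POST without any GET")
        for name in ("Accept", "Accept-Language"):
            if not any(name in r["headers"] for r in reqs):
                reasons.append(f"missing header {name}")
        uas = [r["headers"].get("User-Agent") for r in reqs]
        if not all(uas):
            reasons.append("no User-Agent")
        elif not all(ua.startswith("Mozilla/5.0") for ua in uas):   # toy browser check
            reasons.append("suspicious User-Agent")
        if len(reqs) >= MIN_REQUESTS:
            ratio = sum(r["status"] == 404 for r in reqs) / len(reqs)
            if ratio >= NOT_FOUND_RATIO:
                reasons.append(f"404 ratio {ratio:.2f}")
            times = sorted(r["t"] for r in reqs)
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < INTERVAL_CV:
                reasons.append(f"regular interval ~{mean:.0f}s")
        for p in sorted({r["path"] for r in reqs}):
            if len(path_hosts[p]) >= SHARED_PATH_HOSTS:
                reasons.append(f"path {p} seen on {len(path_hosts[p])} hosts")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_SESSIONS).items():
        print(host, "->", "; ".join(reasons))
```

The shared-path check is the cheapest way to pivot from one known C2 URL to the rest of the compromised sites: once "db-config-ini.php" is known, every host serving it to the same source is worth a look even if its other indicators are weak, as with the single-request host in the sample.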

 

 

 

Conclusions

We can see how the attacker uses legitimate, trusted, and possibly whitelisted binaries such as powershell and rundll32 to evade detection. The attacker also uses innocuous names for the dropped files and scripts, such as "EventManager" and "WindowsDefenderService", to avoid raising suspicion among analysts.

 

As shown in the screenshot below, even though "WmiPrvSE.exe" is a legitimate Microsoft file (it carries a valid Microsoft signature and has a known trusted hash), its behavioral activity (listed in the Instant IOC section) lets us assign it a high behavioral score of 386. It should also be noted that any of the suspicious IIOCs detected here could trigger a real-time alert over Syslog or E-Mail for early detection, even though the attacker is using advanced techniques to avoid detection.

 

[Screenshot: iocs.PNG]

 

 

Similarly, on the network, even though the attacker leverages (compromised) legitimate sites, a standard protocol (HTTP) and encrypted payloads to avoid detection and suspicion, it is still possible to detect these behaviors with RSA NetWitness Network by looking for indicators such as POST without GET, suspicious user agents, missing headers, or other anomalies.

 

 

 

 

Indicators

The following IOCs can be used to check whether activity from this APT currently exists in your environment.

This list is not exhaustive and is based only on what was observed during this test.

 

Malware Hash

SHA-256: bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd

MD5: 16ac1a2c1e1c3b49e1a3a48fb71cc74f

 

Domains

  • wegallop.com
  • apidubai.ae
  • hmholdings360.co.za
  • alaqaba.com
  • triconfabrication.com
  • themotoringcalendar.co.za
  • nakoserum.com
  • mediaology.com.pk
  • goolineb2b.com
  • addorg.org
  • mumtazandbrohi.com
  • pmdpk.com
  • buy4you.pk
  • gcmbdin.edu.pk
  • mycogentrading.com
  • ipripak.org
  • botanikbahcesi.com
  • dailysportsgossips.com
  • ambiances-toiles.fr
  • britishofficefitout.com
  • canbeginsaat.com

 

IP Addresses

  • 195.229.192.139
  • 185.56.88.14
  • 196.40.100.202
  • 45.33.114.180
  • 173.212.229.48
  • 54.243.123.39
  • 196.41.137.185
  • 209.99.40.223
  • 192.185.166.227
  • 89.107.58.132
  • 86.107.58.132
  • 192.185.166.225
  • 192.185.75.15
  • 94.130.116.248
  • 192.169.82.62
  • 86.96.202.165
  • 196.40.100.204
  • 192.185.166.22
  • 5.250.241.18
  • 104.18.54.26
  • 217.160.0.2
  • 192.185.24.71
  • 185.82.222.239
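A sweep against this list needs a little more than exact string comparison: DNS logs carry trailing dots and subdomains, proxy logs carry ports and mixed case, and hashes arrive in either case. The following is an added example, not NetWitness code: it loads a subset of the post's own indicators and runs constructed DNS, proxy and file events through label-wise domain matching (so "www.wegallop.com" matches but "notwegallop.com" does not), exact IP matching and case-insensitive hash matching. The event field names (query, host, dst_ip, sha256, md5) are assumptions.

```python
"""Added example: sweeping constructed log events against the post's indicators.

Not NetWitness code. The indicators are a subset copied from the post; the
events and their field names are constructed for illustration."""

IOC_DOMAINS = {"wegallop.com", "apidubai.ae", "alaqaba.com", "ipripak.org",
               "mediaology.com.pk", "gcmbdin.edu.pk"}
IOC_IPS = {"195.229.192.139", "185.56.88.14", "45.33.114.180", "185.82.222.239"}
IOC_HASHES = {"bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd",
              "16ac1a2c1e1c3b49e1a3a48fb71cc74f"}

# Constructed sample events from three log sources.
SAMPLE_EVENTS = [
    {"src": "dns",   "query": "www.wegallop.com."},                       # subdomain, DNS dot
    {"src": "proxy", "host": "WEGALLOP.COM:443", "dst_ip": "203.0.113.10"},  # case + port
    {"src": "proxy", "host": "update.example.net", "dst_ip": "185.56.88.14"},  # IP only
    {"src": "dns",   "query": "notwegallop.com"},                          # must NOT match
    {"src": "file",  "sha256": "bfb4fc96c1ba657107c7c60845f6ab720634c8a9214943b5221378a37a8916cd".upper()},
    {"src": "file",  "md5": "d41d8cd98f00b204e9800998ecf8427e"},          # benign: MD5 of empty input
]


def normalise_host(value):
    """Lowercase, drop a trailing DNS dot and a single :port suffix."""
    host = value.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def match_domain(host):
    """Return the indicator that host equals or is a subdomain of, else None.

    Matching walks label boundaries, so a look-alike such as 'notwegallop.com'
    is not treated as a hit for 'wegallop.com'."""
    labels = normalise_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def match_ip(ip):
    ip = ip.strip()
    return ip if ip in IOC_IPS else None


def match_hash(digest):
    digest = digest.strip().lower()
    return digest if digest in IOC_HASHES else None


def sweep(events):
    """Return (event index, indicator kind, matched indicator) for every hit."""
    hits = []
    for idx, ev in enumerate(events):
        for field in ("query", "host"):
            if field in ev and (m := match_domain(ev[field])):
                hits.append((idx, "domain", m))
        if "dst_ip" in ev and (m := match_ip(ev["dst_ip"])):
            hits.append((idx, "ip", m))
        for field in ("sha256", "md5"):
            if field in ev and (m := match_hash(ev[field])):
                hits.append((idx, "hash", m))
    return hits


if __name__ == "__main__":
    for idx, kind, value in sweep(SAMPLE_EVENTS):
        print(f"event {idx}: {kind} matched {value} ({SAMPLE_EVENTS[idx]['src']})")
```

Since several of the listed IPs belong to shared hosting ranges (and the compromised sites are legitimate), treat an IP-only hit as a lead to pivot on rather than a verdict, and weight domain and hash hits higher.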