Trend Micro: MuddyWater is using a new version of it’s POWERSTATS backdoor, the v.3, via spear-phishing email
MuddyWater, the Iranian state-sponsored cyber-espionage group, has updated it’s. It has been discovered by Trend Micro cyber security experts. According to the company,’s blog, the researchers found new campaigns that appear to be the work off the APT. Analyzing them revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. One of them is a new multi-stage PowerShell-based backdoor ,called POWERSTATS v3. The spear-phishing email that contains a document embedded with a malicious macro drops a VBE file encoded with Microsoft Script Encoder. The VBE file, which holds a base64-encoded block of data containing obfuscated PowerShell script, will then execute. This block of data will be decoded and saved to the %PUBLIC% directory, under various names ending with image file extensions such as .jpeg and .png.
The cyber security experts: how the malware attacks work
POWERSTATS PowerShell code use custom string obfuscation and useless code blocks to make it difficult to analyze. According to the cyber security experts, the final backdoor code is revealed after the deobfuscation of all strings and removal of all unnecessary code. But first, the backdoor will acquire the operating system (OS) information and save the result to a log file. This file will be uploaded to the command and control (C&C) server. Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server. If such a file is found, it will be downloaded and executed using the Powershell.exe process. MuddyWater can launch also a second stage attack, by commands sent to a specific victim in an asynchronous way.