SeedWorm Uses New Anti-Detection Techniques in BlackWater Camapign

Delaware, USA – May 23, 2019 – The Infamous SeedWorm hacking group (also known as MuddyWater APT) expanded their Tactics, Techniques, and Procedures and started using new methods to collect data on infected systems bypassing security solutions. The APT group operates primarily in the Middle East, but recently they also targeted organizations in Europe and North America, as well as government and military companies in Asia. Researchers at Cisco Talos analyzed the recent BlackWater cyber espionage campaign and found changes in hacker actions. Adversaries leveraged an obfuscated Visual Basic for Applications macro script to ensure persistence of the malware by adding a Run registry key. The macro was delivered via phishing emails and was password protected, which prevented it from being analyzed by antivirus solutions before the user entered the password. Since February, in addition to the dropper, a malicious attachment contained a set of PowerShell commands, which collected system data and additionally ensured the persistence of malware on the system. They also used a PowerShell stager script that downloads a PowerShell-based trojan the command-and-control server with the components based on the FruityC2 framework. This trojan collects and sends data to the attackers’ server as part of the data in the URL field complicating the detection, as data is not saved before being sent. Also, this data collection method allows attackers to detect any researchers’ request to their C&C infrastructure.

In recent months, the actions of the SeedWorm group have become much more stealthy. To make their well-known tools undetectable for security solutions, they replace variable names to avoid Yara rules and host-based signatures. You can explore the other TTPs of the group and find the rules for your security solutions to detect their malicious activity in the MITRE ATT&CK section of Threat Detection Marketplace: