
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/334816612

MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis

Article in Bilişim Teknolojileri Dergisi · July 2019
DOI: 10.17671/gazibtd.512800

Authors: Mevlut Serkan Tok (Gazi University), Baris Celiktas (Istanbul Technical University)

All content following this page was uploaded by Mevlut Serkan Tok on 01 August 2019.

The user has requested enhancement of the downloaded file.


BİLİŞİM TEKNOLOJİLERİ DERGİSİ, CİLT: 12, SAYI: 3, TEMMUZ 2019 253

MuddyWater APT Group and A Methodology Proposal for Macro Malware Analysis

Araştırma Makalesi/Research Article

Mevlut Serkan TOK (1), Baris CELİKTAS (2)*

(1) Cyber Security Department, Institute of Computer Engineering, TOBB ETU, Ankara, Turkey
(2) Cyber Security Engineering and Cryptography, Institute of Informatics, ITU, Istanbul, Turkey
[email protected], [email protected]

(Geliş/Received: 14.01.2019; Kabul/Accepted: 25.07.2019)
DOI: 10.17671/gazibtd.512800

Abstract— Macros consist of instructions and commands that are mainly used to automate tasks, embed functionality and customize Microsoft Office documents. However, since their introduction they have also been exploited by malicious actors to create malware. Recently, Advanced Persistent Threat (APT) groups have commonly used macros as attack vectors as well. Since 2017, governmental institutions and strategically important oil, telecommunication and energy companies in Middle Eastern countries have been targeted by an APT group probably affiliated with Iran; analysts named the group MuddyWater because of the techniques it uses to cover its tracks. The group has generally conducted its attacks via macro malware. In this work, we aim to raise awareness of the MuddyWater APT group and to provide a detailed methodology for analyzing macro malware. The attribution, strategy, attack vectors and infection chain of the MuddyWater APT group are explained. In addition, a malicious document targeting Turkey and Qatar, first detected on 27 November 2018, is analyzed, and findings and proposals are presented for cybersecurity professionals.

Keywords— Macro Malware, MuddyWater, Advanced Persistent Threat, Malware Analysis, Digital Forensics

MuddyWater APT Group and a Proposal for a Macro Malware Analysis Methodology

Özet (Abstract)— Macros, which enable the customization of Microsoft Office documents and the automation of frequently used tasks, have long been used by malicious actors to produce malware. In recent years, advanced persistent threat groups are also known to have used macro malware in their attack vectors. The group that has, since 2017, targeted the public institutions of Middle Eastern countries and companies operating in strategic fields such as energy, telecommunications and oil, which analysts named MuddyWater because of its tendency to conceal itself and which has been linked to Iran, also uses macro malware and continues its operations in the countries of the region, including Turkey. The main aim of this study is to raise awareness of the MuddyWater advanced persistent threat group and to present a sample macro malware analysis methodology. In this context, the information obtained on the characteristics, operational strategy, attack vectors and infection chain of the MuddyWater group is shared; in addition, a detailed analysis of a malicious document first detected by experts on 27 November 2018 and assessed to target Turkey and Qatar is carried out, and findings and recommendations are presented.

Anahtar Kelimeler (Keywords)— Macro Malware, MuddyWater, Advanced Persistent Threat, Malware Analysis, Digital Forensics
1. INTRODUCTION

Today, economic damage and the leakage of mission-critical data caused by APT attacks are a serious social problem [1]. These attacks can affect the world at large, and because they rely on sophisticated techniques such as zero-day exploits [2], we often learn of them only when they reach the level of damaging critical infrastructure.

A macro is a series of commands and instructions based on Visual Basic for Applications. Macros were introduced with Microsoft Excel 5.0 in 1993 to automate tasks in Microsoft Office applications, which provide so-called script engines to create and run them [3]. Macros can be used to embed various kinds of functionality within documents, such as accessing the command line or embedding pop-up calendars [4].

However, the same commands and instruction sets can also be used to embed malicious functionality within documents [5]. The first and most distinctive instance was the Melissa virus, detected in March 1999 [6]. In the second quarter of 2017 there were about 1,250,000 macro malware samples in total in the cyber ecosystem, and about 1,600,000 macro malware samples were detected in the second quarter of 2018 [7].

Macro malware is also used by APT groups, and the most notorious recent example is the MuddyWater APT group, first detected in September 2017 [8]. Since then, the group has targeted governmental institutions, NGOs, and oil and energy companies in Middle Eastern countries. Turkey has been targeted concurrently as well.

With this motivation, we studied the MuddyWater APT group and analyzed a malicious document sample targeting Turkey and Qatar that was detected on 27 November 2018.

The basic contributions of this work to the literature are as follows. We present a review of the MuddyWater APT group's activities, and we provide a detailed methodology for macro malware analysis by analyzing a sample malicious document step by step.

The rest of the work is organized as follows. Section II defines the MuddyWater APT group and provides an overview of its activities. Section III presents the analysis of the recently obtained malicious document. Section IV discusses the limitations, and Section V concludes with future directions and recommendations.

2. MUDDYWATER APT GROUP

The MuddyWater APT group was an active threat actor in 2017. The group targeted victims in the Middle East using in-memory vectors that leverage PowerShell. Because the attacks did not require the creation of new binaries, a low detection profile and a small forensic footprint were retained [8].

2.1. Detection

The first public report regarding the group was published on 18 September 2017. The first public technical analysis was published on 26 September 2017 by Malwarebytes, and the target of the attack was announced to be Saudi Arabia [9]. Some malicious documents detected in the ecosystem date to February 2017, seven months before the first public report [10].

2.2. Naming

Because of the group's efforts to hide and cover its tracks, the alias "MuddyWater" was given to it on 14 November 2017 by Palo Alto analysts, and the name has been used to describe the group since then [10]. The alias "TEMP.Zagros" has also been used to describe the group, after a file with the same name was found [11].

2.3. Affiliation

During the analysis conducted by Reaqta specialists, an IP address located in Tehran was detected; it was a real IP address, not a proxy or a victim used to conceal the real address. This evidence was evaluated as a mistake by one of the group's operators [8]. Considering the targeted countries, the identities of the victims, the efforts to gather information and upload it to Command and Control (C&C) servers [12], the efforts to cover tracks, and the detected Tehran IP address, the group's attacks appear to have the specific characteristics of APTs [13], and the main purpose of the group is cyber espionage rather than cybercrime. Thus, it can reasonably be concluded that the group is affiliated with Iran and controlled by the state.

2.4. Targets

Attacks in 2017 targeted Georgia, India, Iraq, Israel, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates, and the USA. In 2018, Turkey, Pakistan, and Tajikistan were the main targets [12]. Government institutions, telecommunication companies, oil companies and energy companies were targeted [8], but no clear information about which institutions and companies were hit could be obtained during the research.

2.5. Attack Vectors

MuddyWater has generally used malicious Word documents and spear-phishing emails to infect its targets, as the Duqu and Red October APT groups did before [14]. MuddyWater attacks are characterized by a slowly evolving PowerShell-based first-stage backdoor, "POWERSTATS" [15]. The attacks have continued with only incremental changes in the tools and techniques used. The delivery methods of the malicious scripts vary, such as downloading from a remote compromised site or embedding in macro code [10].

The group has used decoy documents to impersonate government organizations, as shown in Figure 1. Each document is written in the language of the targeted country. Most of the documents also include government emblems and legitimate signatures [16]; thus, original documents obtained earlier may have been used during the attacks.

Figure 1. Decoy Documents

Malicious documents have been attached to tailor-made, victim-specific spear-phishing emails designed to appear legitimate in order to gain the trust of the victims, and these emails have been sent only to specific victims in the targeted organizations (see Figure 2) [17].

Figure 2. Spear Phishing Email

To avoid detection, malware writers commonly implement obfuscation methods, and the MuddyWater group has obfuscated its malicious code as well. Base64 encoding, character replacement, string reversing, XOR encoding, PowerShell environment variables, parameter binding methods, and Daniel Bohannon's Invoke-Obfuscation methods have been detected during analysis [8], [17].

2.6. Infection Chain

The documents used appear blurred to the victims, who are forced to enable macros to make the documents readable. After macros are enabled, malicious code, mostly based on Visual Basic, is executed and the infection mechanism is triggered [12].

In many cases, after triggering, a TCP connection is established to a remote server and malicious PowerShell files are downloaded to the victim's computer for post-exploitation [18]. Malicious code for post-exploitation has hardly ever been embedded in the macros themselves [19].

Some of the backdoors created support rebooting, shutdown, wiping drives, encrypting, and stealing information on the victim's computer. The communication between the victim and the C&C servers has been encrypted [17].

2.7. Infrastructure

The group has exploited several websites with vulnerabilities such as unpatched software versions and has used these websites as proxy servers. The group's operators have never communicated directly with victims or proxy servers; instead, they have only interacted with the C&C servers. Victims have communicated directly with randomly chosen proxy servers, as shown in Figure 3 [8].

Figure 3. The Communication Infrastructure of MuddyWater APT Group

2.8. MuddyWater Documents Targeting Turkey

Fifteen malicious documents affiliated with the MuddyWater APT group have targeted Turkey up to now [16]. Details of these documents are shown in Table 1.

Table 1. The Group's Malicious Documents

Date | Name | MD5
18.01.2018 | 2015 Yılı Ar-Ge Faaliyetleri Anketi Sonuçları.doc | 781bbdb421a473206fc37919f28a27db
18.01.2018 | ngn.tr.doc | faa4469d5cd90623312c86d651f2d930
28.01.2018 | KEGM-CyberAttack.doc | e87ea47e91540700b31082515d2dc802
28.02.2018 | MIT.doc | ffb8ea0347a3af3dd2ab1b4e5a1be18a
03.03.2018 | IL-1801.doc | cc019683021a4ff05e84860b62676dc1
05.03.2018 | güvenlikyönergesi.doc | ff46053ad16728062c6e7235bc7e8deb
05.03.2018 | Türkiye Cumhuriyeti Kimlik Kartı.doc | f84914c30ae4e6b9b1f23d5c01e001ed
05.03.2018 | Invest in Turkey…doc | b8939fa58fad8aa1ec271f6dae0b7255
04.05.2018 | Uyuşturucu kaçakçılığı.doc | f2b5373f32a4b9b3d34701ff973ba69c
15.05.2018 | Gizli koşullar.doc | f00fd318bf58586c29ab970132d1fd2a
15.05.2018 | yönerge.doc | 3c2a0d6d0ecf06f1be9ad411d06f7ba8
15.05.2018 | Early election.doc | aa564e207926d06b8a59ba50ca2c543d
21.05.2018 | önemli rapor.doc | eb69fb45feb97af81c2f306564acc2da
10.07.2018 | Şikayetler ve eleştiriler.doc | 5a42a712e3b3cfa1db32d9e3d832f8f1
16.07.2018 | Onemli Rapor.doc | 0bf52163f51e0fd59bc0676126ecaffe

3. THE ANALYSIS OF A RECENT MALICIOUS DOCUMENT

3.1. Review

The first submission date of the sample malicious document on VirusTotal is 27 November 2018. The first public report was published on 29 November 2018 [20]. The original name of the document is "‫ستمارة‬.doc", but we renamed it "form.doc" to ease coding (the MD5 and SHA hash digests were not changed by renaming).

According to analysts, the attack, which targeted Turkey and Qatar, had the common characteristics of advanced persistent threats: no malicious binary was written to disk, and the attack was conducted with legitimate applications [21].

The document consists of a submission form for attending "The Second Conference of the Association of Parliamentarians for Al Quds", which indeed took place in Istanbul on 14-15 December 2018. The document forces the reader to enable macros (see Figure 4), as previous MuddyWater documents did. It includes the emblems of legitimate organizations, as shown in Figure 5, and the contact phone numbers and emails are also legitimate, which we confirmed by checking the website of the Association of Parliamentarians for Al-Quds.

Figure 4. The Screenshot before Enabling Macros

Figure 5. The Screenshot after Enabling Macros

We strongly emphasize that there is no clear evidence to attribute the document to MuddyWater, although there are many similarities. There is no doubt, however, that the methodology used to analyze the document will be a major contribution to further studies of macro malware analysis.

3.2. Malware Analysis Methodology Design

To improve efficiency, live forensic analysis methods were employed [22]. All tests were conducted on Microsoft Office 2017 installed on a Windows 7 x64 virtual machine. The local IP address was set to 192.168.1.24. Audit object access was enabled in group policy, and the necessary audit permissions were given to the user account in order to obtain useful security logs. Snapshots were taken to provide secure baselines for repeated analysis. No commercial tool except Microsoft Office 2017 and VMware Workstation Professional was used during the analysis, so as to give researchers insight into open-source tools.

A holistic approach was taken to conduct a detailed analysis, but only verified processes are explained [23], [24], [25]. The order of the analysis steps is given below.

i. The metadata was obtained with ExifTool.
ii. The malicious macro code was extracted with OfficeMalScanner.
iii. The malicious macro code was de-obfuscated with a PowerShell script we created.
iv. The malicious document was executed, and macros were enabled.
v. The network activity of processes was detected with Sysinternals TCPView. Packet traffic was captured with Wireshark, and then the packets were analyzed.
vi. The process tree and mutexes were obtained with Sysinternals procexp.
vii. The malicious script file downloaded from the C&C server was analyzed.
viii. The files dropped by the malicious script were checked in the Temp folder.
ix. Registry snapshots were taken with Sysinternals Regshot x64 Unicode before and after the infection.
x. The pieces of evidence found were cross-checked with the Windows security event logs using Event Explorer to reveal previously unidentified Indicators of Compromise (IOCs). In particular, the events with IDs 4702, 4660 and 4663 were considered.
xi. The document and the malicious script were uploaded to VirusTotal and the results were discussed.

3.3. Metadata

The metadata of the malicious document was obtained via ExifTool, as shown in Figure 6. There is a contradiction between the "Last Printed" and "File Create Date" values (Table 2). This situation occurs when a document is printed and then saved as a new document: unless the new document is reprinted, it keeps the previous template's "Last Printed" timestamp. In addition, there are tools to remove or edit the metadata of Microsoft Word documents, such as MetaClean.

Figure 6. The Metadata Obtained from ExifTool

Table 2. The Metadata of the Malicious Document

File Create Date | 2018:11:21 15:18:00
File Modify Date | 2018:11:22 12:25:00
Last Printed | 2018:10:19 17:14:00
Code Page | Windows Arabic
Last Modified By | Mohamed Bennabszllah
Author | Parliament Quds
File Type | DOC
Software | Microsoft Office Word

3.4. Analysis before Enabling Macros

To detect whether any scripts were attached to the document, it was scanned with OfficeMalScanner, and the Visual Basic macro code was found as shown in Figure 7.

Figure 7. Scanning the Document with OfficeMalScanner

The extracted macro code was evaluated in detail. As obfuscation methods are commonly used in malicious macros [26], several such methods were detected in this document's macro code as well, as shown in Figure 8.

Figure 8. The Macro Code Attached to the Document

First, the command line (cmd) is invoked with parameters. Then cmd invokes PowerShell with further parameters, and some expressions are echoed to bypass antivirus filters and command-line monitoring.

Deflate compression and Base64 encoding were detected, and a script was created to decode the expression "BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/". After decoding the obfuscated expression, code that downloads a string from a remote server was found, as shown in Figure 9.

Figure 9. The Screenshot of the De-Obfuscation Process

In addition, randomized letter case, used to bypass simple filters, and parameter binding methods were detected in the macro code. Since PowerShell completes abbreviated parameter names, malware writers often write parameters as truncated expressions. The truncated and the complete parameters are given below, respectively.

pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden
powershell -noexit -nologo -noprofile -noninteractive -executionpolicy bypass -windowstyle hidden

-NoExit: Don't exit after running startup commands.
-NoLogo: Hide the copyright banner at startup.
-NoProfile: Don't load the PowerShell profile.
-NonInteractive: Don't present an interactive prompt to the user.
-ExecutionPolicy Bypass: Bypass the execution policies.
-WindowStyle Hidden: Hide the session's window.
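The static steps described in 3.3 and 3.4 (reviewing the ExifTool timestamps, normalizing the case-randomized and truncated PowerShell switches, and unwrapping the Base64 + Deflate expression) can be scripted. The following Python is an added example written for this page; it is not the authors' PowerShell de-obfuscation script from step iii. The switch list is the subset of powershell.exe parameters relevant here, the shorthand table (-e, -ec, -ep, -w, -c, -f) is our assumption about the minimal abbreviations PowerShell accepts beyond plain prefix matching, and the compressed payload is a constructed harmless command with a placeholder host, not the macro's real expression.

```python
import base64
import re
import zlib
from datetime import datetime

# --- Step i: metadata review -------------------------------------------------
# Constructed sample in ExifTool's default "Tag Name : value" layout, using
# the values the paper reports in Table 2.
SAMPLE_METADATA = """\
File Create Date : 2018:11:21 15:18:00
File Modify Date : 2018:11:22 12:25:00
Last Printed     : 2018:10:19 17:14:00
Author           : Parliament Quds
"""

def parse_exiftool(text):
    """Parse ExifTool output into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def exif_time(value):
    """ExifTool timestamps look like 'YYYY:mm:dd HH:MM:SS'; None if unparsable."""
    try:
        return datetime.strptime(value or "", "%Y:%m:%d %H:%M:%S")
    except ValueError:
        return None

def timestamp_anomalies(fields):
    """Flag the inconsistency the paper describes: a 'Last Printed' (or modify)
    time earlier than the creation time means the file was saved from an older
    template or its metadata was edited."""
    created = exif_time(fields.get("File Create Date"))
    findings = []
    for tag in ("Last Printed", "File Modify Date"):
        stamp = exif_time(fields.get(tag))
        if created and stamp and stamp < created:
            findings.append("%s predates File Create Date" % tag)
    return findings

# --- Steps ii/iii: normalizing the PowerShell command line -------------------
# Canonical powershell.exe switches relevant here; PowerShell accepts any
# unambiguous prefix, which is what the macro's truncated switches rely on.
PS_PARAMETERS = ["noexit", "nologo", "noprofile", "noninteractive",
                 "executionpolicy", "windowstyle", "encodedcommand",
                 "command", "file"]
# Shortest forms PowerShell special-cases (assumed from its documented usage).
PS_SHORTHANDS = {"e": "encodedcommand", "ec": "encodedcommand",
                 "ep": "executionpolicy", "w": "windowstyle",
                 "c": "command", "f": "file"}

def expand_parameter(token):
    """'-NoeX' -> '-noexit'; unknown or ambiguous switches are only lower-cased."""
    name = token.lstrip("-").lower()
    if name in PS_SHORTHANDS:
        return "-" + PS_SHORTHANDS[name]
    matches = [p for p in PS_PARAMETERS if p.startswith(name)]
    return "-" + (matches[0] if len(matches) == 1 else name)

def normalize_powershell_cmdline(cmdline):
    """Undo case randomization and switch abbreviation so that simple string
    matching (or a SIEM rule) sees one canonical command line."""
    out = []
    for tok in cmdline.split():
        if tok.lower().startswith("powershell"):
            out.append("powershell")
        elif tok.startswith("-"):
            out.append(expand_parameter(tok))
        else:
            out.append(tok.lower())
    return " ".join(out)

# --- Step iii: unwrapping Base64 + Deflate -----------------------------------
def decode_b64_deflate(expression):
    """Reverse the wrapping seen in the macro: Base64 text carrying a raw
    Deflate stream (what .NET's DeflateStream produces; wbits=-15 selects
    raw Deflate with no zlib header)."""
    raw = base64.b64decode(expression)
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

def encode_b64_deflate(text):
    """Inverse of decode_b64_deflate; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?", re.IGNORECASE)

def extract_urls(script_text):
    """Pull download locations out of decoded script text (the IOC the paper
    found after decoding its expression)."""
    return URL_RE.findall(script_text)

# Constructed inner command with a placeholder host, wrapped like the macro's expression.
SAMPLE_INNER = "Invoke-WebRequest -Uri 'http://c2.example.invalid/api/sample'"
SAMPLE_EXPRESSION = encode_b64_deflate(SAMPLE_INNER)

if __name__ == "__main__":
    print(timestamp_anomalies(parse_exiftool(SAMPLE_METADATA)))
    print(normalize_powershell_cmdline(
        "pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden"))
    print(extract_urls(decode_b64_deflate(SAMPLE_EXPRESSION)))
```

Normalizing before matching matters because the truncated, mixed-case form above and the complete form are the same command to PowerShell; a detection that compares raw command lines sees two different strings, while the canonical form produced here is identical for both.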

The URL and its IP address were detected as hxxp://microsoftdata.linkpc.net/api/cscript and 18.221.254.112, respectively. The malicious script was also detected on that website, as shown in Figure 10. Some other indicators of compromise (IOCs) and functions were detected in this script ("cscript").

Figure 10. The Script Detected on the Malicious Website

3.5. Analysis after Enabling Macros

After the pre-enabling analysis was completed and the IOCs detected were noted down, the registry hive was saved with Regshot, Process Explorer was started, and TCPView and Wireshark were activated. Then macros were enabled in Microsoft Word, and the document became readable as expected.

3.5.1. Process Tree and Network Connection

Upon enabling macros, WINWORD.exe started a cmd.exe child process (PID 1188). Cmd.exe started a powershell.exe child process (PID 688), and another powershell.exe child process (PID 3020) was created as well (see Figure 11). The powershell.exe process (PID 688) established a TCP connection to the IP address 18.221.254.112, as expected (see Figure 12).

Figure 11. The Process Information (obtained from Process Explorer)

Figure 12. TCP Connections (obtained from TCPView)

The first packets captured in Wireshark were DNS queries, as expected (see Figure 13). The HTTP GET request was sent from the victim to the website, and then the download of the malicious script (cscript) was started, as shown in Figure 14.

Figure 13. DNS Packets Sent by the Victim to Get the IP Address of the C&C Server (provided by Wireshark)

Figure 14. The Communication Between the Victim and the C&C Server

3.5.2. Registry Comparison: Before and After Enabling Macros

Eight keys were added to the registry after enabling macros, and a scheduled task record named "rYF1pgeADA" was detected, as shown in Figure 15. Creating a scheduled task is a well-known persistence mechanism in malware writing. Thus, this IOC was noted down and an "analyzing scheduled tasks" step was added to the analysis plan.

Figure 15. The Keys Added to the Registry After Enabling Macros (provided by Regshot)

3.6. The Analysis of the Downloaded PowerShell Code

The downloaded "cscript" has many malicious functions. Its main activities can be summarized as keylogging; stealing cookies, sessions and logins from Chrome, Mozilla and Opera; and sending the collected data to the C&C server. In addition, the script creates a scheduled task using the squiblydoo technique to obtain persistence, and it creates a global mutex to prevent multiple executions. To communicate with the browsers' local databases, the script also downloads SQLite.dll files to the victim's computer.
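The parent/child chain reported in 3.5.1 (WINWORD.exe starting cmd.exe, which starts powershell.exe, which starts a second powershell.exe) is exactly what a detection for Office-spawned shells looks for, and it is what Process Explorer shows in Figure 11. The script below is an added example, not code from the paper: it rebuilds the process tree from (PID, PPID, image) records, here a constructed set that mirrors the PIDs the paper reports (the explorer.exe parent and the PIDs of the ignored csc.exe and cvtres.exe children are assumed), and reports every shell or script host with an Office application anywhere among its ancestors.

```python
from collections import defaultdict

# Constructed process records (pid, ppid, image) modelled on the tree the
# paper reports in 3.5.1 and 3.7; explorer.exe and the helper PIDs are assumed.
SAMPLE_PROCESSES = [
    (1000, 900, "explorer.exe"),
    (2720, 1000, "WINWORD.EXE"),
    (1188, 2720, "cmd.exe"),
    (688, 1188, "powershell.exe"),
    (3020, 688, "powershell.exe"),
    (3100, 688, "csc.exe"),
    (3120, 3100, "cvtres.exe"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}

def build_tree(records):
    """Index records by PID and group children by parent PID."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in records}
    children = defaultdict(list)
    for pid, ppid, _ in records:
        children[ppid].append(pid)
    return by_pid, children

def ancestry(pid, by_pid):
    """Images from pid up to the highest known ancestor (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain

def office_spawned_shells(records):
    """Return (pid, image, chain) for every shell/script host whose ancestry
    contains an Office application, regardless of depth."""
    by_pid, _ = build_tree(records)
    hits = []
    for pid, _, image in records:
        if image.lower() not in SHELL_IMAGES:
            continue
        chain = ancestry(pid, by_pid)
        if any(img.lower() in OFFICE_IMAGES for img in chain[1:]):
            hits.append((pid, image, " <- ".join(chain)))
    return hits

def render_tree(records, root_pid, depth=0):
    """Indented text rendering of the subtree under root_pid."""
    by_pid, children = build_tree(records)
    lines = ["  " * depth + "%s (%d)" % (by_pid[root_pid][1], root_pid)]
    for child in children.get(root_pid, []):
        lines.extend(render_tree(records, child, depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCESSES, 2720)))
    for pid, image, chain in office_spawned_shells(SAMPLE_PROCESSES):
        print("ALERT office->shell: %s (%d): %s" % (image, pid, chain))
```

Walking the full ancestry rather than checking only the direct parent is what catches the second powershell.exe (PID 3020): its parent is another PowerShell, and only two levels up does WINWORD.EXE appear. The same records can come from Process Explorer, Sysmon event ID 1, or a memory image's process list.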
3.6.1. Keylogging

The keylogging function is based on the Windows API function GetAsyncKeyState (see Figure 16). This type of keylogger is easy to create, since various examples are available on the internet.

Figure 16. The Keylogger Script Embedded into the Downloaded Malicious Script

Cscript creates a file named rYF1pgeADA.log in the path C:\Users\[username]\AppData\Local\Temp\ and records activities and the keys pressed (see Figure 17).

Figure 17. Recorded Logs of the Keylogger

The script encodes the log file and sends it to the URL "hxxp://microsoftdata.linkpc.net/api/logger/submit", as shown in Figure 18. The encoding method is defined in the URL POST function, as shown in Figure 19. All communication between the victim and the C&C server is encoded with the same function to prevent sniffing.

Figure 18. The Script for Sending Encoded Keylogger Records to the C&C Server

Figure 19. The Script for Encoding Communication Between the Victim and the C&C Server

3.6.2. Stealing Cookies, Sessions, and Logins

Cscript is capable of stealing cookies, sessions and login information from the Chrome, Mozilla and Opera browsers (see Figure 20). It collects and records the data; before posting it to the C&C server, it encodes the data and sends it to specific URLs, as shown in Figure 21.

Figure 20. The Script for Stealing Cookies of the Google Chrome Web Browser

Figure 21. The Encoded Data Sent to the C&C Server

3.6.3. Creating a Mutex

The script creates a global mutex named "rYF1pgeADA" to prevent multiple executions. The name of the mutex was also noted down as an IOC. In Windows, mutexes are called "mutants", and the mutants created can easily be detected with Sysinternals Process Explorer, as shown in Figure 22.

Figure 22. Global Mutex Created After Infection (obtained from procexp)

3.6.4. Creating a Scheduled Task

To obtain persistence, "cscript" uses the Task Scheduler COM API to create a scheduled task named "rYF1pgeADA" (see Figure 23). The details of the persistence mechanism are presented in Section 3.8.

Figure 23. The Script for Creating the Scheduled Task
260 BİLİŞİM TEKNOLOJİLERİ DERGİSİ, CİLT: 12, SAYI: 3, TEMMUZ 2019

3.7. Behavioral Tree of Malware 3.8. Persistence Mechanism

After double-clicking on the document, PID 2720 In order to enable the persistence, cscript created a
WINWORD.exe was activated. Upon enabling macros, scheduled task named “rYF1pgeADA”. Daily on 8:24
child process PID 1188 cmd.exe was activated and it pm, rYF1pgeADA.xml file (includes malicious scripts
started PID 688 child process powershell.exe with same as cscript as shown in Figure 25) was executed by
parameters (see Figure 24). This process established the regsrv.32 (see Figure 26). This method is called
connection to 18.221.254.112 IP address and downloaded squiblydoo attack and was used in campaigns targeting
and executed malicious “cscript” and by doing so, this governments before [28].
process read cookies, loaded Task Scheduler COM API,
and dropped SQLite.dlls created .xml and .log files as
shown in Table 3.

Figure 25. The XML File Used in the Persistence


Mechanism
Figure 24. The Action of Processes

Dropping files to TEMP folders is a prevalent method


since TEMP folders have read and write access for the
currently logged-in user, solving any file system
permission errors. In addition, in the case of a malware
installation failure, the operating system removes any Figure 26. Scheduled Task Created After Infection
traces of the files in TEMP folders and prevents a
corrupted version of malware being collected by analysts
Since the malicious script is run by the legitimate
[27].
Microsoft binary, this method provides elusion from the
many of detection and blocking mechanism inherent to
Powershell.exe (PID 688) process also sent the data to whitelisting solutions [28], including group policy
18.221.254.112 IP address. All network communication management based on AppLocker [29].
was established and conducted by this process. It also
initiated child process powershell.exe (PID 3020) and this
3.9. Infection Chain
process modified some files in the AppData\Roaming
path and made some changes in registry hive. Some other
legal child processes (csc.exe, cvtres.exe, splwow64.exe) After the analysis, we accomplished to reveal the
were ignored as no direct contribution to malicious infection chain of this macro malware document as shown
activities was detected. in Figure 27.

Table 3. Files Detected on Disc after Infection

File Path and Name Type


C:\Users\[username]\AppData\Local\Temp .dll
\lib_x64\System.Data.SQLite.dll
C:\Users\[username]\AppData\Local\Temp .dll
\lib_x64\System.Data.SQLite.Interop.dll
Figure 27. The Infection Chain of Macro Malware
C:\Users\[username]\AppData\Local\Temp sqlite
\201812041014 (Filename is created with
timestamp of system) Firstly, the document arrives at a victim as the attachment
C:\Users\[username]\AppData\Local\Temp xml of an email. The victim tries to open the document. After
\rYF1pgeADA.xml enabling macros, the visual basic script is executed, and it
C:\Users\[username]\AppData\Local\Temp log invokes PowerShell script. A connection is established to
\rYF1pgeADA.log C&C server by this script and a multi-functioned
malicious PowerShell script is downloaded to victim’s
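Section 3.8 describes the persistence step: a daily task named rYF1pgeADA whose action is regsvr32 executing a scriptlet from the Temp folder (squiblydoo). A Task Scheduler export is plain XML in the schemas.microsoft.com/windows/2004/02/mit/task namespace, so the "analyzing scheduled tasks" step added to the plan in 3.5.2 can be scripted against exported task definitions. The following Python is an added example, not the authors' code: the two task documents are constructed samples, one shaped like the task the paper describes (the path, date and user name are illustrative) and one benign for comparison, and the rule list is ours.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed Task Scheduler export modelled on the task described in 3.8:
# a daily trigger at 20:24 and regsvr32 loading a scriptlet from Temp.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\rYF1pgeADA</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-12-04T20:24:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s /n /u /i:C:\\Users\\victim\\AppData\\Local\\Temp\\rYF1pgeADA.xml scrobj.dll</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task (weekly defrag) to show the rules staying quiet.
BENIGN_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-12-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>
"""

# Each rule is (label, predicate over the lower-cased "command arguments" string).
SUSPICIOUS_ACTION_RULES = [
    ("regsvr32 executing a scriptlet (squiblydoo)",
     lambda c: "regsvr32" in c and "scrobj.dll" in c and "/i:" in c),
    ("action references a file under the user's Temp folder",
     lambda c: "\\appdata\\local\\temp\\" in c),
    ("powershell with hidden window, bypassed policy or encoded command",
     lambda c: "powershell" in c and any(k in c for k in ("hidden", "bypass", "-enc", "-e "))),
]

def parse_task(xml_text):
    """Extract the registration URI, Exec actions and calendar triggers."""
    root = ET.fromstring(xml_text)
    uri = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or "").strip()
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((command, arguments))
    triggers = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", TASK_NS):
        triggers.append({
            "start": (trig.findtext("t:StartBoundary", default="", namespaces=TASK_NS) or "").strip(),
            "daily": trig.find("t:ScheduleByDay", TASK_NS) is not None,
        })
    return {"uri": uri, "actions": actions, "triggers": triggers}

def triage_task(xml_text):
    """Parse a task export and return (task, [labels of the rules that fired])."""
    task = parse_task(xml_text)
    findings = []
    for command, arguments in task["actions"]:
        cmdline = (command + " " + arguments).lower()
        findings += [label for label, rule in SUSPICIOUS_ACTION_RULES if rule(cmdline)]
    return task, findings

if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        task, findings = triage_task(xml_text)
        print(name, task["uri"], task["triggers"], findings or "no findings")
```

Rather than matching the task name, which is random per infection, the rules look at what the action runs; a task whose action is a signed Microsoft binary loading a scriptlet from a user-writable path is the condition that AppLocker-style whitelisting, as the paper notes, does not catch on its own.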
3.10. Indicators of Compromise

All IOCs revealed during the analysis are presented in Table 4.

Table 4. Revealed IOCs

File Name | ‫إستمارة‬.doc (iistmar -> Form)
MD5 | bba017e5c34c1de3ef0fb0d93195da70
File Name | cscript
MD5 | 3ab1d57658af32f2322600f1750d0231
URL | hxxp://microsoftdata.linkpc.net/assesst/sqlite
URL | hxxp://microsoftdata.linkpc.net/api/cscript
URL | hxxp://microsoftdata.linkpc.net/api/pscript
URL | hxxp://microsoftdata.linkpc.net/api/logger/submit
URL | hxxp://microsoftdata.linkpc.net/api/opera/submit
URL | hxxp://microsoftdata.linkpc.net/api/chrome/submit
URL | hxxp://microsoftdata.linkpc.net/api/firefox/submit
IPv4 | 18.221.254.112
Mutex | Global\rYF1pgeADA
Scheduled Task Name | rYF1pgeADA

3.11. VirusTotal Scanning Results

We last uploaded the IOCs to VirusTotal on 27 December 2018, a month after the first detection. Although a month had passed, many antivirus solutions still did not recognize the "‫إستمارة‬.doc" file as malicious (see Figure 28). Similarly, they recognized the "cscript" file as clean (see Figure 29).

Figure 28. The Screenshot of the "‫ستمارة‬.doc" File Scanned on VirusTotal

Figure 29. The Screenshot of the "cscript" File Scanned on VirusTotal

5. LIMITATIONS

Regarding the MuddyWater APT group, several technical reports were studied and various results were analyzed during the research, but no comprehensive analysis methodology or effort to share know-how was found. In addition, no tangible information was obtained regarding infection or targeting statistics.

We examined the threat announcements published on the TRCERT website. Only one threat (TR-14-001), announced on 14 July 2014, concerned macro malware [30]. As for Turkish publications, only one report was found, but that report was clear and detailed [16].

There are various paid tools and solutions for analyzing malicious documents that automate the analysis steps to improve efficiency and speed. Open-source tools were deliberately used here, not only to accommodate low budgets but also to give researchers insight into these free tools and encourage them to take advantage of them.

Live forensics methods made our analysis practical and efficient because we carried out the tests on a virtual machine, but in real-world scenarios the order of volatility must be considered. Some initial data may be collected on a live machine, but bitwise images of the disk and memory must be acquired [31]; these images are called "best evidence", and further analysis must be conducted on them.

Considering the published reports regarding the "Parliamentarians for Al-Quds" case, all of the IOCs were identified during our analysis. Thus, it can be concluded that our methodology is effective and concise. However, we strongly recall that even though the basic principles never change, each piece of malware is unique, and every analysis must be done in its own way.
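Table 4 lists the indicators in defanged form (hxxp), which is how they are shared but not how they appear in DNS, proxy or firewall logs. The script below is an added example, not part of the paper: it refangs the Table 4 indicators, builds a matcher for hostnames, URL paths, the C&C IPv4 address and the two MD5 values, and runs it over a handful of constructed log lines (the log format, timestamps and the near-miss address 118.221.254.112 are invented for the demonstration).

```python
import re

# IOCs exactly as Table 4 publishes them (defanged with hxxp).
PAGE_IOCS = {
    "urls": [
        "hxxp://microsoftdata.linkpc.net/assesst/sqlite",
        "hxxp://microsoftdata.linkpc.net/api/cscript",
        "hxxp://microsoftdata.linkpc.net/api/pscript",
        "hxxp://microsoftdata.linkpc.net/api/logger/submit",
        "hxxp://microsoftdata.linkpc.net/api/opera/submit",
        "hxxp://microsoftdata.linkpc.net/api/chrome/submit",
        "hxxp://microsoftdata.linkpc.net/api/firefox/submit",
    ],
    "ipv4": ["18.221.254.112"],
    "md5": ["bba017e5c34c1de3ef0fb0d93195da70", "3ab1d57658af32f2322600f1750d0231"],
}

# Constructed log lines (format and times invented). 118.221.254.112 checks
# that the IP rule respects address boundaries instead of substring-matching.
SAMPLE_LOGS = [
    '2018-12-04 10:14:03 DNS 192.168.1.24 query microsoftdata.linkpc.net A',
    '2018-12-04 10:14:04 HTTP 192.168.1.24 -> 18.221.254.112 GET http://microsoftdata.linkpc.net/api/cscript 200',
    '2018-12-04 10:14:09 HTTP 192.168.1.24 -> 18.221.254.112 POST http://microsoftdata.linkpc.net/api/logger/submit 200',
    '2018-12-04 10:15:00 DNS 192.168.1.24 query www.example.com A',
    '2018-12-04 10:15:30 HTTP 192.168.1.24 -> 118.221.254.112 GET http://www.example.com/ 200',
    '2018-12-04 10:16:00 AV scan C:\\Users\\victim\\Downloads\\form.doc md5=BBA017E5C34C1DE3EF0FB0D93195DA70',
]

def refang(indicator):
    """Undo report defanging: hxxp -> http, [.] -> ., stray spaces removed."""
    return "".join(indicator.split()).replace("hxxp", "http").replace("[.]", ".")

def hostname(url):
    """Host part of a (possibly defanged) URL, lower-cased."""
    return re.sub(r"^https?://", "", refang(url)).split("/", 1)[0].lower()

def build_matcher(iocs):
    """Compile the IOC set into a function: line -> sorted list of (kind, value)."""
    hosts = sorted({hostname(u) for u in iocs["urls"]})
    paths = sorted({refang(u).split("://", 1)[1].lower() for u in iocs["urls"]})
    # Lookarounds keep 18.221.254.112 from matching inside 118.221.254.112 or 18.221.254.1120.
    ip_res = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in iocs["ipv4"]]
    hashes = sorted(h.lower() for h in iocs["md5"])

    def match(line):
        low = line.lower()
        hits = [("host", h) for h in hosts if h in low]
        hits += [("url", p) for p in paths if p in low]
        hits += [("ipv4", ip) for ip, rx in ip_res if rx.search(line)]
        hits += [("md5", h) for h in hashes if h in low]
        return sorted(hits)
    return match

def scan_logs(lines, iocs):
    """Return [(line_number, hits)] for every line that touches an IOC."""
    match = build_matcher(iocs)
    return [(i, match(line)) for i, line in enumerate(lines, 1) if match(line)]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS, PAGE_IOCS):
        print("line %d: %s" % (lineno, ", ".join("%s=%s" % h for h in hits)))
```

Matching the hostname separately from the full URL paths is deliberate: a DNS log (line 1 of the sample) never carries a path, and the dynamic-DNS host is the indicator most likely to survive a change of C&C IP address.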

6. CONCLUSION

MuddyWater has been operating for more than a year, and its attack vectors have not changed in that time; it can therefore be concluded that those vectors are still effective. Macro malware is expected to persist and to cause further damage to the cyber ecosystem.

In addition, CERTs have generally avoided reporting detected threats to the public or sharing them with each other. Yet strong coordination and exchange of experience between CERT teams is essential to preventing such attacks, regardless of which institution is targeted. We expect that published attack reports will not aid the repetition of attacks but will instead strengthen the efforts to secure the perimeter against APT groups.

Up-to-date antivirus, firewalls and other endpoint security solutions are well-known measures against such attacks. However, as explained above, there are methods of bypassing group policy and other security controls, so these measures alone are not sufficient. Users also read their business e-mail while out of the office, so hardening the institutional network is not adequate either. All users must be informed about macro malware and the strategies of APT groups.

In summary, this study offers users, software developers and security administrators a better perspective on macro malware and on the key features of MuddyWater. We believe that those working in software development will be able to design APT-based attack detection and prevention tools by examining the content of this study, and that the study will serve as a guide for future academic work, especially on macro malware.

7. ACKNOWLEDGEMENTS

We would like to thank Prof. Dr. Ali Aydın Selçuk for his guidance, feedback and valuable support, and Dr. Süleyman Özkaya for providing insights and malicious document samples.

REFERENCES

[1] J. Choi, C. Choi, H. M. Lynn, P. Kim, "Ontology Based APT Attack Behavior Analysis in Cloud Computing", 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), Krakow, 375-379, 2015.

[2] S. Çelik, B. Çeliktaş, "Güncel Siber Güvenlik Tehditleri: Fidye Yazılımlar" [Current Cyber Security Threats: Ransomware], CyberPolitik Journal, 3(5), 105-132, 2018.

[3] S. Cass, "Anatomy of malice [computer viruses]", IEEE Spectrum, 38(11), 56-60, 2001.

[4] L. Garber, "Melissa Virus Creates a New Type of Threat", Computer, 32(6), 16-19, 1999.

[5] R. Bearden, D. C. Lo, "Automated microsoft office macro malware detection using machine learning", 2017 IEEE International Conference on Big Data (Big Data), 4448-4452, Boston, MA, 11-14 December, 2017.

[6] E. Daoud, I. Jebril, "Computer virus strategies and detection methods", International Journal of Open Problems in Computer Science and Mathematics, 1(2), 2008.

[7] C. Beek et al., McAfee Labs Threats Report, Santa Clara, CA, 2018.

[8] Internet: A dive into MuddyWater APT targeting Middle-East, https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/, 15.12.2019

[9] Internet: Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity, https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/, 29.12.2019

[10] Internet: T. Lancaster, Muddying the Water: Targeted Attacks in the Middle East, https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/, 10.12.2018

[11] Internet: MuddyWater, https://attack.mitre.org/groups/G0069/, 05.12.2018

[12] Internet: J. Horejsi, Campaign Possibly Connected to MuddyWater Surfaces in the Middle East and Central Asia, https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/, 26.12.2018

[13] F. Li, A. Lai, D. Ddl, "Evidence of Advanced Persistent Threat: A case study of malware for political espionage", 2011 6th International Conference on Malicious and Unwanted Software, Fajardo, 102-109, 18-19 October, 2011.

[14] N. Virvilis, D. Gritzalis, T. Apostolopoulos, "Trusted Computing vs. Advanced Persistent Threats: Can a Defender Win This Game?", 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, Vietri sul Mare, 396-403, 18-21 December, 2013.

[15] Internet: MuddyWater: Hackers Target Middle East Nations, https://securereading.com/muddywater-hackers-target-middle-east-nations/, 06.01.2019

[16] H. Güleç, G. Güreşçi, MuddyWater APT Analiz Raporu [MuddyWater APT Analysis Report], Adeo, Ankara, 2018.

[17] Internet: S. Singh et al., Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign, https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html, 05.01.2019

[18] Internet: MuddyWater Infection Chain, https://brica.de/alerts/alert/public/1239693/experts-at-yoroi-cybaze-z-lab-analyzed-muddywater-infection-chain/, 19.12.2018

[19] Internet: Trend Micro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor, https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/, 06.01.2019

[20] Internet: Spear-phishing campaign targeting Qatar and Turkey, https://reaqta.com/2018/12/spear-phishing-targeting-qatar-turkey/, 06.01.2019

[21] Trapmine, Threat Report: Parliament Quds Turkiye ve Katari Hedefleyen Siber Espiyonaj Faaliyeti [Parliament Quds: Cyber Espionage Activity Targeting Turkey and Qatar], 2018.

[22] L. Zhang, D. Zhang, L. Wang, "Live digital forensics in a virtual machine", 2010 International Conference on Computer Application and System Modeling (ICCASM 2010), 4, 328-332, Taiyuan, 22-24 October, 2010.

[23] B. Celiktas, M. S. Tok, N. Unlu, "Man In the Middle (MITM) Attack Detection Tool Design", International Journal of Engineering Sciences & Research Technology, 7(8), 90-100, 2018.

[24] B. Celiktas, N. Unlu, E. Karacuha, "An Anti-Ransomware Tool Design by Using Behavioral and Static Analysis Methods", International Journal of Scientific Research in Computer Science and Engineering, 6(2), 1-9, 2018.

[25] B. Celiktas, "The Ransomware Detection and Prevention Tool Design by Using Signature and Anomaly Based Detection Methods", M.Sc. Thesis, Istanbul Technical University, Informatics Institute, May, 2018.

[26] S. Kim, S. Hong, J. Oh, H. Lee, "Obfuscated VBA Macro Detection Using Machine Learning", 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 490-501, Luxembourg City, 25-28 June, 2018.

[27] Internet: C. Elisan, Why Malware Installers Use Tmp Files and The Temp Folder When Infecting Windows, https://www.rsa.com/en-us/blog/2017-04/why-malware-installers-use-tmp-files-and-the-temp-folder, 27.12.2018

[28] Internet: R. Nolen et al., Threat Advisory: "Squiblydoo" Continues Trend of Attackers Using Native OS Tools to "Live off the Land", https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/, 17.12.2018

[29] Internet: AppLocker Bypass Techniques, https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html, 26.12.2018

[30] Internet: TR-14-001 (E-Posta Üzerinden Yayılan Tehdit "CVE-2012-0158") [Threat Spreading via E-mail "CVE-2012-0158"], https://www.usom.gov.tr/tehdit/8.html, 21.12.2018

[31] A. Şirikçi, N. Cantürk, "Adli Bilişim İncelemelerinde Birebir Kopya Alınmasının (İmaj Almak) Önemi" [The Importance of Taking Bit-for-Bit Copies (Imaging) in Digital Forensic Examinations], Bilişim Teknolojileri Dergisi, 5(3), 29-34, 2012.
