BlackWater Campaign Linked to MuddyWater Cyberspies
A recently discovered campaign shows that the cyber-espionage group MuddyWater has updated tactics, techniques and procedures (TTPs) to evade detection, Talos' security researchers report.
MuddyWater was first detailed in 2017 and has been highly active throughout 2018. The cyber-spies have been focused mainly on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and nearby regions (Azerbaijan, Pakistan and Afghanistan).
The recently observed campaign, which Talos calls BlackWater, aims to install a PowerShell-based backdoor onto the victim's machine, for remote access. Analyzed samples show that, while the actor made changes to bypass security controls, the underlying code was unchanged.
Observed modifications include the use of an obfuscated VBA script to establish persistence as a registry key and trigger a PowerShell stager. The stager would connect to the attacker's server to obtain a component of the open-source FruityC2 agent script to further enumerate the host machine.
The gathered data is then sent to a different command and control (C&C) server, in the URL field, in another attempt to make host-based detection more difficult. Moreover, recent samples show that the actor aimed to replace some variable strings, likely in an attempt to avoid signature-based detection.
MuddyWater-associated samples observed in the February - March timeframe revealed that, after achieving persistence, the actor used PowerShell commands for reconnaissance. The samples also contained the IP address of the C&C server.
These components were found in a Trojanized attachment sent to the victim, which allowed security researchers to easily analyze the attacks by obtaining a copy of the document.
Activity observed in April, however, "would require a multi-step investigative approach," Talos noted. A malicious document used last month and believed to be associated with MuddyWater contained a password-protected and obfuscated macro titled "BlackWater.bas".
The macro contains a PowerShell script that persists in the "Run" registry key and calls the file "SysTextEnc.ini" every 300 seconds. The clear text version of the file, the security researchers say, appears to be a lightweight stager.
The stager would connect to a C&C server at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt, Talos says, closely resembles a PowerShell agent previously used by the group. It only shows small changes, likely made to avoid detection.
PowerShell commands derived from FruityC2 were then used to call Windows Management Instrumentation (WMI) and gather system information such as operating system name, OS architecture, operating system's caption, domain and username, and the machine's public IP address.
The only command that did not call WMI would attempt to obtain the security system's MD5 hash, which was likely used to uniquely identify the machine in case multiple workstations were compromised within the same network.
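The persistence and staging chain described above can be turned into host and proxy checks. The following Python is an added detection example, not code from the Talos report or this article: the Run-key values and proxy log lines are constructed samples, and the only indicator taken from the page is the defanged crf.txt URL.

```python
import re

# Indicator quoted in the article, kept defanged; refang() restores the
# literal form that a proxy log would actually contain.
C2_IOC_DEFANGED = "hxxp://38[.]132[.]99[.]167/crf.txt"

def refang(ioc):
    """Convert a defanged indicator (hxxp, [.]) back to its literal form."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

# Traits of the described persistence: a Run-key value that launches
# PowerShell, hides its window, executes a non-script (.ini) file as code,
# and sleeps in a loop to re-run it periodically.
RUN_KEY_CHECKS = [
    ("powershell_in_run_key", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("ini_executed_as_code", re.compile(
        r"\.ini\b.*\b(iex|invoke-expression)\b|\b(iex|invoke-expression)\b.*\.ini\b", re.I)),
    ("periodic_loop", re.compile(r"\b(sleep|start-sleep)\b", re.I)),
]

def score_run_value(value):
    """Return the names of every suspicious trait found in one Run-key value."""
    return [name for name, rx in RUN_KEY_CHECKS if rx.search(value)]

def find_c2_hits(proxy_lines, defanged_iocs):
    """Return (line_number, url) for proxy lines containing a refanged IoC."""
    literals = [refang(i) for i in defanged_iocs]
    hits = []
    for n, line in enumerate(proxy_lines, 1):
        hits.extend((n, lit) for lit in literals if lit in line)
    return hits

# Constructed samples (not from the report): two Run-key values, two proxy lines.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SysUpdate": r'powershell.exe -w hidden -nop -c "while($true){gc C:\ProgramData\SysTextEnc.ini -raw | iex; sleep 300}"',
}
SAMPLE_PROXY_LINES = [
    "2019-05-20 10:01:57 10.0.0.12 GET http://www.example.com/index.html 200 chrome.exe",
    "2019-05-20 10:02:11 10.0.0.12 GET http://38.132.99.167/crf.txt 200 powershell.exe",
]

if __name__ == "__main__":
    for name, value in SAMPLE_RUN_VALUES.items():
        print(f"Run\\{name}: {score_run_value(value) or 'clean'}")
    print("proxy hits:", find_c2_hits(SAMPLE_PROXY_LINES, [C2_IOC_DEFANGED]))
```

A single trait (PowerShell in a Run key) is common in legitimate software; alerting on three or more of the traits together keeps the false-positive rate manageable.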
"Despite last month's report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater's history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group," Talos concludes.