A new sample associated with MuddyWater, an Advanced Persistent Threat (APT) group that has been known to target organizations in Middle Eastern countries, has been discovered utilizing stenography and a script hosted on GitHub as part of a malware infection chain. According to Bleeping Computer, the attack begins with a malicious Word document with macro code that will pull a PowerShell script hosted on Github and execute to start the next steps to steganography. The PowerShell script downloads a PNG image from the legitimate image hosting site imgur.com. It runs multiple math operations against the pixel values in the PNG image to decode a Cobalt Strike Beacon, a legitimate red team tool that has also been used extensively by threat actors. Once the PNG is decoded, another PowerShell script is run, which will load shellcode into memory and execute the Beacon to allow the attackers remote access to the target machine.
Attacks such as these can seem stealthy at the surface level, but understanding each step of how the malware operates can allow defenders to implement alerts that detect multiple malware families. The first detection is looking for processes making unusual network connections such as Microsoft Word or PowerShell connecting to GitHub. While there are many legitimate uses for PowerShell to make this kind of connection, it should not be so common that investigating such events should be brushed off. Along that same vein, PowerShell should also not be connecting to imgur.com in normal circumstances. It should also be rare for PowerShell to be directly interacting with images and using System.Drawing in the command line. There have been many documented cases where PowerShell is utilized for steganography within the past year, and looking at connections by unusual processes can bring high-value low-volume detections. Further investigation into the shellcode also provides the domain portmap[.]host, which is one of the domains used by a port forwarding service portmap.io. Enterprise security teams should consider alerting or blocking connections to any domain ending in portmap.io or portmap.host, or the IP addresses in Russia where these domains resolve: 220.127.116.11 and 18.104.22.168.