A sophisticated cyber espionage campaign attributed to APT MuddyWater has emerged targeting Chief Financial Officers and finance executives across Europe, North America, South America, Africa, and Asia.
The threat actors are deploying a multi-stage phishing operation that masquerades as legitimate recruitment communications from Rothschild & Co, leveraging Firebase-hosted phishing pages with custom CAPTCHA challenges to deceive high-value targets.
The campaign demonstrates significant evolution in the group’s tactics, incorporating legitimate remote access tools including NetBird and OpenSSH to establish persistent backdoors within corporate networks.
The attack sequence begins with carefully crafted spear-phishing emails that direct victims to Firebase-hosted domains such as googl-6c11f.firebaseapp.com, where targets encounter seemingly legitimate “human verification” challenges.
Upon completing these fabricated CAPTCHA tests, victims are redirected to secondary phishing sites that deliver malicious ZIP archives disguised as PDF documents.
These archives contain VBScript files that initiate a complex multi-stage infection process designed to deploy remote access capabilities while maintaining stealth.
Hunt.io analysts identified critical infrastructure shifts within this campaign, noting the transition from previously documented command-and-control servers at 192.3.95.152 to new infrastructure at 198.46.178.135.
The researchers discovered multiple Firebase projects utilizing identical phishing kits, including cloud-ed980.firebaseapp.com and cloud-233f9.web.app, all employing AES-encrypted redirect mechanisms with hard-coded passphrases to evade detection systems.
The malware’s persistence mechanisms represent a particularly concerning aspect of this campaign.
The initial VBS downloader (F-144822.vbs) retrieves a secondary payload from the attacker-controlled infrastructure, specifically targeting the path /34564/cis.ico, which is renamed to cis.vbs upon execution.
This second-stage script performs several critical functions, including the silent installation of the NetBird and OpenSSH MSI packages using the following commands:
msiexec /i netbird.msi /quiet
msiexec /i OpenSSH.msi /quiet
Advanced Persistence and Remote Access Implementation
The campaign’s most sophisticated element lies in its comprehensive persistence strategy, which combines multiple legitimate tools to establish redundant access channels.
The malware creates a hidden administrative account named “user” with the password “Bs@202122”, effectively providing attackers with privileged system access that persists across system reboots.
This account is strategically hidden from Windows login screens through registry modifications, ensuring it remains undetected during routine system administration activities.
NetBird deployment utilizes a preconfigured setup key (E48E4A70-4CF4-4A77-946B-C8E50A60855A) to establish secure tunnel connections, while simultaneously enabling Remote Desktop Protocol services and configuring firewall exceptions.
The malware ensures service reliability through scheduled task creation, specifically implementing “ForceNetbirdRestart” tasks that automatically restart NetBird services after system startup delays.
Additionally, the campaign removes NetBird desktop shortcuts from all user profiles, effectively concealing the presence of newly installed remote access software from casual observation by system administrators or users.