MuddyWater Targets MENA Governments with Phoenix Backdoor

MITRE Techniques

• [T1193] Spearphishing Attachment – Malicious Word documents with VBA macros were sent via email; “…emails that mimic legitimate correspondence, prompting recipients to enable macros for viewing blurred content.”
• [T1204.002] User Execution: Malicious File – Victims enabled macros which executed VBA dropper code; “…embedded Visual Basic for Applications (VBA) code functions as a dropper, decoding and writing a loader to disk before execution.”
• [T1113] Screen Capture (credential stealer behavior) – A Chromium-based stealer enumerates browser profiles and extracts encrypted keys to steal credentials; “…enumerates browser profiles, extracts encrypted keys from Local State files using OS crypto APIs…decrypts login data.”
• [T1055.001] Process Injection: Dynamic-link Library Injection/Process Injection – FakeUpdate decrypts a payload and injects Phoenix into its own process; “…FakeUpdate injector to decrypt and inject Phoenix backdoor version 4…injecting it into its own process.”
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Phoenix achieves persistence by modifying Winlogon Shell value in the registry; “…altering the Shell value in the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon.”
• [T1071.001] Application Layer Protocol: Web Protocols – Phoenix communicates with C2 via WinHTTP to poll for commands and perform uploads/downloads; “…connects to the C2 server via WinHTTP for command polling…supporting functions including sleep, file upload and download, shell execution…”
• [T1105] Ingress Tool Transfer – Additional tools (PDQ, Action1 RMM, Chromium_Stealer) were hosted on the same C2 server and retrieved by attackers; “…hosted PDQ RMM tools previously associated with the actor…an open directory on the server exposed additional utilities…”