UDPGangster is a UDP-based backdoor attributed to the MuddyWater group that is distributed via macro-enabled Microsoft Word documents to gain initial access and establish C2 over UDP. The malware uses extensive anti-analysis checks, persistence via registry startup, and capabilities for remote command execution and file exfiltration to target users in Turkey, Israel, and Azerbaijan. #UDPGangster #MuddyWater
Keypoints
- UDPGangster is delivered via malicious Word documents with embedded VBA macros that prompt users to "Enable Content" to execute the payload.
- The backdoor communicates with its C2 over UDP (observed C2: 157.20.182.75:1269) and supports remote command execution, file extraction, and payload deployment.
- Samples include robust anti-analysis and sandbox/VM detection routines (debugger checks, CPU/RAM checks, virtual NIC MAC prefixes, WMI and registry scans, and sandbox DLL/process checks).
- Persistence is achieved by copying the binary to %AppData%RoamingLow as SystemProc.exe and writing a Startup value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell.
- Telemetry links campaigns to recipients in Turkey, Israel, and Azerbaijan and shows shared infrastructure and PDB paths tying activity to MuddyWater.
- Decoy content in documents (images and text) is used to distract victims while macros decode and drop the UDPGangster payload.
- Fortinet products detect and block the threat and offer remediation and user-training recommendations to mitigate similar phishing-based intrusions.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment - The campaign delivers malicious Word documents as attachments. ["includes two attachments named seminer.doc and seminer.zip."]
- [T1204.002] User Execution: Malicious File (Office Macros) - VBA macros run on Document_Open() to decode and drop payloads when users enable content. ["Enable Content" / "The macro uses the Document_Open() event to automatically execute"]
- [T1105] Ingress Tool Transfer - The macro drops and executes a payload that copies itself to AppData and can deploy additional payloads. ["copying itself to %AppData%RoamingLow as SystemProc.exe" / "Triggers the execution of additional payloads"]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys and Startup Folder - Malware writes a Startup value under a HKCU registry key to establish persistence. ["writing the path to the Startup value under the registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell."]
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell - The backdoor can launch remote commands via cmd.exe. ["Launches remote command execution via cmd.exe"]
- [T1041] Exfiltration Over C2 Channel - UDPGangster can extract files from victims and send collected data to a remote C2 over UDP. ["Extracts files from the victim" / "sends the data to its C2 server at 157.20.182.75 over UDP port 1269."]
- [T1071] Application Layer Protocol - C2 over UDP - The malware communicates with its command-and-control server using UDP to evade typical defenses. ["communicates with its C2 server using the UDP protocol."]
- [T1082] System Information Discovery - The malware collects host details (computer name, domain/workgroup, OS version, username) for profiling. ["collects system details (computer name, domain/workgroup, OS version, and username)"]
- [T1027] Obfuscated Files or Information - The dropper decodes Base64-encoded content and the malware encodes data using an ROR-based transformation before exfiltration. ["decoding Base64-encoded data from a hidden form field" / "encodes them using an ROR-based transformation"]
- [T1497] Virtualization/Sandbox Evasion - The sample performs many sandbox/VM and debugger checks (CPU cores, RAM size, virtual NIC MAC prefixes, WMI/registry/driver/service/process checks, sandbox DLLs). ["performs several checks to evade analysis: 1. Debugger detection… 2. CPU environment… 4. Virtual adapter MAC prefixes… 8. Sandbox detection"]
Indicators of Compromise
- [IP Address] C2 and infrastructure - 157.20.182.75 (C2 server observed communicating over UDP port 1269)
- [Domain / URL] Malicious hosting and lure document - reminders[.]trahum[.]org, hxxps://reminders[.]trahum[.]org/Scheduled_Internet_Outages.doc
- [File Name] Dropper and installed binary - Scheduled_Internet_Outages.doc (decoy), seminer.doc (phishing attachment), SystemProc.exe (installed persistence filename)
- [Mutex] Runtime artifact - xhxhxhxhxhxpp (mutex created by UDPGangster)
- [PDB Path] Build artifacts linking samples - C:\Users\gangster\source\repos\udp_3.0\…\udp_3.0.pdb; C:\Users\SURGE\source\repos\udp_3.0\…\udp_3.0.pdb
- [File Hash] Malicious document hash - 7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53 (document sample)
- [Email] Phishing message content/signature blob - d177cf65a17bffcd152c5397600950fc0f81f0099… (long hex-encoded message/blob observed in reporting)
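The network and persistence indicators above can be turned into hunting logic. The following is an added example, not code from the original report or from Fortinet: it matches the reported C2 endpoint against constructed Zeek-style conn.log lines and the reported Startup registry write against constructed Sysmon-style registry events (the column layout and event field names are assumptions, and the registry key is matched by prefix so a longer real key name under "User Shell" is still caught).

```python
# Added example, not code from the original report: apply the UDPGangster
# indicators to constructed Zeek-style conn.log lines and Sysmon-style registry events.
C2_IP, C2_PORT = "157.20.182.75", 1269
PERSIST_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell"
PERSIST_EXE = "SystemProc.exe"

def find_c2_flows(conn_lines):
    """Return (src_ip, dst_ip, dst_port) for UDP flows to the reported C2 endpoint.
    Assumed tab-separated layout: ts  uid  src_ip  src_port  dst_ip  dst_port  proto"""
    hits = []
    for line in conn_lines:
        if line.startswith("#") or not line.strip():
            continue
        f = line.rstrip("\n").split("\t")
        if len(f) < 7:
            continue
        src, dst, dport, proto = f[2], f[4], int(f[5]), f[6].lower()
        if proto == "udp" and dst == C2_IP and dport == C2_PORT:
            hits.append((src, dst, dport))
    return hits

def find_persistence_events(reg_events):
    """Flag Sysmon-style registry writes (TargetObject/Details fields) where the
    'Startup' value under the reported key is pointed at SystemProc.exe.
    Prefix match on the key tolerates a longer real key name than the one quoted."""
    hits = []
    for ev in reg_events:
        target = ev.get("TargetObject", "")
        key, _, value = target.rpartition("\\")
        if (key.lower().startswith(PERSIST_KEY.lower())
                and value.lower() == "startup"
                and PERSIST_EXE.lower() in ev.get("Details", "").lower()):
            hits.append((ev.get("Image", "?"), target))
    return hits

# Constructed sample data: one benign DNS flow, one flow to the C2, one benign
# Run-key write, and one write matching the reported persistence behaviour.
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1700000000.1\tCabc1\t10.0.0.15\t51234\t10.0.0.2\t53\tudp",
    "1700000001.2\tCabc2\t10.0.0.15\t49877\t157.20.182.75\t1269\tudp",
]
SAMPLE_REG = [
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"Image": r"C:\Users\user\AppData\Roaming\Low\SystemProc.exe",
     "TargetObject": PERSIST_KEY + r"\Startup",
     "Details": r"C:\Users\user\AppData\Roaming\Low\SystemProc.exe"},
]
```

Feed real conn.log exports and Sysmon EventID 13 records into the two functions after mapping their fields to the assumed layout; a hit on either is worth an immediate host triage rather than a ticket.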