Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques


May 20, 2019 - 0 Comments

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.

Read More



Tags:
Leave a comment

We'd love to hear from you! Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed and HTML formatting will not appear.