| MuddyWater | |
|---|---|
| Other Names | ATK51, Boggy Serpens, COBALT ULSTER, G0069, MERCURY, Mango Sandstorm, Seedworm, Static Kitten, TA450, TEMP.Zagros, SectorD02, ENT-11, Earth Vetala |
| Location | Iran |
| Date of initial activity | 2017 |
| Suspected attribution | State-sponsored threat group |
| Government Affiliation | Iran's Ministry of Intelligence and Security (MOIS) |
| Associated Groups | APT35, DEV-1084 |
| Motivation | MuddyWater campaigns typically fall into one of the following categories: espionage, intellectual property theft, and ransomware attacks. |
| Associated tools | ConnectWise, CrackMapExec, Empire, Koadic, LaZagne, Mimikatz, Out1, PowGoop, PhonyC2, MuddyC2Go, SimpleHelp, Venom Proxy, Revsocks, AnyDesk, PowerShell, Custom keylogger, Storyblok, Ligolo, Sicehice, SloughRAT, Canopy/Starwhale, Mori, POWERSTATS, Small Sieve, Survey Script, MuddyC3, PowerSploit, RemoteUtilities, SHARPSTATS |
| Active | Yes |
Overview
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor called “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.
Cisco Talos has identified multiple campaigns perpetrated by, and tools used by, the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe.
MuddyWater's variety of lures and payloads, along with its targeting of several different geographic regions, strengthens Cisco Talos's hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. These sub-groups have conducted campaigns against a variety of industries, including national and local governments and ministries, universities, and private entities such as telecommunication providers.
While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations depending on the victims they target.
A variety of campaigns analyzed are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. The MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns.
Common targets
MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.
Attack Vectors
MuddyWater has sent spear-phishing emails, starting back in 2020, with direct links, as well as PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing platforms.
How they operate
MuddyWater seeks to maintain stealth in their operations by using techniques such as DLL sideloading to disguise command and control traffic as legitimate activity. Additionally, the adversary is often observed using custom lightweight encoding and obfuscation schemes to bypass detection.
Cisco Talos researchers found that the group is using maldocs to deliver a Windows script file-based remote access Trojan, which Talos calls "SloughRAT"; the same implant is known as "Canopy" in CISA's alert from February 2022 about MuddyWater.
The obfuscated Trojan also attempts to execute arbitrary code and commands received from its command and control servers. Talos researchers say that their investigation led to the discovery of two additional script-based implants: one written in Visual Basic and used during 2021-2022, and one written in JavaScript and used in 2019-2020, which also downloads and runs arbitrary commands on the victim's system.
MuddyWater also relies heavily on the use of DNS to contact their C2 servers, while the initial contact with the hosting servers is conducted via HTTP.
Although portions of the adversary's toolset and infrastructure have recently been exposed publicly, the actor has shown the ability to adapt by modifying tools and creating new variants. Recent infection campaigns always start with a compressed file wrapping a malicious Word document containing VBA macros.
The dropped script is a small RAT that executes commands via cmd.exe. It first calls a recon function that runs whoami and sets a country code hard-coded in the script. The result then becomes part of the URI used for the C2 contact. After building the recon string, it executes its main function.
This function first launches explorer.exe (for no apparent functional reason), then calls a function that picks one IP address from an array, rotating to the next entry if the chosen IP does not reply to the subsequent C2 connection. In the case of an empty reply, it rotates the IP address and tries again with the next one.
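The paragraphs above note that MuddyWater implants lean heavily on DNS to reach their C2 servers and rotate through a list of addresses when one stops answering. One defender-side check that follows from this is to look, in DNS query logs, for a client that repeatedly resolves many distinct, random-looking names under a single registered domain. The script below is an added example written for this page, not code from the original page or from any of the research teams it cites; the log line format, the "last two labels" registered-domain heuristic, and the thresholds (five distinct names, mean leftmost-label entropy of 3.0 bits) are assumptions chosen for the demo, and the log lines are constructed.

```python
"""
Added example (not from the original page): score DNS query logs for the high-volume,
random-looking subdomain pattern that DNS-based C2 channels tend to produce. The log
format, the registered-domain heuristic and the thresholds are assumptions for this demo.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 A www.example.com
2024-03-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-03-01T10:00:03Z 10.0.0.7 TXT 4a7f3c9e1b2d.cdn-update.example.net
2024-03-01T10:00:05Z 10.0.0.7 TXT 9e1b2d4a7f3c.cdn-update.example.net
2024-03-01T10:00:07Z 10.0.0.7 TXT c0ffee1234ab.cdn-update.example.net
2024-03-01T10:00:09Z 10.0.0.7 TXT deadbeef5678.cdn-update.example.net
2024-03-01T10:00:11Z 10.0.0.7 TXT 0123456789ab.cdn-update.example.net
2024-03-01T10:00:13Z 10.0.0.7 TXT fedcba987654.cdn-update.example.net
2024-03-01T10:00:15Z 10.0.0.9 A www.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; random hex labels score well above dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qtype, qname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def find_dns_c2_candidates(log_text, min_unique=5, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups where the client
    asked for many distinct names whose leftmost label looks random (high entropy)."""
    groups = defaultdict(set)
    for client, _qtype, qname in parse_log(log_text):
        groups[(client, registered_domain(qname))].add(qname.lower())
    findings = []
    for (client, domain), names in groups.items():
        if len(names) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(names),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_dns_c2_candidates(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log the two ordinary clients resolve only a couple of names each and are ignored, while 10.0.0.7 is reported for six distinct hex-prefixed names under example.net. In production the registered-domain step should use a public-suffix list, and the thresholds need tuning against a baseline of legitimate CDN and telemetry domains, which also produce many unique subdomains.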
MITRE ATT&CK Techniques used by MuddyWater:
- T1548.002 Abuse Elevation Control Mechanism – Bypass User Account Control: MuddyWater uses various techniques to bypass UAC.
- T1087.002 Account Discovery – Domain Account: MuddyWater has used `cmd.exe net user /domain` to enumerate domain users.
- T1583.006 Acquire Infrastructure – Web Services: MuddyWater has used file sharing services including OneHub to distribute tools.
- T1071.001 Application Layer Protocol – Web Protocols: MuddyWater has used HTTP for C2 communications.
- T1560.001 Archive Collected Data – Archive via Utility: MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.
- T1547.001 Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder: MuddyWater has added the Registry Run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding` to establish persistence.
- T1059.001 Command and Scripting Interpreter – PowerShell: MuddyWater has used PowerShell for execution.
- T1059.003 Command and Scripting Interpreter – Windows Command Shell: MuddyWater has used a custom tool for creating reverse shells.
- T1059.005 Command and Scripting Interpreter – Visual Basic: MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.
- T1059.006 Command and Scripting Interpreter – Python: MuddyWater has used tools developed in Python, including Out1.
- T1059.007 Command and Scripting Interpreter – JavaScript: MuddyWater has used JavaScript files to execute its POWERSTATS payload.
- T1555 Credentials from Password Stores: MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
- T1132.001 Data Encoding – Standard Encoding: MuddyWater has used tools to encode C2 communications, including Base64 encoding.
- T1074.001 Data Staged – Local Data Staging: MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.
- T1140 Deobfuscate/Decode Files or Information: MuddyWater decoded base64-encoded PowerShell commands using a VBS file.
- T1573.001 Encrypted Channel – Symmetric Cryptography: MuddyWater has used AES to encrypt C2 responses.
- T1041 Exfiltration Over C2 Channel: MuddyWater has used C2 infrastructure to receive exfiltrated data.
- T1190 Exploit Public-Facing Application: MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).
- T1203 Exploitation for Client Execution: MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
- T1210 Exploitation of Remote Services: MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).
- T1083 File and Directory Discovery: MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords “Kasper,” “Panda,” or “ESET.”
- T1589.002 Gather Victim Identity Information – Email Addresses: MuddyWater has specifically targeted government agency employees with spearphishing e-mails.
- T1574.002 Hijack Execution Flow – DLL Side-Loading: MuddyWater maintains persistence on victim networks through side-loading DLLs to trick legitimate programs into running malware.
- T1562.001 Impair Defenses – Disable or Modify Tools: MuddyWater can disable the system's local proxy settings.
- T1105 Ingress Tool Transfer: MuddyWater has used malware that can upload additional files to the victim’s machine.
- T1559.001 Inter-Process Communication – Component Object Model: MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
- T1559.002 Inter-Process Communication – Dynamic Data Exchange: MuddyWater has used malware that can execute PowerShell scripts via DDE.
- T1036.005 Masquerading – Match Legitimate Name or Location: MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.
- T1104 Multi-Stage Channels: MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
- T1027.003 Obfuscated Files or Information – Steganography: MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.
- T1027.004 Obfuscated Files or Information – Compile After Delivery: MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
- T1027.010 Obfuscated Files or Information – Command Obfuscation: MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
- T1588.002 Obtain Capabilities – Tool: MuddyWater has made use of the legitimate tools ConnectWise and Remote Utilities to gain access to target environments.
- T1137.001 Office Application Startup – Office Template Macros: MuddyWater has used a Word Template, Normal.dotm, for persistence.
- T1003.001 OS Credential Dumping – LSASS Memory: MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
- T1003.004 OS Credential Dumping – LSA Secrets: MuddyWater has performed credential dumping with LaZagne.
- T1003.005 OS Credential Dumping – Cached Domain Credentials: MuddyWater has performed credential dumping with LaZagne.
- T1566.001 Phishing – Spearphishing Attachment: MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.
- T1566.002 Phishing – Spearphishing Link: MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.
- T1057 Process Discovery: MuddyWater has used malware to obtain a list of running processes on the system.
- T1090.002 Proxy – External Proxy: MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).
- T1219 Remote Access Software: MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
- T1053.005 Scheduled Task/Job – Scheduled Task: MuddyWater has used scheduled tasks to establish persistence.
- T1113 Screen Capture: MuddyWater has used malware that can capture screenshots of the victim’s machine.
- T1518 Software Discovery: MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
- T1518.001 Security Software Discovery: MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.
- T1218.003 System Binary Proxy Execution – CMSTP: MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.
- T1218.005 System Binary Proxy Execution – Mshta: MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
- T1218.011 System Binary Proxy Execution – Rundll32: MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
- T1082 System Information Discovery: MuddyWater has used malware that can collect the victim’s OS version and machine name.
- T1016 System Network Configuration Discovery: MuddyWater has used malware to collect the victim’s IP address and domain name.
- T1049 System Network Connections Discovery: MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
- T1033 System Owner/User Discovery: MuddyWater has used malware that can collect the victim’s username.
- T1552.001 Unsecured Credentials – Credentials In Files: MuddyWater has run a tool that steals passwords saved in victim email.
- T1204.001 User Execution – Malicious Link: MuddyWater has distributed URLs in phishing e-mails that link to lure documents.
- T1204.002 User Execution – Malicious File: MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
- T1102.002 Web Service – Bidirectional Communication: MuddyWater has used web services including OneHub to distribute remote access tools.
- T1047 Windows Management Instrumentation: MuddyWater has used malware that leveraged WMI for execution and querying host information.
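Several of the techniques listed above leave clear traces in host telemetry: `net user /domain` (T1087.002), mshta.exe and CMSTP with an INF file (T1218.005, T1218.003), csc.exe compiling downloaded source (T1027.004), makecab.exe staging data (T1560.001), a Run key named SystemTextEncoding (T1547.001) that launches rundll32.exe (T1218.011), and Base64-encoded PowerShell (T1027.010). The script below is an added example written for this page, not code from the original page or from MITRE; it triages a handful of constructed process-creation and registry-set events against those patterns and decodes any `-EncodedCommand` argument it finds (PowerShell expects UTF-16LE text, Base64-encoded). The event field names (`type`, `image`, `cmdline`, `key`, `data`) and the matching rules are assumptions for the demo, not any product's schema, and the sample events are constructed.

```python
"""
Added example (not from the original page): triage constructed Windows process-creation
and registry events against the MuddyWater techniques listed on this page. Field names
and rules are assumptions for this demo, not a vendor schema.
"""
import base64
import re

# Constructed sample: the -EncodedCommand argument is generated here rather than typed
# by hand so it is guaranteed to be valid UTF-16LE Base64, which is what PowerShell expects.
SAMPLE_ENCODED = base64.b64encode("whoami".encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed events; field names are assumptions for this demo
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user /domain"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run '
                '""powershell -nop -w hidden -enc ' + SAMPLE_ENCODED + '""")'},
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\update.inf"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\Public\a.exe C:\Users\Public\a.cs"},
    {"type": "process", "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab.exe C:\Users\Public\docs.txt C:\Users\Public\out.cab"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding",
     "data": r"rundll32.exe C:\ProgramData\x.dll,Start"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; capture the Base64 blob after it.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
NET_USER_DOMAIN_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+/domain", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the line carries none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of (ATT&CK technique id, detail) pairs for matching events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            exe, cmd = _basename(ev["image"]), ev["cmdline"]
            if NET_USER_DOMAIN_RE.search(cmd):
                findings.append(("T1087.002", "domain account enumeration: " + cmd))
            if exe == "mshta.exe":
                findings.append(("T1218.005", "mshta.exe proxy execution"))
            if exe == "cmstp.exe" and ".inf" in cmd.lower():
                findings.append(("T1218.003", "cmstp.exe invoked with an INF file"))
            if exe == "csc.exe":
                findings.append(("T1027.004", "compile after delivery via csc.exe"))
            if exe == "makecab.exe":
                findings.append(("T1560.001", "data archived via makecab.exe"))
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("T1027.010", "encoded PowerShell decodes to: " + decoded))
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
            value_name = ev["key"].rsplit("\\", 1)[-1]
            if value_name.lower() == "systemtextencoding":
                findings.append(("T1547.001", "Run key value named SystemTextEncoding"))
            if "rundll32" in ev["data"].lower():
                findings.append(("T1218.011", "rundll32.exe launched from a Run key"))
    return findings


if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_EVENTS):
        print(technique, detail)
```

Run against the constructed events, the benign notepad.exe launch produces nothing, the mshta.exe event yields two findings (the proxy execution itself and the decoded `whoami`), and the single Run-key write yields both the persistence and the rundll32 finding. Decoding the encoded command before matching matters in practice: string rules that only look at the raw command line miss everything hidden inside the Base64 blob.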
Mitigations
Protective Controls and Architecture
- Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code.
Identity and Access Management
- Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information.
Phishing Protection
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing.
- Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
- Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
- Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
- Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks.
Vulnerability and Configuration Management
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Prioritize patching known exploited vulnerabilities.
Significant Attacks
MuddyWater campaigns typically fall into one of the following categories:
- Espionage: Collecting information on adversaries or regional partners that can benefit Iran by helping to advance its political, economic, or national security interests.
- Intellectual property theft: Stealing intellectual property and other proprietary information can benefit Iran in a variety of ways, including helping Iranian businesses against their competitors, influencing economic policy decisions at the state level, or informing government-related research and design efforts, among others. These campaigns target private and government entities, such as universities, think tanks, federal agencies, and various industry verticals.
- Ransomware attacks: MuddyWater has previously attempted to deploy ransomware, such as Thanos, on victim networks to either destroy evidence of their intrusions or disrupt operations.
Campaigns:
- Espionage attack against Saudi Arabia Government entity (September 2017)
- Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign (March 2018)
- Potential MuddyWater Campaign Seen in the Middle East (March 2018)
- MuddyWater Operations in Lebanon and Oman (November 2018)
- Seedworm Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms (December 2018)
- Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey (April 2019)
- Catching fish in muddy waters (May 2019)
- Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East (March 2021)
- Espionage Campaign Targets Telecoms Organizations across Middle East and Asia (December 2021)
- Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables (January 2021)
- Iranian Cyber Attack Targets Turkey and Arabian Peninsula with New Malware Campaign (March 2022)
- MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (August 2022)
- MuddyWater’s “light” first-stager targeting Middle East (June 2022)
- MERCURY and DEV-1084: Destructive attack on hybrid environment (April 2023)
- Attack Against Jordanian Company (July 2023)
- Attacks Against an Iraqi Telecommunications Provider (September 2023)
- “Swords of Iron” War (October 2023)
- Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa (December 2023)
- Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign (March 2024)
References:
- MuddyWater
- Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
- MuddyWater expands operations
- The Muddy Waters of APT Attacks
- New MuddyWater Activities Uncovered
- Reviving MuddyC3 Used by MuddyWater (IRAN) APT
- Iranian intel cyber suite of malware uses open source tools
- Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
- Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
- Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
- SimpleHarm: Tracking MuddyWater’s infrastructure
- PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
- Signs of MuddyWater Developments Found in the DNS
- MuddyWater eN-Able spear-phishing with new TTPs