
MuddyWater APT Analysis

Introduction:

The MuddyWater APT group has been active since 2017, focusing primarily on victims in Middle East countries and using in-memory vectors that leverage PowerShell. The family relies on the "living off the land" technique: because it does not require creating new binaries on the victim's computer, it maintains a low detection profile and a minimal forensic footprint. MuddyWater has targeted countries throughout the Middle East, Europe, and the United States. MuddyWater APT was a primary reason for an increase in spear-phishing attacks targeting government agencies, military entities, telecom companies, and educational institutions in Jordan, Azerbaijan, Pakistan, Iraq, and Saudi Arabia. Other such attacks were also uncovered in countries such as Mali, Austria, Russia, Iran, and Bahrain. Recently, Check Point researchers noticed a new campaign targeting Belarus, Turkey, and Ukraine. MuddyWater is known for cyberespionage and other criminal activities in collaboration with Iran's Ministry of Intelligence and Security, which divided the MuddyWater group into two teams:

  • The first team specializes in hacking the target systems.
  • The second team performs social engineering operations using spear-phishing methods.

MuddyWater Global Attacks:

Global attacks by country: Jordan, Turkey, Saudi Arabia, Azerbaijan, Iraq, Pakistan, Afghanistan. Source: Securelist
Saudi Arabia: Document signed by the Major General Pilot, commander of the Saudi Royal Air Force
Azerbaijan: İnkişaf üçün görüş.doc (meeting for development)

Unique victims per country before the publication of advisories. Source: Reaqta
Operator's activities per country. Source: Reaqta

Technical Analysis:

Document Analysis

NetSecurity has captured a decoy document that has a suspicious VBA macro.

Details of the suspicious doc file:

SHA256: 4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c

Malicious decoy doc file
Metadata of the captured doc file

Threat Intelligence

Upon analyzing the SHA256 in VirusTotal, we found that the suspicious file is indeed malicious.

VirusTotal Analysis

Initial Access

Phishing and spear-phishing are the most common tactics used by the threat actors to spread the documents and trap the victims. Through our research, we identified similar documents that share common characteristics, such as the attempt to impersonate national entities:

  • Iraqi National Intelligence Service
  • National Security Agency
  • Ministry of Interior of Saudi Arabia
  • Federal Investigation Agency Ministry of Interior Pakistan

The document has the following metadata fields in common with other identified malicious documents:

  • LastModifiedBy: GIGABYTE
  • AppVersion: 15.0
  • Software: Microsoft Office Word

Obfuscation

Upon analyzing the malicious document using the ThreatResponder FORENSICS tool, we captured randomly encrypted strings, indicating the obfuscation performed by the attackers to hide the actual code.

Obfuscated strings to hide the identity

Upon deeper assessment, we can establish that it is Base64 encoding. After decoding the Base64-encoded VBA macro, we identified that the VBS content below is used to run the system.ps1 PowerShell script:

' Create a WScript.Shell object, which can launch processes
Set objShell = WScript.CreateObject("WScript.Shell")
' Run the dropped script with a hidden window and the execution policy bypassed
command = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -file C:\Users\Public\Documents\system.ps1"
' Second argument 0 = hidden window; the script does not wait for PowerShell to exit
objShell.Run command,0
Set objShell = Nothing
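The decoding step above is the part of macro triage that is easiest to automate. The following Python script is an added example, not code from NetSecurity or from the captured document: it pulls every long Base64 run out of a macro's text, decodes only those that yield printable text (a run that is really a long identifier fails padding or decodes to binary and is skipped), and flags decoded blobs that carry the launcher markers seen in the VBS above (powershell.exe, -ExecutionPolicy Bypass, -WindowStyle hidden, WScript.Shell, a path under C:\Users\Public). The sample macro, the variable names in it and the indicator list are constructed for the example.

```python
import base64
import re

# Constructed sample, not the captured document's macro: a VBA fragment that
# carries a Base64-encoded VBS launcher of the kind decoded above, plus one
# harmless Base64 string so the triage output shows both outcomes.
VBS_LAUNCHER = (
    'Set objShell = WScript.CreateObject("WScript.Shell")\r\n'
    'command = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass '
    '-nologo -noprofile -file C:\\Users\\Public\\Documents\\system.ps1"\r\n'
    'objShell.Run command,0\r\n'
    'Set objShell = Nothing\r\n'
)
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim payload As String\n"
    '    payload = "' + base64.b64encode(VBS_LAUNCHER.encode()).decode() + '"\n'
    "    Dim title As String\n"
    '    title = "' + base64.b64encode(b"Microsoft Office").decode() + '"\n'
    "End Sub\n"
)

# Runs of Base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Substrings (compared lower-cased) that mark a decoded blob as a script launcher.
INDICATORS = (
    "powershell.exe",
    "-executionpolicy bypass",
    "-windowstyle hidden",
    "wscript.shell",
    "c:\\users\\public",
)


def decode_printable(candidate):
    """Decode a Base64 run; return text only if it is printable, else None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # bad padding, non-alphabet bytes, or not UTF-8
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None  # decoded to binary: a false-positive Base64 run
    return text


def triage_macro(macro_text):
    """List every decodable Base64 run with the launcher indicators it contains."""
    results = []
    for match in B64_RUN.finditer(macro_text):
        decoded = decode_printable(match.group(0))
        if decoded is None:
            continue
        lowered = decoded.lower()
        hits = [ind for ind in INDICATORS if ind in lowered]
        results.append({
            "encoded": match.group(0),
            "decoded": decoded,
            "indicators": hits,
            "suspicious": bool(hits),
        })
    return results


if __name__ == "__main__":
    for item in triage_macro(SAMPLE_MACRO):
        flag = "SUSPICIOUS" if item["suspicious"] else "benign"
        print(f"[{flag}] {item['decoded'][:60]!r} {item['indicators']}")
```

Running the script on the sample reports one suspicious blob (the launcher, matching all five indicators) and one benign one ("Microsoft Office"). On a real document, feed it the macro source extracted with a tool such as olevba rather than the raw .doc bytes, since OLE compression hides the string literals.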

Execution

As assessed from the deobfuscated string, the macro is designed to perform the following operations:

  1. Decode and drop a PowerShell script into C:\Users\Public\Documents\system.ps1
  2. Decode and drop a VBS script into C:\Users\Public\Documents\system.VBS
  3. Execute the VBS with the Shell.Open method

Using NetSecurity Forensics, we found evidence that the initial backdoor is deployed using a decoy document containing a macro, and established that the document leverages the macro-to-VBS mechanism to execute code and deploy the next attack stages.

VBA execution evidence

In addition, we identified the execution of commands such as whoami.exe and access to explorer.exe through the WScript commands.

Persistence

The persistence function lowers the security settings of Microsoft Excel and Word, creates a survive-on-reboot mechanism, and hides the VBS and PS1 files by setting the System and Hidden file attributes via the Windows utility attrib.exe.

  • Persistence is obtained by adding an entry to the CurrentVersion\Run key under both HKCU and HKLM.
  • The resulting value is named Windows Optimizations and resolves to Wscript C:\Users\Public\Documents\System.Vbs.
  • A second persistence mechanism is obtained by adding a Scheduled Task named Microsoft\WindowsOptimizationsService, which executes Wscript C:\Users\Public\Documents\System.Vbs.
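The three artifacts in the list above (a Run value, a scheduled task and System+Hidden scripts in C:\Users\Public) are all visible in routine host exports. The Python below is an added example, not NetSecurity's tooling: it parses constructed samples of reg query output, a reduced three-column subset of schtasks /query /fo CSV /v, and attrib.exe output, then flags any Run value or task action that launches wscript/cscript on a script under C:\Users\Public, the two names reported on this page, and any .vbs/.ps1 there carrying the S and H attributes. The host name, the benign entries and the column subset are constructed for the example.

```python
import csv
import io
import re

# Constructed host artifacts shaped like the indicators described in the
# Persistence section; not output collected from a real infected machine.
# (a) "reg query" output for the Run keys
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Optimizations    REG_SZ    Wscript C:\Users\Public\Documents\System.Vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""
# (b) a reduced subset of the columns of "schtasks /query /fo CSV /v"
TASKS_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS01","\Microsoft\WindowsOptimizationsService","Wscript C:\Users\Public\Documents\System.Vbs"
'''
# (c) attrib.exe output for the drop directory
ATTRIB_OUT = r"""
A    SH       C:\Users\Public\Documents\System.Vbs
A    SH       C:\Users\Public\Documents\system.ps1
A            C:\Users\Public\Documents\notes.txt
"""

SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")
# Names reported on this page for the Run value and the scheduled task.
KNOWN_NAMES = {"windows optimizations", r"\microsoft\windowsoptimizationsservice"}


def parse_reg_query(text):
    """Parse 'reg query' output into {key, name, type, data} records."""
    entries, key = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # un-indented line = the key path
            key = raw.strip()
            continue
        fields = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if key and len(fields) == 3:
            entries.append({"key": key, "name": fields[0],
                            "type": fields[1], "data": fields[2]})
    return entries


def parse_attrib(text):
    """Parse attrib.exe output into (path, set of attribute letters) pairs."""
    out = []
    for line in text.splitlines():
        m = DRIVE_PATH.search(line)
        if m:
            out.append((line[m.start():].strip(), set(line[:m.start()].replace(" ", ""))))
    return out


def launcher_reasons(command):
    """Why a command line is suspicious: a script host run from the Public profile."""
    reasons = []
    if SCRIPT_HOST.search(command) and PUBLIC_DIR.search(command):
        reasons.append("wscript/cscript launching a script under C:\\Users\\Public")
    return reasons


def find_persistence(reg_text, tasks_csv, attrib_text):
    """Return (source, name, reasons) findings across the three artifact types."""
    findings = []
    for e in parse_reg_query(reg_text):
        reasons = launcher_reasons(e["data"])
        if e["name"].lower() in KNOWN_NAMES:
            reasons.append("Run value name reported for MuddyWater")
        if reasons:
            findings.append(("run_key", e["name"], reasons))
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        reasons = launcher_reasons(row["Task To Run"])
        if row["TaskName"].lower() in KNOWN_NAMES:
            reasons.append("task name reported for MuddyWater")
        if reasons:
            findings.append(("scheduled_task", row["TaskName"], reasons))
    for path, flags in parse_attrib(attrib_text):
        if {"S", "H"} <= flags and PUBLIC_DIR.search(path) \
                and path.lower().endswith((".vbs", ".ps1")):
            findings.append(("hidden_script", path,
                             ["System+Hidden attributes on a script in C:\\Users\\Public"]))
    return findings


if __name__ == "__main__":
    for source, name, reasons in find_persistence(RUN_KEY_DUMP, TASKS_CSV, ATTRIB_OUT):
        print(f"{source:15} {name:50} {'; '.join(reasons)}")
```

The behavioural rule (script host plus a path under C:\Users\Public) is the one worth keeping: the value and task names can be changed by the operator at no cost, whereas a scheduled task or Run entry that starts wscript.exe on a file in a world-writable profile directory is unusual on a managed workstation regardless of its name.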

Exfiltration

Upon analyzing the malicious doc file using ThreatResponder FORENSICS, we identified that the malicious file contains strings with a URL pattern that appears to be a C2 connection to a potentially malicious domain.

URL pattern to the malicious domain

MuddyWater APT IOCs

File Hashes

  • 8d6ed63f2ffa053a683810f5f96c76813cdca2e188f16d549e002b2f63cee001
  • 42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1
  • d3ecc4137fc9a6d7418b4780864baf64cf7417d7badf463dff6ea48cd455915b
  • 9991b185c9e9732501e0c2bd841e32a4022f0735a0527150bc8e64ac363d409d
  • d9de66497ad189d785d7535ab263e92ffad81df20b903c5e1d36859b4ed38b6d
  • 5cdc7dd6162a8c791d50f5b2c5136d7ba3bf417104e6096bd4a2b76ea499a2f4
  • 26ed7e89b3c5058836252e0a8ed9ec6b58f5f82a2e543bc6a97b3fd17ae3e4ec
  • a8701fd6a5eb45e044f8bf150793f4189473dde46e0af8314652f6bf670c0a34
  • b726f4dd745891070f2e516d5d4e4f2f1ce0bf3ff685dc3800455383f342e54d
  • c9931382f844b61a002f83db1ae475953bbab449529be737df1eee8b3065f6eb
  • fcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0
  • c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a
  • 450302fb71d8e0e30c80f19cfe7fb7801b223754698cac0997eb3a3c8e440a48
  • b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
  • 921b4520b75fcd0071944a483d738223b222ba101e70f2950fbfbc22afbdb5d0
  • d7de68febbbdb72ff820f6554afb464b5c204c434faa6ffe9b4daf6b691d535f
  • 8b9be9e4d18c5fc71cd12dbfd60ea41eb88a07497e96faa2ba20fdc929b32c0b
  • 7dc49601fa6485c3a2cb1d519794bee004fb7fc0f3b37394a1aef6fceefec0c8
  • a69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c
  • 63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e104cf
  • 6910ddb58aee9a77e7bb9cadef9e6280a9b5b495edf0b6538cf8bdc1db8b1f4c
  • d851badfcf3b3a8b4210bdb33948d0d1d918ec6bf0f1f85cbae6bb8feec7cd74
  • aa72f1543d4a4e6ecbfc2da0167f5601c5c692bed73243cf01f616bc4af68afe
  • 8f255a1f2e17828a5b9205d6991e2c85c3320311da28048785262396cbc568c7
  • cddd5514b7ed3d33ff8eaa16b7b71621ced857755246683e0d28c4650ea744bf
  • b4d0161ecab5a7847d325c88ce1a4fc2ca2e11fad0b77638b63ae1781c8b5793
  • f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285
  • 28f2198f811bbd09be31ad51bac49ba0be5e46ebf5c617c49305bb7e274b198c
  • 04d6ed9c6d4a37401ad3c586374f169b0aa8d609710bdcf5434d39e0fd4ed9bd
  • 69e3a454c191ee38663112cf5358a54cca1229188087ed18e92bc9c59b014912
  • dc28b5e878152b5305b8d251019895caa56a7a95a68eccb89a6ecc41da8aadb9

IPs and URLs

  • 74.131[.]16
  • 118.167[.]12
  • 18.164[.]165
  • 118.164[.]195
  • 118.164[.]213
  • 202.242[.]84
  • 199.133[.]149
  • 119.170[.]124
  • 118.164[.]165
  • 236.212[.]22
  • 245.81[.]135
  • 141.27[.]211
  • hxxp://185.118.167[.]120/
  • hxxp://137.74.131[.]16:443/
  • hxxp://185.141.27[.]211:443/
  • hxxp://149.202.242[.]84:443/
  • hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/ef4f0d9af47d737076923cfccfe01ba7/layer.jpg
  • hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg
  • hxxps://snapfile[.]org/d/c7817a35554e88572b7b
  • hxxps://snapfile[.]org/d/0c88a47c3160338bbb68
  • hxxp://snapfile[.]org/756a12c43a0fb8d56fbf
  • hxxps://snapfile[.]org/5bc3985cf17565a97dbd
  • hxxps://snapfile[.]org/55e1c83e920bb7dc949c
  • hxxp://canarytokens[.]com/about/d3g23n4gdcrep20q3wzm153xn/index.html
  • hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/
  • hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp
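The network indicators above are defanged (hxxp, [.]) and mix attacker-controlled IPs with paths on shared file-hosting services, so they should not all be matched the same way. The Python below is an added example, not part of this post or of NetSecurity's products: it refangs a subset of the URLs listed above, treats IP-hosted and bare-domain indicators as host-level rules, treats indicators with a path on a domain that also serves other traffic as URL-prefix rules, and runs the result over constructed proxy log lines. The log lines, client addresses and the example.test host are constructed.

```python
import re
from urllib.parse import urlsplit

# A subset of the defanged indicators listed above (the page's own values).
DEFANGED_IOCS = [
    "hxxp://185.118.167[.]120/",
    "hxxp://137.74.131[.]16:443/",
    "hxxp://185.141.27[.]211:443/",
    "hxxp://149.202.242[.]84:443/",
    "hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg",
    "hxxps://snapfile[.]org/d/c7817a35554e88572b7b",
    "hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp",
]

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z 10.1.4.20 GET http://update.example.test/catalog.xml",
    "2024-03-01T09:12:41Z 10.1.4.20 GET http://137.74.131.16:443/",
    "2024-03-01T09:13:05Z 10.1.4.31 GET https://snapfile.org/d/c7817a35554e88572b7b",
    "2024-03-01T09:13:09Z 10.1.4.31 GET https://snapfile.org/d/0000000000000000dead",
    "2024-03-01T09:14:22Z 10.1.4.20 POST http://172.245.81.135:10196/other/beacon.jpg",
    "2024-03-01T09:15:00Z 10.1.4.44 GET http://canarytokens.com/about/",
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(indicator):
    """Reverse the hxxp / [.] defanging so the indicator parses as a URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def build_rules(defanged):
    """Split indicators into host-level rules and (host, path-prefix) rules."""
    hosts, prefixes = set(), []
    for ioc in defanged:
        parts = urlsplit(refang(ioc))
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if IPV4.match(host) or parts.path in ("", "/"):
            hosts.add(host)                        # attacker-controlled IP or bare domain
        else:
            prefixes.append((host, parts.path))    # shared service: match the path only
    return hosts, prefixes


def match_url(url, hosts, prefixes):
    """Return the indicator a URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in hosts:
        return host
    for rule_host, rule_path in prefixes:
        if host == rule_host and parts.path.startswith(rule_path):
            return rule_host + rule_path
    return None


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, url, indicator) for every log line that hits an IOC."""
    hosts, prefixes = build_rules(defanged)
    hits = []
    for number, line in enumerate(lines, start=1):
        url = line.split()[-1]
        ioc = match_url(url, hosts, prefixes)
        if ioc:
            hits.append((number, url, ioc))
    return hits


if __name__ == "__main__":
    for number, url, ioc in scan_log(SAMPLE_LOG):
        print(f"line {number}: {url} -> {ioc}")
```

Lines 2, 3 and 5 of the sample are flagged; line 4 (a different snapfile.org file id) and line 6 (an unrelated canarytokens.com path) are not, which is the point of keeping shared-service indicators at path granularity. Any request to the listed IPs is flagged whatever the path, because a new path on the same infrastructure is the usual way a second stage is served.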

How to Detect MuddyWater APT?

Cybersecurity threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cybersecurity analysts and incident responders to investigate and detect cyber threats using conventional tools and techniques. NetSecurity's ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity's ThreatResponder platform.

Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

I am an experienced and CEH-certified cybersecurity professional with expertise in incident response, forensic investigations, cyber threat intelligence, vulnerability management, and cyber threat research.

About Inno Eroraha
Dulles, Virginia
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of the ThreatResponder Platform.