MuddyWater
Associated Group Descriptions |
|
Name | Description |
---|---|
MERCURY | (Citation: Anomali Static Kitten February 2021) |
Static Kitten | (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
TEMP.Zagros | (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
Mango Sandstorm | (Citation: Microsoft Threat Actor Naming July 2023) |
TA450 | (Citation: Proofpoint TA450 Phishing March 2024) |
Seedworm | (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
Earth Vetala | (Citation: Trend Micro Muddy Water March 2021) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
MuddyWater uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018) |
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
MuddyWater has used |
Enterprise | T1583 | .006 | Acquire Infrastructure: Web Services |
MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
MuddyWater has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021) |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
MuddyWater has added Registry Run key |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
MuddyWater has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
MuddyWater has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
||
.006 | Command and Scripting Interpreter: Python |
MuddyWater has developed tools in Python including Out1.(Citation: Trend Micro Muddy Water March 2021) |
||
.007 | Command and Scripting Interpreter: JavaScript |
MuddyWater has used JavaScript files to execute its POWERSTATS payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021) |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
MuddyWater has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022) |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
MuddyWater has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022) |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
MuddyWater has specifically targeted government agency employees with spearphishing e-mails.(Citation: Anomali Static Kitten February 2021) |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
MuddyWater can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021) |
Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
.002 | Inter-Process Communication: Dynamic Data Exchange |
MuddyWater has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct 2018) |
||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.(Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021) |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021) |
.004 | OS Credential Dumping: LSA Secrets |
MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) |
||
.005 | OS Credential Dumping: Cached Domain Credentials |
MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) |
||
Enterprise | T1027 | .003 | Obfuscated Files or Information: Steganography |
MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWater Nov 2018) |
.004 | Obfuscated Files or Information: Compile After Delivery |
MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky MuddyWater Nov 2018) |
||
.010 | Obfuscated Files or Information: Command Obfuscation |
MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.(Citation: Anomali Static Kitten February 2021)(Citation: group-ib_muddywater_infra) |
Enterprise | T1137 | .001 | Office Application Startup: Office Template Macros |
MuddyWater has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) (Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Proofpoint TA450 Phishing March 2024) |
.002 | Phishing: Spearphishing Link |
MuddyWater has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
||
Enterprise | T1090 | .002 | Proxy: External Proxy |
MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018) MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
MuddyWater has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.(Citation: Securelist MuddyWater Oct 2018) |
Enterprise | T1218 | .003 | System Binary Proxy Execution: CMSTP |
MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.(Citation: FireEye MuddyWater Mar 2018) |
.005 | System Binary Proxy Execution: Mshta |
MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018) |
||
.011 | System Binary Proxy Execution: Rundll32 |
MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.(Citation: Securelist MuddyWater Oct 2018) |
||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
MuddyWater has run a tool that steals passwords saved in victim email.(Citation: Symantec MuddyWater Dec 2018) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
MuddyWater has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
.002 | User Execution: Malicious File |
MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: Proofpoint TA450 Phishing March 2024) |
||
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
MuddyWater has used web services including OneHub to distribute remote access tools.(Citation: Anomali Static Kitten February 2021) |
References
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
- Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
- Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.