MuddyWater blending in the crowd

guest · Apr 29, 2019

I know what you did last summer, MuddyWater blending in the crowd
April 29, 2019
https://securelist.com/muddywaters-arsenal/90659/

MuddyWater first surfaced in 2017 and has been active continuously, targeting a large number of organizations. First stage infections and graphical decoys have been described by multiple sources, including in our previous research: “MuddyWater expands operations“

Nevertheless, comprehensive details of what happens after the initial infection by MuddyWater have not previously been made publicly available. MuddyWater attackers deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to implement their attacks and complete their victim infiltration and data exfiltration.

One of MuddyWater’s preferred infection vectors is the use of weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.
We detected MuddyWater making extensive use of PowerShell scripts for different purposes [...]
Conclusion
The attackers seem to be reasonably well-equipped for their goals, with relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based tools.
Click to expand...

guest · May 20, 2019

MuddyWater Hacking Group Upgrades Arsenal to Avoid Detection
May 20, 2019
https://www.bleepingcomputer.com/ne...ng-group-upgrades-arsenal-to-avoid-detection/

The MuddyWater threat group has been updating its tactics, techniques, and procedures (TTPs) to include a number of new anti-detection techniques designed to provide remote access to compromised systems while evading detection as part of a new campaign dubbed BlackWater.

During the BlackWater campaign, however, they made use of a PowerShell stager script which would download a PowerShell-based Trojan from an actor-controlled C2 server with host enumeration components partly based on the open source FruityC2 post-exploitation framework.
This Trojan payload is the one which starts enumerating and collecting machine information, immediately sending it to a different C2 server as part of the data in the URL field

As the researchers found out, MuddyWater also made some extra efforts to avoid detection after successfully compromising a target by trying to avoid Yara rules and host-based signatures by modifying their tools, replacing variable names while still maintaining their malicious implants overall functionality and structure.
Click to expand...

Cisco Talos: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

guest · Jun 6, 2019

Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
June 6, 2019
https://www.clearskysec.com/muddywater2/

MuddyWater (aka SeedWorm/Temp.Zagros) is a high-profile Advanced Persistent Threat (APT) actor sponsored by Iran. The group was first observed in 2017, and since has operated multiple global espionage campaigns.

The group targets a wide gamut of sectors, including governmental, military, telecommunication, and academia. In the past months, Clearsky had monitored and detected malicious files of each one of these TTPs – decoy Microsoft software with embedded Macros; and documents exploiting vulnerability CVE-2017-0199. This is the first time MuddyWater has used these two vectors in conjunction.

By analyzing the Rana documents, it appears that the MOIS attack teams are divided in to two branches, each with different purposes.
The first is the espionage team that specialize with hacking systems, while the other is the social engineering team that compromises assets via social engineering and spear-phishing methods. Clearsky assessment is that MuddyWater is likely the latter group.
Click to expand...

Full report (PDF - 1.98 MB): https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf

guest · Feb 26, 2020

Iranian APT Targets Govs With New Malware
February 26, 2020
https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/

A never before seen credential-stealing malware, dubbed ForeLord, has been uncovered in recent spear phishing emails. Researchers have attributed the campaign to a known Iranian advanced persistence threat (APT) group.

The emails distributing ForeLord were uncovered as part of a campaign, running between mid-2019 and mid-January 2020. The emails were targeting organizations in Turkey, Jordan, Iraq, as well as global government organizations and unknown entities in Georgia and Azerbaijan, researchers said Wednesday at the RSA Conference, which takes place this week.
Citing victimology and code similarity between the macros in analyzed samples, and macros documented in open-source reporting, researchers have attributed the campaign to the Cobalt Ulster threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten).

“Cobalt Ulster is an active threat group whose operations are continuous. We believe this adversary is still actively working towards achieving their strategic objectives,” Allison Wikoff, senior security researcher at Secureworks told Threatpost.
Click to expand...

As part of the campaign, researchers observed multiple emails using malicious attachments to gain initial access.

“Specifically, this tactic employs a generic ‘Enable Macro’ prompt to view the document contents. If the victim does this, the malicious code is executed. This tactic is not unique to Cobalt Ulster.”
ForeLord is so named because once the malware connects to the command and control (C2) servers, it receives a string of code that says “lordlordlordlord,” indicating that its messages have been received by the C2.

Once downloaded, ForeLord drops several tools used to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network.
Click to expand...

Secureworks: Business as Usual For Iranian Operations Despite Increased Tensions

guest · Dec 28, 2020

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
December 28, 2020
https://www.bleepingcomputer.com/ne...culates-cobalt-strike-payload-from-imgur-pic/

A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

Multiple researchers have potentially linked this strain to MuddyWater (aka SeedWorm and TEMP.Zagros), a government-backed advanced persistent threat (APT) group, first observed in 2017 while mainly targeting Middle Eastern entities.
Word macro spins up PowerShell script hosted on GitHub
This week researcher Arkbird has shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.
Click to expand...

The emergence of this evasive malware strain around the holiday season gains adversaries another advantage: to mask their footsteps when most staff is likely to be away and less vigilant.

While authoritative attribution is challenging given the possibility of copycat attacks, security researcher Florian Roth from Nextron Systems has added the Indicators of Compromise (IOCs) associated with this malware to MuddyWater IOCs list.
The researcher has also provided YARA rules that can be used to detect the variant in your environment.
Click to expand...

guest · Sep 3, 2022

Iran-Based MuddyWater Targets Log4j 2 Vulnerabilities in SysAid Apps in Israel
By Alessandro Mascellino @a_mascellino - August 26, 2022

Iran-based threat actor MuddyWater (tracked by Microsoft as MERCURY) has been leveraging the exploitation of Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.

The news comes from a new advisory from Microsoft's security researchers, who said on Thursday they could assess with high confidence that MERCURY's observed activity was affiliated with Iran's Ministry of Intelligence and Security (MOIS).

"On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector," Microsoft wrote. "Based on observations from past campaigns and vulnerabilities found in target environments, [we] assess that the exploits used were most likely related to Log4j 2."
Click to expand...

In fact, the novel campaign spotted by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team differs from previous MERCURY ones as it is the first one in which the group exploits SysAid apps as a vector for initial access.

"After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack," reads the advisory.
Microsoft also included a list of common techniques and tooling used by MERCURY, which include spearphishing, alongside programs such as the Venom proxy tool, the Ligolo reverse tunneling technique and home-grown PowerShell programs.
Click to expand...

Microsoft is not the first entity associating MERCURY with Iranian state actors. Earlier this year, both U.K. and U.S. governments issued warnings connecting the group with the state's MOIS.
Click to expand...

Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now.
This blog details Microsoft’s analysis of observed MERCURY activity and related tools used in targeted attacks.
Click to expand...

Log in or Sign up

MuddyWater blending in the crowd

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

MuddyWater blending in the crowd

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches