Kaspersky Security has come up with a detailed look at the MuddyWater APT which targets governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) along with nearby regions (Azerbaijan, Pakistan and Afghanistan).
Although infections by it have been documented since 2017, what goes on after it infects has not previously been well documented.
It seems that the people behind it use a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.
Kaspersky says the list of tools includes:
- Nihay -- C# Download-and-Execute tool. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “cmd.exe /c”.
- LisfonService -- C# RAT. LisfonService randomly chooses a URL from a huge array of hardcoded Proxy URLs hiding the real C2 server.
- Client.py -- Python RAT. This collects basic information about the victim machine: machine name, OS name, OS version, and user name. It supports multiple commands that allow the RAT to implement basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command execution and displaying an alert message for the victim in a message box.
- Client-win.py -- SSH Python script. This PyInstaller-compiled Python script makes use of the Python paramiko plugin to create an SSH connection to its C2. It then tries a list of hard-coded user names (such as ‘cisco’, ‘root’, ‘admin’) with each of the passwords received on each of the IPs obtained in from the C&C server to authenticate SSH sessions.
- Rc.py/Rc.exe -- Basic Python RAT. This UPX-packed executable is a PyInstaller-compiled Python script (rc.py). The script receives the IP address of its C2 as parameters, connecting to it on the hard-coded port 9095. This is where the grabbing of credentials from Chrome, IE, Mozilla, Opera and Outlook would occur.
- VBScript and VBA files. It uses weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.
- Third-party scripts (like Muddy, Losi Boomber). Losi Boomber can extract credentials and history from browsers and Outlook. Muddy is another Lazagne-based script extracting credentials from mail clients and browsers. Cr.exe is a compiled Python script based on CrackMapExec, which is used for credential gathering and lateral code execution.
- Second stage PowerShell scripts are used to fetch the next stage in an infection or disable all HTTPS SSL certificate checks.
There are deceptive techniques used internally to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). Threatpost is keeping these quirks out of the public eye to aid in law enforcement operations.
One hacker board is peeved at these fellows and is doing the full online rant. They dox the leader as Farzin karimi marzeghan chai and say that the first target of Muddywater was Turkish M.I.T (the Turkish intelligence service ). They also say that, “people who once were at the head of the cyber team (MuddyWater) of the Ministry of Intelligence and are now leaving the MuddyWater with a happy imagination to other companies.”
Whatever the truth, Muddy Water seems to be both competent and dangerous.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.