MuddyWater: The Dissection of an APT

Kaspersky Security has taken a deep dive into MuddyWater.

Larry Loeb, Blogger, Informationweek

May 2, 2019

3 Min Read

Kaspersky Security has come up witha detailed look at the MuddyWater APT which targets governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) along with nearby regions (Azerbaijan, Pakistan and Afghanistan).

Although infections by it have been documented since 2017, what goes on after it infects has not previously been well documented. It seems that the people behind it use a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.

Kaspersky says the list of tools includes:

  • Nihay -- C# Download-and-Execute tool. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “command.exe /c”.

  • LisfonService -- C# RAT. LisfonService randomly chooses a URL from a huge array of hardcoded Proxy URLs hiding the real C2 server.

  • Client.py -- Python RAT. This collects basic information about the victim machine: machine name, OS name, OS version, and user name. It supports multiple commands that allow the RAT to implement basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command execution and displaying an alert message for the victim in a message box.

  • Client-win.py -- SSH Python script. This PyInstaller-compiled Python script makes use of the Python paramiko plugin to create an SSH connection to its C2. It then tries a list of hard-coded user names (such as ‘cisco’, ‘root’, ‘admin’) with each of the passwords received on each of the IPs obtained in from the C&C server to authenticate SSH sessions.

  • Rc.py/Rc.exe -- Basic Python RAT. This UPX-packed executable is a PyInstaller-compiled Python script (rc.py). The script receives the IP address of its C2 as parameters, connecting to it on the hard-coded port 9095. This is where the grabbing of credentials from Chrome, IE, Mozilla, Opera and Outlook would occur.

  • VBScript and VBA files. It uses weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.

  • Third-party scripts (like Muddy, Losi Boomber). Losi Boomber can extract credentials and history from browsers and Outlook. Muddy is another Lazagne-based script extracting credentials from mail clients and browsers. Cr.exe is a compiled Python script based on CrackMapExec, which is used for credential gathering and lateral code execution.

  • Second stage PowerShell scripts are used to fetch the next stage in an infection or disable all HTTPS SSL certificate checks.

There are deceptive techniques used internally to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). Threatpost is keeping these quirks out of the public eye to aid in law enforcement operations.

One hacker board is peeved at these fellows and is doing the full online rant. They dox the leader as Farzin karimi marzeghan chai and say that the first target of Muddywater was Turkish M.I.T (the Turkish intelligence service ). They also say that, “people who once were at the head of the cyber team (MuddyWater) of the Ministry of Intelligence and are now leaving the MuddyWater with a happy imagination to other companies.” Whatever the truth, Muddy Water seems to be both competent and dangerous.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

See more from Larry Loeb
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Empty hospital hallway
Cyberattacks & Data Breaches
Ascension Healthcare Suffers Major CyberattackAscension Healthcare Suffers Major Cyberattack
byNathan Eddy, Contributing Writer
May 10, 2024
3 Min Read
Black noodles with tomatoes on top
Cyberattacks & Data Breaches
500 Victims In, Black Basta Reinvents With Novel Vishing Strategy500 Victims In, Black Basta Reinvents With Novel Vishing Strategy
byNate Nelson, Contributing Writer
May 13, 2024
4 Min Read
Wireless Internet symbol on a cellphone being held in a hand
Endpoint Security
Flaw in Wi-Fi Standard Can Enable SSID Confusion AttacksFlaw in Wi-Fi Standard Can Enable SSID Confusion Attacks
byJai Vijayan, Contributing Writer
May 15, 2024
4 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events