Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Larry Loeb
Larry Loeb
Larry Loeb

MuddyWater: The Dissection of an APT

Kaspersky Security has taken a deep dive into MuddyWater.

Kaspersky Security has come up witha detailed look at the MuddyWater APT which targets governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) along with nearby regions (Azerbaijan, Pakistan and Afghanistan).

Although infections by it have been documented since 2017, what goes on after it infects has not previously been well documented. It seems that the people behind it use a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.

Kaspersky says the list of tools includes:

  • Nihay -- C# Download-and-Execute tool. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “command.exe /c”.
  • LisfonService -- C# RAT. LisfonService randomly chooses a URL from a huge array of hardcoded Proxy URLs hiding the real C2 server.
  • Client.py -- Python RAT. This collects basic information about the victim machine: machine name, OS name, OS version, and user name. It supports multiple commands that allow the RAT to implement basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command execution and displaying an alert message for the victim in a message box.
  • Client-win.py -- SSH Python script. This PyInstaller-compiled Python script makes use of the Python paramiko plugin to create an SSH connection to its C2. It then tries a list of hard-coded user names (such as ‘cisco’, ‘root’, ‘admin’) with each of the passwords received on each of the IPs obtained in from the C&C server to authenticate SSH sessions.
  • Rc.py/Rc.exe -- Basic Python RAT. This UPX-packed executable is a PyInstaller-compiled Python script (rc.py). The script receives the IP address of its C2 as parameters, connecting to it on the hard-coded port 9095. This is where the grabbing of credentials from Chrome, IE, Mozilla, Opera and Outlook would occur.
  • VBScript and VBA files. It uses weaponized macro-enabled Office 97-2003 Word documents. Its malicious VBA code includes a Base64-encoded payload.
  • Third-party scripts (like Muddy, Losi Boomber). Losi Boomber can extract credentials and history from browsers and Outlook. Muddy is another Lazagne-based script extracting credentials from mail clients and browsers. Cr.exe is a compiled Python script based on CrackMapExec, which is used for credential gathering and lateral code execution.
  • Second stage PowerShell scripts are used to fetch the next stage in an infection or disable all HTTPS SSL certificate checks.

There are deceptive techniques used internally to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). Threatpost is keeping these quirks out of the public eye to aid in law enforcement operations.

One hacker board is peeved at these fellows and is doing the full online rant. They dox the leader as Farzin karimi marzeghan chai and say that the first target of Muddywater was Turkish M.I.T (the Turkish intelligence service ). They also say that, “people who once were at the head of the cyber team (MuddyWater) of the Ministry of Intelligence and are now leaving the MuddyWater with a happy imagination to other companies.” Whatever the truth, Muddy Water seems to be both competent and dangerous.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.