Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/10/2019
03:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'MuddyWater' APT Spotted Attacking Android

Cyber espionage attack group adds mobile malware to its toolset.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

The so-called MuddyWater hacking group, which has been in action since at least 2017, also has created new backdoor malware for spying on its targets, and has been spotted employing false flag tactics to throw off researchers and investigators, according to security researchers at Trend Micro, who here today shared the details of the Iranian hacking team's latest activities.

MuddyWater's attack campaigns to date have been focused on gaining access to telecom providers and government entities, initially via spear phishing emails. But despite all of the intel gathered on the gang's tactics, tools, payloads, and indicators of compromise, Trend Micro researchers Jaromir Horejsi and Daniel Lunghi said MuddyWater's actual endgame remains a mystery to them.

The Android malware is one of their latest attack tools: the researchers found three samples, two of which they believe were test code that dates back to around December 2017. They found clues that the third attack malware program may have been dropped via a compromised Turkish website and targeting victims in Afghanistan. The malware performs classic cyber espionage tasks such as gathering the devices' contacts, call logs, and SMS text messages, and can retrieve the Android's geolocation information.

"It's pretty clear that it's cyber espionage," Horejsi said. The Android malware is likely yet another spying mechanism they can use on their targets, he said.

"They start infecting the machine and maybe if they need some more information and [their victim] is using mobile apps more, they try to make them install it [the Android malware]," he said.

MuddyWater's infrastructure historically has encompassed some 30 IPs for command-and-control, six different domain names, eight different cloud service provider accounts, and 4,100 compromised WordPress servers that they use as proxies in their attacks, according to Trend's findings.

The group has successfully compromised more than 1,600 targets in 55 different organizations, according to Lunghi. "But we don't see everything," he said, so this may just be a snapshot of MuddyWater's scope, he said.

The hacking group recently swapped out its previous command-and-control infrastructure of hacked WordPress websites. That shift may be because they don't totally control the WordPress sites, and out of concern that the sites could leak information on MuddyWater campaigns and victims, according to the researchers.

False Flags & Weak OPSEC

Horejsi and Lunghi found multiple instances of the attackers posing as hackers from other regions. The attackers have written comments and debugging strings in Chinese in their backdoor Trojan code, quotes in Hebrew from famous Israelis, and even posed behind a Russian username in a rigged document's metadata, all in an apparent attempt to appear to be from anywhere but Iran.

They use three main custom backdoors: one that uses a cloud service for stealing, storing, and downloading files; a .NET-based one that runs PowerShell to upload and download files; and a Delphi-based one that captures the victim's system information.

Once the attackers successfully drop their implants, they pivot to known tools such as Meterpreter, Mimikatz, SMBmap, and other IT and security tools to blend into the network.

But MuddyWater has been a bit sloppy, too: it uses weak and breakable cryptography, and poorly configured compromised victim servers that ultimately led Trend's researchers to find more victims of the attacks.

In one case, they found in one of the malicious files a screenshot of one of the attackers' machines that exposed its browser tabs and other information.

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ferdinand14
100%
0%
ferdinand14,
User Rank: Apprentice
4/10/2019 | 10:29:03 AM
I don't see this as an Android Attack
This story talks about a cyber espionage group that compromises web hosting systems for infrastructure and includes an Android app users can install.  I doubt this app is in the Google Play store or in any other reputable app store.  So this doesn't explit any Android vulnerabilities, it simply lures careless users into installing a malicious app.  That's the equivalent of Phishing but describing it as a platform attack seems anti-Android propaganda.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12253
PUBLISHED: 2019-05-21
my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting.
CVE-2019-12250
PUBLISHED: 2019-05-21
IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log.
CVE-2019-12251
PUBLISHED: 2019-05-21
sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.
CVE-2019-10319
PUBLISHED: 2019-05-21
A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.
CVE-2019-10320
PUBLISHED: 2019-05-21
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.