Threat Intelligence

4/10/2019
03:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'MuddyWater' APT Spotted Attacking Android

Cyber espionage attack group adds mobile malware to its toolset.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

The so-called MuddyWater hacking group, which has been in action since at least 2017, also has created new backdoor malware for spying on its targets, and has been spotted employing false flag tactics to throw off researchers and investigators, according to security researchers at Trend Micro, who here today shared the details of the Iranian hacking team's latest activities.

MuddyWater's attack campaigns to date have been focused on gaining access to telecom providers and government entities, initially via spear phishing emails. But despite all of the intel gathered on the gang's tactics, tools, payloads, and indicators of compromise, Trend Micro researchers Jaromir Horejsi and Daniel Lunghi said MuddyWater's actual endgame remains a mystery to them.

The Android malware is one of their latest attack tools: the researchers found three samples, two of which they believe were test code that dates back to around December 2017. They found clues that the third attack malware program may have been dropped via a compromised Turkish website and targeting victims in Afghanistan. The malware performs classic cyber espionage tasks such as gathering the devices' contacts, call logs, and SMS text messages, and can retrieve the Android's geolocation information.

"It's pretty clear that it's cyber espionage," Horejsi said. The Android malware is likely yet another spying mechanism they can use on their targets, he said.

"They start infecting the machine and maybe if they need some more information and [their victim] is using mobile apps more, they try to make them install it [the Android malware]," he said.

MuddyWater's infrastructure historically has encompassed some 30 IPs for command-and-control, six different domain names, eight different cloud service provider accounts, and 4,100 compromised WordPress servers that they use as proxies in their attacks, according to Trend's findings.

The group has successfully compromised more than 1,600 targets in 55 different organizations, according to Lunghi. "But we don't see everything," he said, so this may just be a snapshot of MuddyWater's scope, he said.

The hacking group recently swapped out its previous command-and-control infrastructure of hacked WordPress websites. That shift may be because they don't totally control the WordPress sites, and out of concern that the sites could leak information on MuddyWater campaigns and victims, according to the researchers.

False Flags & Weak OPSEC

Horejsi and Lunghi found multiple instances of the attackers posing as hackers from other regions. The attackers have written comments and debugging strings in Chinese in their backdoor Trojan code, quotes in Hebrew from famous Israelis, and even posed behind a Russian username in a rigged document's metadata, all in an apparent attempt to appear to be from anywhere but Iran.

They use three main custom backdoors: one that uses a cloud service for stealing, storing, and downloading files; a .NET-based one that runs PowerShell to upload and download files; and a Delphi-based one that captures the victim's system information.

Once the attackers successfully drop their implants, they pivot to known tools such as Meterpreter, Mimikatz, SMBmap, and other IT and security tools to blend into the network.

But MuddyWater has been a bit sloppy, too: it uses weak and breakable cryptography, and poorly configured compromised victim servers that ultimately led Trend's researchers to find more victims of the attacks.

In one case, they found in one of the malicious files a screenshot of one of the attackers' machines that exposed its browser tabs and other information.

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ferdinand14
100%
0%
ferdinand14,
User Rank: Apprentice
4/10/2019 | 10:29:03 AM
I don't see this as an Android Attack
This story talks about a cyber espionage group that compromises web hosting systems for infrastructure and includes an Android app users can install.  I doubt this app is in the Google Play store or in any other reputable app store.  So this doesn't explit any Android vulnerabilities, it simply lures careless users into installing a malicious app.  That's the equivalent of Phishing but describing it as a platform attack seems anti-Android propaganda.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18643
PUBLISHED: 2019-04-25
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
CVE-2018-19359
PUBLISHED: 2019-04-25
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
CVE-2019-11488
PUBLISHED: 2019-04-25
Incorrect Access Control in the Account Access / Password Reset Link in SimplyBook.me Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.
CVE-2019-11489
PUBLISHED: 2019-04-25
Incorrect Access Control in the Administrative Management Interface in SimplyBook.me Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI.
CVE-2019-3720
PUBLISHED: 2019-04-25
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability. A remote authenticated malicious user with admin privileges could potentially exploit this vulnerability to gain unauthorized access to the file system by exploiting insufficient san...