Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/10/2019
03:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'MuddyWater' APT Spotted Attacking Android

Cyber espionage attack group adds mobile malware to its toolset.

KASPERSKY SECURITY ANALYST SUMMIT - Singapore - A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

The so-called MuddyWater hacking group, which has been in action since at least 2017, also has created new backdoor malware for spying on its targets, and has been spotted employing false flag tactics to throw off researchers and investigators, according to security researchers at Trend Micro, who here today shared the details of the Iranian hacking team's latest activities.

MuddyWater's attack campaigns to date have been focused on gaining access to telecom providers and government entities, initially via spear phishing emails. But despite all of the intel gathered on the gang's tactics, tools, payloads, and indicators of compromise, Trend Micro researchers Jaromir Horejsi and Daniel Lunghi said MuddyWater's actual endgame remains a mystery to them.

The Android malware is one of their latest attack tools: the researchers found three samples, two of which they believe were test code that dates back to around December 2017. They found clues that the third attack malware program may have been dropped via a compromised Turkish website and targeting victims in Afghanistan. The malware performs classic cyber espionage tasks such as gathering the devices' contacts, call logs, and SMS text messages, and can retrieve the Android's geolocation information.

"It's pretty clear that it's cyber espionage," Horejsi said. The Android malware is likely yet another spying mechanism they can use on their targets, he said.

"They start infecting the machine and maybe if they need some more information and [their victim] is using mobile apps more, they try to make them install it [the Android malware]," he said.

MuddyWater's infrastructure historically has encompassed some 30 IPs for command-and-control, six different domain names, eight different cloud service provider accounts, and 4,100 compromised WordPress servers that they use as proxies in their attacks, according to Trend's findings.

The group has successfully compromised more than 1,600 targets in 55 different organizations, according to Lunghi. "But we don't see everything," he said, so this may just be a snapshot of MuddyWater's scope, he said.

The hacking group recently swapped out its previous command-and-control infrastructure of hacked WordPress websites. That shift may be because they don't totally control the WordPress sites, and out of concern that the sites could leak information on MuddyWater campaigns and victims, according to the researchers.

False Flags & Weak OPSEC

Horejsi and Lunghi found multiple instances of the attackers posing as hackers from other regions. The attackers have written comments and debugging strings in Chinese in their backdoor Trojan code, quotes in Hebrew from famous Israelis, and even posed behind a Russian username in a rigged document's metadata, all in an apparent attempt to appear to be from anywhere but Iran.

They use three main custom backdoors: one that uses a cloud service for stealing, storing, and downloading files; a .NET-based one that runs PowerShell to upload and download files; and a Delphi-based one that captures the victim's system information.

Once the attackers successfully drop their implants, they pivot to known tools such as Meterpreter, Mimikatz, SMBmap, and other IT and security tools to blend into the network.

But MuddyWater has been a bit sloppy, too: it uses weak and breakable cryptography, and poorly configured compromised victim servers that ultimately led Trend's researchers to find more victims of the attacks.

In one case, they found in one of the malicious files a screenshot of one of the attackers' machines that exposed its browser tabs and other information.

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Related Content:

 

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ferdinand14
100%
0%
ferdinand14,
User Rank: Apprentice
4/10/2019 | 10:29:03 AM
I don't see this as an Android Attack
This story talks about a cyber espionage group that compromises web hosting systems for infrastructure and includes an Android app users can install.  I doubt this app is in the Google Play store or in any other reputable app store.  So this doesn't explit any Android vulnerabilities, it simply lures careless users into installing a malicious app.  That's the equivalent of Phishing but describing it as a platform attack seems anti-Android propaganda.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.