TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

United States Cyber Command (USCYBERCOM) issued an alert today (January 13, 2022),  reporting malicious cyber operations by Iranian MOIS (Ministry of Intelligence and Security) sponsored MuddyWater APT (advanced persistent threat) group.

MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.

In this attack campaign, the MuddyWater cyber-espionage group mainly uses the PowGoop DLL Loader and Mori Backdoor. The next session explains how the threat actor leverages them in target networks.

Attack Chain of the PowGoop DLL Loader

1. The legitimate GoogleUpdate.exe loads the legitimate goopdate86.dll binary into memory.

2. goopdate86.dll loads the malicious goopdate.dll (the first loader of PowGoop) into memory using the DLL side-loading technique. MuddyWater also uses libpcre2-8-0.dll and vcruntime140.dll names for this first loader.

3. Loaded goopdate.dll executes rundll32.exe with the DllRegisterServer parameter.

4. The malicious goopdate.dll's export DllRegisterServer is executed, which loads the second loader goopdate.dat into memory. goopdate.dat is an obfuscated PowerShell script.

5. goopdate.dll de-obfuscates and executes goopdate.dat. Then, goopdate.dat de-obfuscates and runs config.txt, which is actually another obfuscated PowerShell script.

6. The encoded config.txt PowerShell script then establishes a connection to the PowGoop Command and Control (C2) server using a modified base64 encoding mechanism. It works as a downloader, waiting for additional payloads. Often, the IP address of the C2 server is hardcoded in config.txt. By utilizing the Google Update service, goopdate.dll conceals communications with C2 servers.

Test your security controls now: Simulate MuddyWater attacks with Picus

TTPs Used by the MuddyWater APT Group in the New Attack Campaign

The MuddyWater hacking group uses the following tactics, techniques, and procedures (TTPs) in its new attack campaign:

Tactic: Execution

MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell

The MuddyWater APT group uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads.

Tactic: Defense Evasion

MITRE ATT&CK T1027 Obfuscated Files or Information

MuddyWater leverages obfuscated PowerShell scripts to evade defenses.

MITRE ATT&CK T1036 Masquerading

The PowGoop DLL Loader used by the MuddyWater cyber espionage group impersonates the legitimate goopdate86.dll file used by the Google Update mechanism.

MITRE ATT&CK T1574.002 Hijack Execution Flow: DLL Side-Loading

The MuddyWater threat group utilizes DLL side-loading to trick legitimate programs (GoogleUpdate.exe and goopdate86.dll) into running its malicious DLL payloads (goopdate.dll). 

Tactic: Command and Control

MITRE ATT&CK T1132 Data Encoding: Non-Standard Encoding 

The MuddyWater threat group's  PowGoop malware communicates with the C2 server using a modified base64 encoding technique.

MITRE ATT&CK T1572 Protocol Tunneling

The Mori Backdoor utilized by MuddyWater threat actors uses DNS tunneling to communicate with its C2 infrastructure.

MuddyWater APT Group Attacks in Picus Threat Library

Picus Threat Library consists of 71 threats of the MuddyWater threat group, including the following malware: 

  • Covicli Backdoor
  • Delphstats Backdoor
  • Empire Post-Exploitation Framework
  • Koadic RAT (Remote Access Trojan)
  • LaZagne Credential Dumper
  • Mimikatz Credential Dumper
  • PassDump Infostealer 
  • POWERSTATS (PowerMud) Backdoor
  • PowGoop Loader
  • Sharpstats Backdoor
  • SSF.MX Backdoor

Test your security controls now: Simulate MuddyWater attacks with Picus

Indicators of Compromises

SHA-256 Hashes

  • goopdate.dll - First loader of PowGoop
    12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa
  • vcruntime140.dll - First loader of PowGoop
    dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92
  • libpcre2-8-0.dll - First loader of PowGoop
    9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051
  • goopdate.dat - Second loader of PowGoop
    2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82
    7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4
    b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504
    e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13
  • config.txt - Encoded PowerShell downloader
    255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a
    5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f
    9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7
    9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2
    b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a
    ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9
    e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca
  • JavaScript files - Issues  GET requests to C2 servers
    b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
    42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986
  • Other Files
    3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8