Mori

Mori is a backdoor that has been used by MuddyWater since at least January 2022.^[1]^[2]

ID: S1047

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Ozer Sarilar, @ozersarilar, STM

Version: 1.0

Created: 30 September 2022

Last Modified: 17 October 2022

Techniques Used

Domain	ID		Name	Use
Enterprise	T1112		修改注册表	Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values.^[1]^[2]
Enterprise	T1140		反混淆/解码文件或信息	Mori can resolve networking APIs from strings that are ADD-encrypted.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.^[1]
		.004	应用层协议: DNS	Mori can use DNS tunneling to communicate with C2.^[1]^[2]
Enterprise	T1001	.001	数据混淆: Junk Data	Mori has obfuscated the FML.dll with 200MB of junk data.^[1]
Enterprise	T1132	.001	数据编码: Standard Encoding	Mori can use Base64 encoded JSON libraries used in C2.^[1]
Enterprise	T1012		查询注册表	Mori can read data from the Registry including from `HKLM\Software\NFC\IPA` and`HKLM\Software\NFC\`.^[1]
Enterprise	T1070	.004	移除指标: File Deletion	Mori can delete its DLL file and related files by Registry value.^[1]
Enterprise	T1218	.010	系统二进制代理执行: Regsvr32	Mori can use `regsvr32.exe` for DLL execution.^[1]

Groups That Use This Software

ID	Name	References
G0069	MuddyWater	^[1]

References

FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.

Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.