
USCYBERCOM has officially linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.
The experts named the campaign ‘MuddyWater’ because of the confusion surrounding attribution of a wave of attacks that, to date, has targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.
MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. The actors known in industry as MuddyWater are part of the groups conducting Iranian intelligence activities and have been seen using a variety of techniques to maintain access to victim networks. MuddyWater is a subordinate element within MOIS.
The uploaded samples include multiple variants of the PowGoop loader, JavaScript files deployed using PowGoop, and a Mori backdoor sample.
MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command-and-control functions.
The researchers also discovered an interesting subset of activity targeting the Exchange servers of high-profile organizations. This Exchange exploitation activity is notable because its reliance on publicly available offensive security tools makes it difficult to attribute to MuddyWater. The attackers attempt to exploit Exchange servers using two different tools.
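A defender-side sweep for the DLL side-loading pattern described above, as an added example (not code from the post or from USCYBERCOM): it flags DLLs that sit beside an executable under the name of a system DLL but do not match the trusted System32 copy, and files whose SHA256 appears in an IOC set. The in-memory file system, file contents and IOC set are constructed placeholders; the IOC set is where the SHA256 values from the post's IOC section would go.

```python
import hashlib
from collections import defaultdict
from pathlib import PureWindowsPath

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed in-memory file system (path -> contents), standing in for a
# real disk walk. The System32 copy of vcruntime140.dll is the trusted
# baseline; the copy beside updater.exe differs from it.
SAMPLE_FS = {
    r"C:\Windows\System32\vcruntime140.dll": b"MZ genuine runtime (constructed)",
    r"C:\Windows\System32\kernel32.dll": b"MZ genuine kernel32 (constructed)",
    r"C:\ProgramData\Updater\updater.exe": b"MZ legitimate updater (constructed)",
    r"C:\ProgramData\Updater\Vcruntime140.dll": b"MZ DLL shadowing the runtime (constructed)",
    r"C:\ProgramData\Updater\Core.dat": b"opaque .dat sample (constructed)",
    r"C:\Program Files\Clean\app.exe": b"MZ clean app (constructed)",
    r"C:\Program Files\Clean\vcruntime140.dll": b"MZ genuine runtime (constructed)",
}

# Placeholder IOC set: populate it with the SHA256 values from the post's IOC
# section. Here it is seeded from the constructed Core.dat so that the
# hash-match branch is exercised.
IOC_SHA256 = {sha256(SAMPLE_FS[r"C:\ProgramData\Updater\Core.dat"])}

def find_findings(fs, trusted_dir=r"C:\Windows\System32", ioc_hashes=IOC_SHA256):
    """Return (path, reason) pairs: IOC hash hits, and DLLs that sit beside an
    executable under a system DLL's name but differ from the trusted copy."""
    trusted_root = PureWindowsPath(trusted_dir)
    trusted = {PureWindowsPath(p).name.lower(): sha256(b)
               for p, b in fs.items() if PureWindowsPath(p).parent == trusted_root}
    by_dir = defaultdict(list)  # directory -> [(original path string, PureWindowsPath)]
    for p in fs:
        by_dir[PureWindowsPath(p).parent].append((p, PureWindowsPath(p)))
    findings = []
    for directory, entries in by_dir.items():
        if directory == trusted_root:
            continue  # the baseline directory is not itself a side-loading location
        has_exe = any(w.suffix.lower() == ".exe" for _, w in entries)
        for p, w in entries:
            digest = sha256(fs[p])
            if digest in ioc_hashes:
                findings.append((p, "SHA256 matches a published PowGoop IOC"))
            name = w.name.lower()
            if has_exe and w.suffix.lower() == ".dll" and name in trusted and trusted[name] != digest:
                findings.append((p, f"{w.name} beside an executable differs from the {trusted_dir} copy"))
    return findings

if __name__ == "__main__":
    for path, reason in find_findings(SAMPLE_FS):
        print(f"{path}: {reason}")
```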
Indicators of Compromise
PowGoop variants (MD5, SHA1, SHA256)
MITRE ATT&CK
T1190 – Exploit Public-Facing Application
T1572 – Protocol Tunneling
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
T1059.001 – Command and Scripting Interpreter: PowerShell
T1505.003 – Server Software Component: Web Shell
T1220 – XSL Script Processing