August 15, 2022

TheCyberThrone

Thinking Security ! Always

MuddyWater Officially Tied to Iran MOIS 🇮🇷

USCYBERCOM has officially linked MuddyWater to Iran's Ministry of Intelligence and Security (MOIS). The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts called the campaign 'MuddyWater' because of the confusion in attributing a wave of attacks that, to date, has targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.


MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks. MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

The samples that were uploaded include multiple variants of the PowGoop loader, JavaScript files deployed through PowGoop, and a Mori backdoor sample.


MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.

The researchers discovered an interesting subset of activity targeting the Exchange servers of high-profile organizations. This subset is notable because its reliance on publicly available offensive security tools makes it difficult to attribute to MuddyWater. The attackers attempt to exploit Exchange servers using two different tools.

Indicators of Compromise

PowGoop variants (MD5, SHA1, SHA256)

Goopdate.dll



Vcruntime140.dll


Core.dat


Dore.dat

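A triage script for the indicator list above, added here as an example; it is not part of the original post or of any USCYBERCOM release. It assumes the published MD5/SHA-1/SHA-256 values are pasted into IOC_HASHES (left as an empty placeholder) and that it is run over a directory tree; a digest match is a high-confidence hit, while a watched component name with an unknown digest is only a lead, since a recompiled PowGoop variant keeps the side-loaded file name but not the hash.

```python
import hashlib
import os

# Component file names from the indicator list, matched case-insensitively
# as Windows file systems are.
WATCHED_NAMES = {"goopdate.dll", "vcruntime140.dll", "core.dat", "dore.dat"}

# PLACEHOLDER: fill with the published MD5/SHA-1/SHA-256 hex digests,
# lower-case. Deliberately left empty in this example.
IOC_HASHES = set()


def file_digests(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of one file, read once."""
    hashers = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)


def classify(path, iocs=None):
    """Return 'hash-match', 'name-match' or None for one file."""
    iocs = IOC_HASHES if iocs is None else iocs
    watched = os.path.basename(path).lower() in WATCHED_NAMES
    # Hash every file (not only watched names) so a renamed sample is caught.
    if iocs and any(d in iocs for d in file_digests(path)):
        return "hash-match"
    return "name-match" if watched else None


def scan_tree(root, iocs=None):
    """Walk root and return [(path, verdict)] for every flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                verdict = classify(path, iocs)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if verdict:
                hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    import sys
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:10s} {path}")
```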


MITRE ATT&CK

T1190 – Exploit Public-Facing Application
T1572 – Protocol Tunneling
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
T1059.001 – Command and Scripting Interpreter: PowerShell
T1505.003 – Server Software Component: Web Shell
T1220 – XSL Script Processing
