United States Cyber Command (USCYBERCOM) issued an alert today (January 13, 2022), reporting malicious cyber operations by Iranian MOIS (Ministry of Intelligence and Security) sponsored MuddyWater APT (advanced persistent threat) group.
MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.
In this attack campaign, the MuddyWater cyber-espionage group mainly uses the PowGoop DLL Loader and the Mori Backdoor. The next section explains how the threat actor leverages them in target networks.
Attack Chain of the PowGoop DLL Loader
1. The legitimate GoogleUpdate.exe loads the legitimate goopdate86.dll binary into memory.
2. goopdate86.dll loads the malicious goopdate.dll (the first loader of PowGoop) into memory using the DLL side-loading technique. MuddyWater also uses libpcre2-8-0.dll and vcruntime140.dll names for this first loader.
3. Loaded goopdate.dll executes rundll32.exe with the DllRegisterServer parameter.
4. The malicious goopdate.dll's export DllRegisterServer is executed, which loads the second loader goopdate.dat into memory. goopdate.dat is an obfuscated PowerShell script.
5. goopdate.dll de-obfuscates and executes goopdate.dat. Then, goopdate.dat de-obfuscates and runs config.txt, which is actually another obfuscated PowerShell script.
6. The encoded config.txt PowerShell script then establishes a connection to the PowGoop Command and Control (C2) server using a modified base64 encoding mechanism. It works as a downloader, waiting for additional payloads. Often, the IP address of the C2 server is hardcoded in config.txt. By utilizing the Google Update service, goopdate.dll conceals communications with C2 servers.
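The chain above leaves two observable artifacts on the endpoint: an unsigned DLL with one of the PowGoop loader names loaded into GoogleUpdate.exe, and rundll32.exe launched by GoogleUpdate.exe with DllRegisterServer on its command line. The following detection logic is an added example, not code from the original post or from Picus; the event records are a constructed, Sysmon-like subset and the field names (`event`, `image`, `parent_image`, `command_line`, `image_loaded`, `signed`) are assumptions.

```python
"""Flag the PowGoop side-loading chain in process-create / image-load telemetry."""
from pathlib import PureWindowsPath

# File names the post lists for the first PowGoop loader.
POWGOOP_LOADER_NAMES = {"goopdate.dll", "vcruntime140.dll", "libpcre2-8-0.dll"}


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect_powgoop_chain(events):
    """Return (rule, event) pairs for records matching the PowGoop chain.

    Rule 1: unsigned DLL with a PowGoop loader name loaded into GoogleUpdate.exe
            (DLL side-loading, T1574.002, masquerading as goopdate86.dll, T1036).
    Rule 2: rundll32.exe spawned by GoogleUpdate.exe with DllRegisterServer on the
            command line (step 3 of the chain).
    """
    findings = []
    for ev in events:
        if ev["event"] == "image_load":
            if (_name(ev["image"]) == "googleupdate.exe"
                    and _name(ev["image_loaded"]) in POWGOOP_LOADER_NAMES
                    and not ev.get("signed", False)):
                findings.append(("unsigned_powgoop_loader_in_googleupdate", ev))
        elif ev["event"] == "process_create":
            if (_name(ev["image"]) == "rundll32.exe"
                    and _name(ev["parent_image"]) == "googleupdate.exe"
                    and "dllregisterserver" in ev["command_line"].lower()):
                findings.append(("rundll32_dllregisterserver_from_googleupdate", ev))
    return findings


# Constructed sample telemetry: a benign signed load, a side-loaded loader, the rundll32 launch.
GOOGLE_UPDATE = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
SAMPLE_EVENTS = [
    {"event": "image_load", "image": GOOGLE_UPDATE,
     "image_loaded": r"C:\Program Files (x86)\Google\Update\goopdate86.dll", "signed": True},
    {"event": "image_load", "image": GOOGLE_UPDATE,
     "image_loaded": r"C:\Program Files (x86)\Google\Update\goopdate.dll", "signed": False},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": GOOGLE_UPDATE,
     "command_line": r'rundll32.exe "C:\Program Files (x86)\Google\Update\goopdate.dll",DllRegisterServer'},
]

if __name__ == "__main__":
    for rule, ev in detect_powgoop_chain(SAMPLE_EVENTS):
        print(rule, "->", ev.get("image_loaded") or ev.get("command_line"))
```

A legitimately signed vcruntime140.dll in the same directory is not flagged, so the signature check is what keeps Rule 1 from firing on every Visual C++ runtime load.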
TTPs Used by the MuddyWater APT Group in the New Attack Campaign
The MuddyWater hacking group uses the following tactics, techniques, and procedures (TTPs) in its new attack campaign:
Tactic: Execution
MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
The MuddyWater APT group uses PowerShell commands to connect to its Command and Control (C2) server and download additional payloads.
Tactic: Defense Evasion
MITRE ATT&CK T1027 Obfuscated Files or Information
MuddyWater leverages obfuscated PowerShell scripts to evade defenses.
MITRE ATT&CK T1036 Masquerading
The PowGoop DLL Loader used by the MuddyWater cyber espionage group impersonates the legitimate goopdate86.dll file used by the Google Update mechanism.
MITRE ATT&CK T1574.002 Hijack Execution Flow: DLL Side-Loading
The MuddyWater threat group utilizes DLL side-loading to trick legitimate programs (GoogleUpdate.exe and goopdate86.dll) into running its malicious DLL payloads (goopdate.dll).
Tactic: Command and Control
MITRE ATT&CK T1132 Data Encoding: Non-Standard Encoding
The MuddyWater threat group's PowGoop malware communicates with the C2 server using a modified base64 encoding technique.
MITRE ATT&CK T1572 Protocol Tunneling
The Mori Backdoor utilized by MuddyWater threat actors uses DNS tunneling to communicate with its C2 infrastructure.
MuddyWater APT Group Attacks in Picus Threat Library
The Picus Threat Library contains 71 threats attributed to the MuddyWater threat group, including the following malware:
- Covicli Backdoor
- Delphstats Backdoor
- Empire Post-Exploitation Framework
- Koadic RAT (Remote Access Trojan)
- LaZagne Credential Dumper
- Mimikatz Credential Dumper
- PassDump Infostealer
- POWERSTATS (PowerMud) Backdoor
- PowGoop Loader
- Sharpstats Backdoor
- SSF.MX Backdoor
Indicators of Compromise
- goopdate.dll - First loader of PowGoop
- vcruntime140.dll - First loader of PowGoop
- libpcre2-8-0.dll - First loader of PowGoop
- goopdate.dat - Second loader of PowGoop
- config.txt - Encoded PowerShell downloader
- Other Files