Suleyman Ozarslan, PhD & Hüseyin Can Yüceel | January 13, 2022
United States Cyber Command (USCYBERCOM) issued an alert today (January 13, 2022), reporting malicious cyber operations by Iranian MOIS (Ministry of Intelligence and Security) sponsored MuddyWater APT (advanced persistent threat) group.
MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.
In this attack campaign, the MuddyWater cyber-espionage group mainly uses the PowGoop DLL Loader and the Mori Backdoor. The next section explains how the threat actor leverages them in target networks.
1. The legitimate GoogleUpdate.exe loads the legitimate goopdate86.dll binary into memory.
2. goopdate86.dll loads the malicious goopdate.dll (the first loader of PowGoop) into memory using the DLL side-loading technique. MuddyWater has also used the file names libpcre2-8-0.dll and vcruntime140.dll for this first loader.
3. Loaded goopdate.dll executes rundll32.exe with the DllRegisterServer parameter.
4. The malicious goopdate.dll's export DllRegisterServer is executed, which loads the second loader goopdate.dat into memory. goopdate.dat is an obfuscated PowerShell script.
5. goopdate.dll de-obfuscates and executes goopdate.dat. Then, goopdate.dat de-obfuscates and runs config.txt, which is actually another obfuscated PowerShell script.
6. The encoded config.txt PowerShell script then establishes a connection to the PowGoop Command and Control (C2) server using a modified base64 encoding mechanism. It works as a downloader, waiting for additional payloads. Often, the IP address of the C2 server is hardcoded in config.txt. By utilizing the Google Update service, goopdate.dll conceals communications with C2 servers.
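The chain above leaves two observable traces a defender can alert on: a loader-named DLL being mapped into GoogleUpdate.exe from a directory it should never load from (step 2), and GoogleUpdate.exe spawning rundll32.exe with the DllRegisterServer argument (step 3). The following detection logic is an added example, not Picus code or a rule from the alert; the events are constructed in a Sysmon-like shape, and the field names, sample paths and the trusted Google Update install root are assumptions for illustration.

```python
"""Detection heuristics for the PowGoop side-loading chain described above.

Added example, not Picus code. Events are constructed in a Sysmon-like shape
(EventID 1 = process creation, EventID 7 = image load); field names, file paths
and the expected Google Update install root are assumptions for illustration.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# File names the write-up reports for PowGoop's first-stage loader DLL.
POWGOOP_LOADER_NAMES = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}
# Directories from which GoogleUpdate.exe legitimately loads its DLLs (assumption).
TRUSTED_DLL_ROOTS = (r"C:\Program Files (x86)\Google\Update", r"C:\Windows")

SAMPLE_EVENTS: List[Dict] = [  # constructed telemetry, not real captures
    # Benign: genuine goopdate86.dll loaded from the Google Update install directory
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.36.71\goopdate86.dll"},
    # Suspicious: goopdate.dll side-loaded into GoogleUpdate.exe from a user-writable directory
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\goopdate.dll"},
    # Suspicious: GoogleUpdate.exe spawning rundll32.exe with DllRegisterServer (step 3 above)
    {"EventID": 1, "ParentImage": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\Libraries\goopdate.dll",DllRegisterServer'},
    # Benign: unrelated process creation
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def _under(path: str, root: str) -> bool:
    """True if path lies beneath root, case-insensitively."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root) + "\\")


def flag_image_load(ev: Dict) -> Optional[str]:
    """Step 2 of the chain: a loader-named DLL mapped into GoogleUpdate.exe from an untrusted path.
    vcruntime140.dll is also a legitimate runtime library, so the path check is what matters."""
    if ev.get("EventID") != 7 or _name(ev.get("Image", "")) != "googleupdate.exe":
        return None
    dll = ev.get("ImageLoaded", "")
    if _name(dll) in POWGOOP_LOADER_NAMES | {"goopdate86.dll"} and not any(
        _under(dll, root) for root in TRUSTED_DLL_ROOTS
    ):
        return "powgoop_loader_sideload"
    return None


def flag_process(ev: Dict) -> Optional[str]:
    """Step 3 of the chain: GoogleUpdate.exe launching rundll32.exe with DllRegisterServer."""
    if ev.get("EventID") != 1 or _name(ev.get("Image", "")) != "rundll32.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "dllregisterserver" in cmd and _name(ev.get("ParentImage", "")) == "googleupdate.exe":
        return "googleupdate_spawns_rundll32_dllregisterserver"
    return None


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Run both rules over an event list; returns (rule name, event index) per hit."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in (flag_image_load, flag_process):
            name = rule(ev)
            if name:
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for rule_name, idx in detect(SAMPLE_EVENTS):
        print(f"{rule_name}: {SAMPLE_EVENTS[idx]}")
```

The path check is deliberately the core of the first rule: the loader names PowGoop borrows (vcruntime140.dll in particular) are legitimate when loaded from the Google Update directory or the Windows directory, so alerting on the name alone would be noisy; alerting on the name from anywhere else catches the side-load while staying quiet on normal updater activity.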
The MuddyWater hacking group uses the following tactics, techniques, and procedures (TTPs) in its new attack campaign:
MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
The MuddyWater APT group uses PowerShell commands to connect to its Command and Control (C2) server and download additional payloads.
MITRE ATT&CK T1027 Obfuscated Files or Information
MuddyWater leverages obfuscated PowerShell scripts to evade defenses.
MITRE ATT&CK T1036 Masquerading
The PowGoop DLL Loader used by the MuddyWater cyber espionage group impersonates the legitimate goopdate86.dll file used by the Google Update mechanism.
MITRE ATT&CK T1574.002 Hijack Execution Flow: DLL Side-Loading
The MuddyWater threat group utilizes DLL side-loading to trick legitimate programs (GoogleUpdate.exe and goopdate86.dll) into running its malicious DLL payloads (goopdate.dll).
MITRE ATT&CK T1132 Data Encoding: Non-Standard Encoding
The MuddyWater threat group's PowGoop malware communicates with the C2 server using a modified base64 encoding technique.
MITRE ATT&CK T1572 Protocol Tunneling
The Mori Backdoor utilized by MuddyWater threat actors uses DNS tunneling to communicate with its C2 infrastructure.
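DNS tunneling (T1572) is observable in resolver logs without any knowledge of the backdoor's own encoding: a tunnel has to push its data through query names, so one client ends up asking for many distinct, long, random-looking labels under a single parent domain. The heuristic below is an added example, not Picus code and not an analysis of Mori's protocol, which the write-up does not describe; the log lines are constructed, the .invalid TLD is a reserved placeholder, and the thresholds are assumptions to be tuned against a baseline of real resolver traffic.

```python
"""Heuristic detector for DNS-tunneling style C2 traffic.

Added example, not Picus code or an analysis of Mori itself: the write-up only states
that Mori tunnels C2 over DNS, so the logic is generic. Tunnels tend to produce many
distinct, long, high-entropy leftmost labels under one parent domain from one client.
The log lines below are constructed; the .invalid TLD is a reserved placeholder.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.net A
10.0.0.7 zq4k9x2m7v1p0s8r.ns.lookup-test.invalid TXT
10.0.0.7 a81mf0c3kzx72qlw.ns.lookup-test.invalid TXT
10.0.0.7 p0o9i8u7y6t5r4e3.ns.lookup-test.invalid TXT
10.0.0.7 m2n3b4v5c6x7z8l9.ns.lookup-test.invalid TXT
10.0.0.7 k1j2h3g4f5d6s7a8.ns.lookup-test.invalid TXT
10.0.0.7 www.example.com A
"""

# Thresholds (assumptions; tune against a baseline of your own resolver logs).
MIN_UNIQUE_LABELS = 5
MIN_MEAN_LABEL_LEN = 12
MIN_MEAN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'client qname qtype' lines into tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].lower().rstrip("."), parts[2]))
    return rows


def analyze(text: str) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Per (client, parent domain): unique leftmost labels, mean label length, mean entropy.
    Parent domain is taken as the last two labels (assumption; public-suffix-aware
    splitting would be needed for domains such as example.co.uk)."""
    labels_seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, qname, _qtype in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:  # bare apex lookup, nothing to carry data in
            continue
        parent = ".".join(labels[-2:])
        labels_seen[(client, parent)].add(labels[0])
    stats = {}
    for key, labels in labels_seen.items():
        stats[key] = {
            "unique": len(labels),
            "mean_len": sum(len(lab) for lab in labels) / len(labels),
            "mean_entropy": sum(shannon_entropy(lab) for lab in labels) / len(labels),
        }
    return stats


def flag_tunnels(text: str) -> List[Tuple[str, str]]:
    """(client, parent domain) pairs whose query pattern exceeds every threshold."""
    return sorted(
        key for key, s in analyze(text).items()
        if s["unique"] >= MIN_UNIQUE_LABELS
        and s["mean_len"] >= MIN_MEAN_LABEL_LEN
        and s["mean_entropy"] >= MIN_MEAN_ENTROPY
    )


if __name__ == "__main__":
    stats = analyze(SAMPLE_DNS_LOG)
    for client, domain in flag_tunnels(SAMPLE_DNS_LOG):
        print(f"possible DNS tunnel: {client} -> *.{domain} {stats[(client, domain)]}")
```

All three conditions must hold before a pair is flagged: CDN and cloud hostnames can be long, and a busy client can legitimately resolve many subdomains of one domain, but few benign workloads combine volume, length and high entropy under a single parent. Record types are parsed but not used here; in practice, a skew towards TXT or NULL queries is a further signal worth adding.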
The Picus Threat Library includes 71 threats attributed to the MuddyWater threat group, including the following malware: