TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign

United States Cyber Command (USCYBERCOM) issued an alert today (January 13, 2022) reporting malicious cyber operations by the MuddyWater APT (advanced persistent threat) group, which is sponsored by Iran's Ministry of Intelligence and Security (MOIS).

MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.

In this attack campaign, the MuddyWater cyber-espionage group mainly uses the PowGoop DLL Loader and the Mori Backdoor. The next section explains how the threat actor leverages them in target networks.

Attack Chain of the PowGoop DLL Loader

1. The legitimate GoogleUpdate.exe loads the legitimate goopdate86.dll binary into memory.

2. goopdate86.dll loads the malicious goopdate.dll (the first loader of PowGoop) into memory through DLL side-loading. MuddyWater also ships this first loader under the names libpcre2-8-0.dll and vcruntime140.dll.

3. The loaded goopdate.dll launches rundll32.exe with DllRegisterServer as the export to call.

4. The malicious goopdate.dll's DllRegisterServer export runs and loads the second loader, goopdate.dat, into memory. goopdate.dat is an obfuscated PowerShell script.

5. goopdate.dll de-obfuscates and executes goopdate.dat. goopdate.dat in turn de-obfuscates and runs config.txt, which is another obfuscated PowerShell script.

6. The decoded config.txt script then connects to the PowGoop command and control (C2) server, encoding its traffic with a modified base64 scheme, and acts as a downloader that waits for additional payloads. The C2 server's IP address is often hardcoded in config.txt. By riding on the Google Update service, goopdate.dll disguises its communications with the C2 servers as update activity.
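The chain above gives a defender two concrete things to look for: GoogleUpdate.exe pulling a loader-named DLL from its own (non-install) directory, and GoogleUpdate.exe spawning rundll32.exe with DllRegisterServer on the command line. The following detection logic is an added example, not code from the Picus page or the USCYBERCOM alert. It runs over constructed Sysmon-style events (event 7 image loads and event 1 process creations); the loader file names and the GoogleUpdate.exe -> rundll32.exe step come from the page, while every path, PID and command line is constructed sample data, and the list of legitimate Google Update install directories is an assumption used as a heuristic.

```python
"""Detection logic for the PowGoop side-loading chain, run over constructed
Sysmon-style events. Added example, not code from the Picus page or the
USCYBERCOM alert. The only facts taken from the page are the loader file names
and the GoogleUpdate.exe -> rundll32.exe DllRegisterServer step; every path,
PID and command line below is constructed sample data."""
from typing import Dict, List

# File names the page lists for PowGoop's first loader.
LOADER_NAMES = {"goopdate.dll", "libpcre2-8-0.dll", "vcruntime140.dll"}

# Assumption: a legitimately installed Google Update runs from one of these
# directories. A GoogleUpdate.exe running elsewhere (a user temp folder, for
# instance) is a planted copy brought along for side-loading.
GOOGLE_UPDATE_DIRS = (
    "c:\\program files (x86)\\google\\update\\",
    "c:\\program files\\google\\update\\",
)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def _in_google_update_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in GOOGLE_UPDATE_DIRS)


def detect_powgoop(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule, in event order.

    side_load (Sysmon event 7): GoogleUpdate.exe loads a DLL with one of the
    loader names from the directory it runs from, and that directory is not
    the Google Update install directory (the side-loading signature).
    rundll32_dllregisterserver (Sysmon event 1): rundll32.exe started by
    GoogleUpdate.exe with DllRegisterServer on the command line (step 3).
    When the parent PID was already seen side-loading, the rule is reported
    as "chain" because both halves of the sequence were observed.
    """
    findings: List[Dict] = []
    sideloaded_pids = set()
    for ev in events:
        if ev["id"] == 7 and _basename(ev["image"]) == "googleupdate.exe":
            adjacent = _dirname(ev["loaded"]) == _dirname(ev["image"])
            if (_basename(ev["loaded"]) in LOADER_NAMES and adjacent
                    and not _in_google_update_dir(ev["image"])):
                sideloaded_pids.add(ev["pid"])
                findings.append({"rule": "side_load", "pid": ev["pid"],
                                 "detail": ev["loaded"]})
        elif ev["id"] == 1 and _basename(ev["image"]) == "rundll32.exe":
            if (_basename(ev["parent_image"]) == "googleupdate.exe"
                    and "dllregisterserver" in ev["command_line"].lower()):
                rule = ("chain" if ev["parent_pid"] in sideloaded_pids
                        else "rundll32_dllregisterserver")
                findings.append({"rule": rule, "pid": ev["pid"],
                                 "detail": ev["command_line"]})
    return findings


# Constructed sample events (not real telemetry). The user temp folder
# stands in for wherever the actor dropped the files.
TMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
EVENTS = [
    {"id": 7, "pid": 4120, "image": TMP + "GoogleUpdate.exe",
     "loaded": TMP + "goopdate86.dll"},                     # step 1: legit DLL
    {"id": 7, "pid": 4120, "image": TMP + "GoogleUpdate.exe",
     "loaded": TMP + "goopdate.dll"},                       # step 2: side-load
    {"id": 1, "pid": 4188, "parent_pid": 4120,              # step 3
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": TMP + "GoogleUpdate.exe",
     "command_line": "rundll32.exe " + TMP + "goopdate.dll,DllRegisterServer"},
    {"id": 7, "pid": 900,                                   # benign: real install
     "image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "loaded": "C:\\Windows\\System32\\vcruntime140.dll"},
    {"id": 1, "pid": 2222, "parent_pid": 1000,              # benign rundll32 use
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in detect_powgoop(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

The adjacency check (DLL loaded from the same directory as the executable) is what separates side-loading from a legitimate Google Update loading vcruntime140.dll out of System32, so the benign events produce no findings. In production the same two rules map directly onto Sysmon event 7 and event 1 fields (Image/ImageLoaded and ParentImage/CommandLine).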

Test your security controls now: Simulate MuddyWater attacks with Picus

TTPs Used by the MuddyWater APT Group in the New Attack Campaign

The MuddyWater hacking group uses the following tactics, techniques, and procedures (TTPs) in its new attack campaign:

Tactic: Execution

MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell

The MuddyWater APT group uses PowerShell commands to connect to its command and control (C2) server and download additional payloads.

Tactic: Defense Evasion

MITRE ATT&CK T1027 Obfuscated Files or Information

MuddyWater leverages obfuscated PowerShell scripts to evade defenses.

MITRE ATT&CK T1036 Masquerading

The PowGoop DLL Loader used by the MuddyWater cyber espionage group impersonates the legitimate goopdate86.dll file used by the Google Update mechanism.

MITRE ATT&CK T1574.002 Hijack Execution Flow: DLL Side-Loading

The MuddyWater threat group uses DLL side-loading to trick legitimate programs (GoogleUpdate.exe and goopdate86.dll) into running its malicious DLL payload (goopdate.dll).

Tactic: Command and Control

MITRE ATT&CK T1132.001 Data Encoding: Non-Standard Encoding

The MuddyWater threat group's PowGoop malware communicates with the C2 server using a modified base64 encoding technique.
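A "modified base64" scheme typically keeps the base64 bit-packing and swaps the 64-symbol table, which is enough to defeat a decoder that assumes the standard alphabet while costing the malware nothing. The code below is an added example, not PowGoop's own code: the page does not describe PowGoop's actual table, so the reversed alphabet used here is an illustrative assumption. It shows how to encode and decode with a custom table using a byte translation, and a small triage helper that tries a few candidate alphabets against an unknown blob; the beacon body is constructed sample data.

```python
"""Encoding and decoding with a non-standard base64 alphabet (ATT&CK
T1132.001). Added example, not PowGoop's code: the page says only that
PowGoop uses a "modified base64" scheme, so the reversed alphabet used here
is an illustrative assumption, not the malware's real table."""
import base64
import binascii
import string
from typing import Optional

STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/").encode()

# Assumed custom table: the standard alphabet reversed, so 'A' <-> '/' etc.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def custom_b64encode(data: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Standard base64, then remap each symbol into the custom alphabet.
    '=' padding is in neither table and passes through unchanged."""
    return base64.b64encode(data).translate(bytes.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(data: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode strictly
    (validate=True rejects bytes outside the alphabet instead of dropping them)."""
    return base64.b64decode(data.translate(bytes.maketrans(alphabet, STD_ALPHABET)),
                            validate=True)


# Alphabet variants worth trying when triaging an unknown blob. "standard" is
# tried first to show that plain base64 decoding of a custom-table blob yields
# garbage rather than an error, which is why naive decoders miss this traffic.
CANDIDATE_ALPHABETS = {
    "standard": STD_ALPHABET,
    "urlsafe": STD_ALPHABET[:-2] + b"-_",
    "case_swapped": STD_ALPHABET.swapcase(),
    "reversed": STD_ALPHABET[::-1],
}


def guess_alphabet(blob: bytes) -> Optional[str]:
    """Return the first candidate alphabet under which blob decodes to
    printable ASCII, or None. Real triage would add the actor's known tables."""
    for name, alphabet in CANDIDATE_ALPHABETS.items():
        try:
            plain = custom_b64decode(blob, alphabet)
        except (binascii.Error, ValueError):
            continue
        if plain and all(0x20 <= b < 0x7F for b in plain):
            return name
    return None


# Constructed sample beacon body (not real PowGoop traffic).
BEACON = b"id=42"

if __name__ == "__main__":
    wire = custom_b64encode(BEACON)
    print("on the wire:", wire)
    print("naive base64 decode:", custom_b64decode(wire, STD_ALPHABET))
    print("correct decode:", custom_b64decode(wire), "via", guess_alphabet(wire))
```

The printable-ASCII heuristic in guess_alphabet is only safe for text payloads; for binary second-stage downloads, key the decision on a known header (for example the MZ magic of a PE) instead.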

MITRE ATT&CK T1572 Protocol Tunneling

The Mori Backdoor utilized by MuddyWater threat actors uses DNS tunneling to communicate with its C2 infrastructure.
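DNS tunneling of the kind attributed to Mori above leaves a statistical footprint in resolver logs: many unique, long, high-entropy subdomains under one registrable domain. The following heuristic detector is an added example, not code from the Picus page or the USCYBERCOM alert, and it does not describe Mori's actual encoding. It runs over constructed DNS query log lines (client, query type, query name); the tunneling domain updates-cdn.example and all client addresses are invented, and the "registrable domain equals the last two labels" rule is a simplification of what a real deployment would do with the public suffix list.

```python
"""Heuristic DNS tunneling detection over resolver logs (ATT&CK T1572).
Added example, not code from the Picus page or the USCYBERCOM alert, and not
a description of Mori's protocol. The log below is constructed sample data;
the .example TLD is reserved for documentation."""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample: "<client> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A 6b2f9c1a7e3d4f08.c9e1b2a4d7f6e5c3.t.updates-cdn.example
10.0.0.5 A 0f7e6d5c4b3a2918.a1b2c3d4e5f60718.t.updates-cdn.example
10.0.0.5 TXT 1e2d3c4b5a69788f.5f4e3d2c1b0a9988.t.updates-cdn.example
10.0.0.5 A 9a8b7c6d5e4f3a2b.7c6d5e4f3a2b1c0d.t.updates-cdn.example
10.0.0.5 A mail.example.com
10.0.0.7 A cdn.example.com
10.0.0.5 A 4d3c2b1a0f9e8d7c.3b2a1c0d9e8f7a6b.t.updates-cdn.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for 'www', close to 4 for hex-looking labels."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Assumption: the registrable domain is the last two labels. Everything
    to its left is the part an attacker controls and can stuff data into."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def domain_stats(log_text: str) -> Dict[str, Dict]:
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                               "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _qtype, qname = line.split()
        base, payload = split_qname(qname)
        d = acc[base]
        d["queries"] += 1
        d["names"].add(qname.lower())
        d["clients"].add(client)
        d["len_sum"] += len(payload)
        d["ent_sum"] += shannon_entropy(payload)
    return {
        base: {
            "queries": d["queries"],
            "clients": len(d["clients"]),
            "unique_ratio": len(d["names"]) / d["queries"],
            "mean_payload_len": d["len_sum"] / d["queries"],
            "mean_entropy": d["ent_sum"] / d["queries"],
        }
        for base, d in acc.items()
    }


def flag_tunneling(log_text: str, min_queries: int = 3, min_unique_ratio: float = 0.9,
                   min_payload_len: float = 20.0, min_entropy: float = 3.0) -> List[str]:
    """Registrable domains whose subdomains look like encoded data: almost
    every query is a new name, the names are long, and they are high-entropy."""
    flagged = []
    for base, s in domain_stats(log_text).items():
        if (s["queries"] >= min_queries and s["unique_ratio"] >= min_unique_ratio
                and s["mean_payload_len"] >= min_payload_len
                and s["mean_entropy"] >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, s in domain_stats(SAMPLE_LOG).items():
        print(base, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

Legitimate services also generate high-cardinality lookups (antivirus reputation queries and some CDNs), so run this with an allowlist of known domains and treat a hit as a lead for checking the querying host's process tree, not as proof on its own.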

MuddyWater APT Group Attacks in Picus Threat Library

Picus Threat Library contains 71 threats attributed to the MuddyWater threat group, including the following malware:

  • Covicli Backdoor
  • Delphstats Backdoor
  • Empire Post-Exploitation Framework
  • Koadic RAT (Remote Access Trojan)
  • LaZagne Credential Dumper
  • Mimikatz Credential Dumper
  • PassDump Infostealer
  • POWERSTATS (PowerMud) Backdoor
  • PowGoop Loader
  • Sharpstats Backdoor
  • SSF.MX Backdoor


Indicators of Compromise

SHA-256 Hashes

  • goopdate.dll - First loader of PowGoop
  • vcruntime140.dll - First loader of PowGoop
  • libpcre2-8-0.dll - First loader of PowGoop
  • goopdate.dat - Second loader of PowGoop
  • config.txt - Encoded PowerShell downloader
  • JavaScript files - Issue GET requests to C2 servers
  • Other Files