Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
webinar
ON-DEMAND Top Ten ATT&CK Techniques: The Rise of ‘Hunter-Killer’ Malware
Research

RESEARCH

LEARNING

report (1)
REPORT 2024 Gartner® Peer Insights™ Voice of the Customer for Breach and Attack Simulation (BAS) Tools
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Company

COMPANY

PARTNERS

webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

TTPs and Malware used by MuddyWater Cyber Espionage Group

TTPs and malware used by Iranian state-sponsored MuddyWaper group

Huseyin Can YUCEEL & Erdem KÜÇÜKMUSTAFA | March 01, 2022

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On February 24rd, 2022, The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued an alert on Iranian state-sponsored Advanced Persistent Threat (APT) group MuddyWater and their recent cyber-espionage operations [1]. Picus Labs added attack simulations for new MuddyWater operations to the Picus Threat Library. In this blog, we explained the new MuddyWater malware types in detail. 

Test your security controls against MuddyWater Attacks

MuddyWater Cyber-Espionage Group

MuddyWater is a cyber-espionage group that targets various organizations in telecommunications, defense, local government, oil, and natural gas sectors worldwide. According to US Cyber Command, MuddyWater operates under the Iranian Ministry of Intelligence and Security (MOIS) and provides confidential information to the Iranian government [2]. In addition to espionage, the APT group operates ransomware attacks. MuddyWater is also known as Static Kitten, Earth Vetala, MERCURY, Seedworm, and TEMP.Zagros. The cyber-espionage group has been known to be active since 2017.

Recently, MuddyWater has been observed to use various malware variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS.

Malware Used by MuddyWater

     1. PowGoop DLL Loader

PowGoop malware is a malicious DLL loader that disguises itself as a legitimate Google Update executable. PowGoop malware is made of 3 components.

  • PowGoop has an executable named GoogleUpdate.exe that contains malicious Goopdate.dll. This DLL is used for DLL side-loading.
  • PowGoop has a PowerShell script named goopdate.dat that decrypts and runs another Powershell script called config.txt
  • The last component of PowGoop is config.txt, a PowerShell script that contains a beacon. The deployed beacon communicates with MuddyWater’s C2 server and downloads additional payloads to the target system under the disguise of the Google Update service.

👉 Check out our blog post on PowGoop for more information.

     2. Small Sieve Backdoor

Small Sieve is a backdoor malware. It is written in Python and communicates with the MuddyWater C2 server using an encrypted channel over Telegram Bot API to avoid detection. Small Sieve is distributed using a Nullsoft Scriptable Install System (NSIS) installer named gram_app.exe. Once executed, it places a Python backdoor called index.exe that can download files and execute commands in the infected system. It also establishes persistence by adding a new registry run key named OutlookMicrosift; the typo is intentional to appear legitimate.

     3. Canopy  (Starwhale)

Canopy is a type of malware called spyware that collects the victim's username, computer name, and IP address and sends it to the MuddyWater group. Canopy malware is also known as Starwhale malware. Canopy is distributed via spearphishing emails with an Excel file named 'Cooperation term.xls' as an attachment. The Excel file contains malicious Visual Basic for Applications and Windows Script File scripts that establish persistence and exfiltrates user data in an encoded format using an HTTP POST request.

     4. Mori

Mori is another backdoor used by the MuddyWater APT group that uses DNS tunneling to exfiltrate the victim’s data to C2 servers of MuddyWater. Mori uses a malicious DLL file named FML.dll that contains junk data to avoid detection.

     5. POWERSTATS

POWERSTATS is a PowerShell-based backdoor that MuddyWater uses to collect confidential information belonging to the victim. POWERSTATS is also known as Powermud backdoor, and it is considered a signature malware for MuddyWater. The malware steals saved passwords to access the victim's email and social media accounts to collect sensitive data.

How Picus Helps Simulate MuddyWater Cyber Attacks?

Using the Picus Continuous Security Validation Platform, you can test your security controls against the MuddyWater attacks. We advise you to simulate MuddyWater cyber-attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate MuddyWater threats.

Test your security controls against MuddyWater Attacks Now!


Threat Name

Backdoor Malware used by Muddywater .EXE File Download (3 variants)

Canopy Malware Dropper used by Muddywater .XLS File Download (1 variant)

Canopy Malware used by Muddywater .WSF File Download (3 variants)

Delphstats Backdoor Malware used by MuddyWater .EXE File Download (1 variant)

Earth Vetala - MuddyWater Dropper .PDF File Download (1 variant)

Earth Vetala - MuddyWater Dropper .RTF File Download (1 variant)

Earth Vetala - MuddyWater PassDump Infostealer .DLL File Download (1 variant)

MuddyWater Exploit Document Malware .DOC File Download (1 variant)

Lazagne Credential Dumper used by MuddyWater .EXE File Download (1 variant)

MuddyWater Macro-Embedded Document Trojan .DOC File Download (7 variants)

Malware Downloader used by Muddywater .DOC File Download (3 variants)

Malware Downloader used by Muddywater .XLS File Download (3 variants)

Mori backdoor used by Muddywater .DLL File Download (1 variant)

MuddyWater APT Scenario

MuddyWater Malware Dropper .DOC File Download (21 variants)

MuddyWater Valyria Trojan .DOC File Download (1 variant)

Powermud Backdoor used by MuddyWater .EXE File Download (9 variants)

PowerShell Based Backdoor used by MuddyWater .DLL File Download (4 variants)

PowerShell Based Backdoor used by MuddyWater .DOC File Download (2 variants)

Powerstats Backdoor Dropper Used by MuddyWater .VBS File Download (1 variant)

Powerstats Backdoor Malware Used by MuddyWater .EXE File Download (4 variants)

Powerstats Backdoor Malware Used by MuddyWater .PS1 File Download (1 variant)

PowGoop Loader used by MuddyWater .DAT File Download (2 variants)

PowGoop Loader used by MuddyWater .DLL File Download (2 variants)

Quicksand - Covicli Backdoor used by Muddywater .DLL File Download (1 variant)

Quicksand - Dropper used by Muddywater .ASPX File Download (1 variant)

Quicksand - Malware Downloader used by Muddywater .PS1 File Download (1 variant)

Quicksand - PowGoop Loader used by Muddywater .DLL File Download (1 variant)

Quicksand - SSF.MX Backdoor used by Muddywater .EXE File Download (1 variant)

Sharpstats Backdoor Malware used by MuddyWater .PS1 File Download (4 variants)

Small Sieve Backdoor used by Muddywater .EXE File Download (2 variants)

MuddyWater Trojan Downloader .JS File Download (2 variants)

MITRE ATT&CK Techniques Used by the MuddyWater APT Group

Reconnaissance

  • T1589.002 Gather Victim Identity Information: Email Addresses

Resource Development

  • T1583.006 Acquire Infrastructure: Web Services

  • T1588.002 Obtain Capabilities: Tool

Initial Access

  • T1566.001 Phishing: Spearphishing Attachment

  • T1566.002 Phishing: Spearphishing Link

Execution

  • T1047 Windows Management Instrumentation

  • T1059.001 Command and Scripting Interpreter: PowerShell

  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

  • T1059.005 Command and Scripting Interpreter: Visual Basic

  • T1059.006 Command and Scripting Interpreter: Python

  • T1059.007 Command and Scripting Interpreter: JavaScript

  • T1203 Exploitation for Client Execution

  • T1204.001 User Execution: Malicious Link

  • T1204.002 User Execution: Malicious File

  • T1559.001 Inter-Process Communication: Component Object Model

  • T1559.002 Inter-Process Communication: Dynamic Data Exchange

Persistence

  • T1053.005 Scheduled Task/Job: Scheduled Task

  • T1137.001 Office Application Startup: Office Template Macros

  • T1543.003 Create or Modify System Process: Windows Service

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

  • T1547.005 Boot or Logon Autostart Execution: Security Support Provider

Privilege Escalation

  • T1134 Access Token Manipulation

  • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

  • T1555 Credentials from Password Stores

  • T1555.003 Credentials from Web Browsers

Defense Evasion

  • T1027 Obfuscated Files or Information

  • T1027.003 Steganography

  • T1027.004 Compile After Delivery

  • T1027.005 Obfuscated Files or Information: Indicator Removal from Tools

  • T1036.005 Masquerading: Match Legitimate Name or Location

  • T1055.001 Process Injection: Dynamic-link Library Injection

  • T1055.002 Process Injection: Portable Executable Injection

  • T1140 Deobfuscate/Decode Files or Information

  • T1218.003 Signed Binary Proxy Execution: CMSTP

  • T1218.005 Signed Binary Proxy Execution: Mshta

  • T1218.011 Signed Binary Proxy Execution: Rundll32

  • T1480 Execution Guardrails

  • T1562.001 Impair Defenses: Disable or Modify Tools

  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

  • T1574.002 Hijack Execution Flow: DLL Side-Loading

  • T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

  • T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

  • T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path

Credential Access

  • T1003.001 OS Credential Dumping: LSASS Memory

  • T1003.004 OS Credential Dumping: LSA Secrets

  • T1003.005 OS Credential Dumping: Cached Domain Credentials

  • T1552.001 Unsecured Credentials: Credentials In Files

  • T1552.002 Unsecured Credentials: Credentials in Registry

  • T1552.006 Unsecured Credentials: Group Policy Preferences,

  • T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Discovery

  • T1005 Data from Local System

  • T1012 Query Registry

  • T1016 System Network Configuration Discovery

  • T1033 System Owner/User Discovery

  • T1049 System Network Connections Discovery

  • T1057 Process Discovery

  • T1082 System Information Discovery

  • T1083 File and Directory Discovery

  • T1087.002 Account Discovery: Domain Account

  • T1482 Domain Trust Discovery

  • T1518 Software Discovery

  • T1518.001 Security Software Discovery

Collection

  • T1056.001 Input Capture: Keylogging

  • T1113 Screen Capture

  • T1123 Audio Capture

  • T1560.001 Archive Collected Data: Archive via Utility

Command and Control

  • T1071.001 Application Layer Protocol: Web Protocols

  • T1090.002 Proxy: External Proxy

  • T1102.002 Web Service: Bidirectional Communication

  • T1104 Multi-Stage Channels

  • T1105 Ingress Tool Transfer

  • T1132.001 Data Encoding: Standard Encoding

  • T1132.002 Data Encoding: Non-Standard Encoding

  • T1219 Remote Access Software

  • T1572 Protocol Tunneling

Exfiltration

  • T1041 Exfiltration Over C2 Channely

Indicators of Compromise (IOCs)

MD5

SHA-1

SHA-256

b0ab12a5a4c232c902cdeba421872c37

a8e7659942cc19f422678181ee23297efa55fa09

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141

e182a861616a9f12bc79988e6a4186af

69840d4c4755cdab01527eacbb48577d973f7157

c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e

cb84c6b5816504c993c33360aeec4705

9f212961d1de465c20e84f3c4d8ac0302e02ce37

d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0

e1f97c819b1d26748ed91777084c828e

4209a007fcf4d4913afad323eb1d1ae466f911a6

ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418

0431445d6d6e5802c207c8bc6a6402ea

3765c1ad8a1d936aad88255aef5d6d4ce24f94e8

3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8

15fa3b32539d7453a9a85958b77d4c95

11d594f3b3cf8525682f6214acb7b7782056d282

b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054

5763530f25ed0ec08fb26a30c04009f1

2a6ddf89a8366a262b56a251b00aafaed5321992

bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2

f21371716c281e38b31c03f28d9cc7c0

be9dbee320d8870b3416e9a348f3f5aa92e1081b

f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285

817ab97c5be4f97a3b66d3293e46adc7

9ce6287a4bc8e05b32196769483c98c914cda453

7dc49601fa6485c3a2cb1d519794bee004fb7fc0f3b37394a1aef6fceefec0c8

366910fc6c707b5a760413dd4ab0c8e9

bc3fc89637437aed2223f0a6b4fda73a8afede1a

450302fb71d8e0e30c80f19cfe7fb7801b223754698cac0997eb3a3c8e440a48

fbacc4e15a4c17daac06d180c6db370e

9c483899654caae1ca6a698275535633cd9571be

5cdc7dd6162a8c791d50f5b2c5136d7ba3bf417104e6096bd4a2b76ea499a2f4

59629ec48fec4c8480a9b09471815ad5

ebf083d22fb0cf04cdf0360ac8e892a1df45d1b6

fcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0

325493b99c01f442200316332b1d0b4c

a7b57d47c1b80c61c61c1bcf9089eed6fdaac756

a69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c

218d4151b39e4ece13d3bf5ff4d1121b

28e799d9769bb7e936d1768d498a0d2c7a0d53fb

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82

a65696d6b65f7159c9ffcd4119f60195

570f7272412ff8257ed6868d90727a459e3b179e

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504

a27655d14b0aabec8db70ae08a623317

8344f2c1096687ed83c2bbad0e6e549a71b0c0b1

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa

cec48bcdedebc962ce45b63e201c0624

81f46998c92427032378e5dead48bdfc9128b225

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

c0c2cd5cc018e575816c08b36969c4a6

47a4e0d466bb20cec5d354e56a9aa3f07cec816a

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c

37fa9e6b9be7242984a39a024cade2d5

0211569091b96cffab6918e18ccc97f4b24d88d4

42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986

64fc017a451ef273dcacdf6c099031f3

6aa8b4f4a6fd1b4f768b1ac6faaaddbaa302a585

70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b

3c2a436c73eeb398cfc0923d9b08dcfe

8afe8c82901a1a07fb92d10457617f7eb16a4eea

468e331fd3f9c41399e3e90f6fe033379ab69ced5e11b35665790d4a4b7cf254

2ec61c8b7e57126025ebfdf2438418fc

5844344b5cf4c8d0d577f5506c8e5d4d680bd0d6

ccdddd1ebf3c5de2e68b4dcb8fbc7d4ed32e8f39f6fdf71ac022a7b4d0aa4131

d632c8444aab1b43a663401e80c0bac4

2b3981a8889d51bb14a3a974d1578b0161b8784b

3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb

ff46053ad16728062c6e7235bc7e8deb

a62b4ecfd5929769e5aeaef9785efce1d4919465

6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac

d15aee026074fbd18f780fb51ec0632a

352687a98fb232e5614f7ce7cd57512553535915

af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102

fbe65cd962fc97192d95c40402eee594

dc7fca6a34a3a65cf5df6c17435fc5f2f1c62b93

61072ae06a5e25194e7bf6297026b54ae52fcfc14787ead8866866d8098a1fa3

ee2d1e570be5d53a5c970339991e2fd7

ae0830b1286ad3678bca82105c5db8203035dc72

92bbd427ad2daf5644c5671b6dc369e02c00d03e4a13eadc2bb3025c0cdf3ec2

2c3d8366b6ed1aa5f1710d88b3adb77d

607635ce4cf03548084bc64a65b9ec9c03c86840

6d065532daab06c0b15c73d808c03b8497bb80fdd19c012bfc8771905f1f4066

1d6f241798818e6fdc03015d01e1e680ü

0984f359c1f8c85da5a0662448a4fedab4c524e5

b154d3fd88767776b1e36113c479ef3487ceda0f6e4fc80cef85ba539a589555

b07d9eca8af870722939fd87e928e603

a80c650cd1a486e077b2e1867f36f553cb682a41

19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169

b44ccd6939bdbc8f61c9e71a128b2613

2a7d210f43e1aa80affbbeb7ad5350fc653cb7c4

503b2b01bb58fc433774e41a539ae9b06004c7557ac60e7d8a6823f5da428eb8

692815cce754b02fe5085375cab1f7b2

732284173858d6b671c2fec0456e3c0fdfc063ce

6be18e3afeec482c79c9dea119d11d9c1598f59a260156ee54f12c4d914aed8f

851f083d29c5f8f411a7ad0392c4496c

b1b9fb39ad20f056e352c72e79dfcbde3052d437

484f78eb4a3bb69d62491fdb84f2c81b7ae131ec8452a04d6018a634e961cd6a

8b3da6c97a53188e4af2d404dea654b6

19a2db6bf5987b3961b61c8d19df8fa5f7aee79a

3deaa4072da43185d4213a38403383b7cefe92524b69ce4e7884a3ddc0903f6b

6c303f68b97b72100637735cd2150393

63a8be0e2091f1cb11773e9e0576fdaaf52b6b10

4ba618c04cbdc47de2ab5f2c91f466bc42163fd541de80ab8b5e50f687bbb91c

cf5c526d50a385ba289c08affbdc85ed

dccf6a68d8b413dab46dd0dde2a692d864da7ab4

e241b152e3f672434636c527ae0ebbd08c777f488020c98efce8b324486335c5

d4259eb8e3b90ac08c9337df84468e87

631616a7d6f4d9f83a81e6efdcc03574994c2786

6ee79815f71e2eb4094455993472c7fb185cde484c8b5326e4754adcb1faf78e

6f44e57c81414355e3d0d0dafdf1d80e

4c4ac9a8bda6afc6172d50b25318833eb82045d3

81c7787040ed5ecf21b6f80dc84bc147cec518986bf25aa933dd44c414b5f498

1dae271ffc1841009104521e9c37e993

4f0272f0c41dbd3c4269f864ce30f668b5cb92e8

999e4753749228a60d4d20cc5c5e27ca4275fe63e6083053a5b01b5225c8d53a

ed490e756b349443694d9a14952a0816

dfffeffdcaa90934a8788b72d40b7c44eb343910

4bd93e4a9826a65ade60117f6136cb4ed0e17beae8668a7c7981d15c0bed705a

eed599981c097944fa143e7d7f7e17b1

b604dd6517dfd0df72e52ebc3f92da699c1396cd

a3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981

21aebece73549b3c4355a6060df410e9

dbab599d65a65976e68764b421320ab5af60236f

0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2

5c6148619abb10bb3789dcfb32f759a6

9732cf8c9e84e992d8856537dc5988371bb73f7c

bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6

ddba713c20c232bcd60daf0ffabeffb8

23bae509a3f47223e3ad1c3fadc600cfb63a80d6

1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c

e2ed0be977ab9e50055337ec8eb0ddf4

8e05a8a34855b4bac56cfe223e70479235720c99

51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf

54982c616098f6c6fbc48703922f15f4

9ca4dd5043c18ebbbc9d8c789e3ee67de26c4ad0

51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3

e6e7661efb60b9aea7969a30e17ace19

a2ac825e6def9fb9dcef07e3df84279a343f06c7

5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a

488723b8e56dbaac8ccdc79499037d5f

6db26ce598b86e96ca2ba132d2d847beca8521ee

884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63

fa200e715e856550c76f729604ebaf57

7bf879aaf66bb5fc5b97bb29c966f3b21c8e25c8

bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6

837eaad1187fe9fbf91f9bc7c054f5d9

e5deb0093e08ece9ef1d0a209bd8240bba49b527

bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50

989e9dcc2182e2b5903b9acea03be11d

37df30c904ee7a761120e202c6ea12c9da13f007

c92e70515d594c582e4433f2aca6c8f2aa60f1af0aa21a08173ff2feb7d34359

a750e2885ed3c294de148864723f73e3

f7f8a79d86579d220d0294520e2fcebea53d08f0

f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e

ca9230a54f40a6a0fe52d7379459189c

b6a6139e9037d2719482474c71c4a5d847c717e6

294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d

5935522717aee842433a5de9d228a715

bd2953a4ec7538a5868423e336517376b3dc5864

65bd49d9f6d9b92478e3653362c0031919607302db6cfb3a7c1994d20be18bcc

0cf25597343240f88358c694d7ae7e0a

11e4572812a0835c58f27814b031fb68c22f1a7b

b6c483536379840e89444523d27ac7828b3eb50342b992d2c8f608450cd7bb53

44c900bd374ebce1aac1f1e45958f0fe

0608182a5ee641ac33aea6fbd14862013ccd88e6

e5c56c5b9620fb542eab82bdf75237d179bc996584b5c5f7a1c34ef5ae521c7d

9533003c5f7c718951a3171da03844fb

9e97cf4050fc052ae144fcecb33294c39a7a7672

43080479eb1b00ba80c34272c5595e6ebdc6b0ffabcdc2c40ea2af49fcc43db4

3b6b74bf57746a31b7c8bdbb22282290

128606f1119b6fdcd00937a1fe54dbef18670251

0acd10b14d38a4ac469819dfa9070106e7289ecf7360e248b7f10f868c2f373d

127bd5e7f11977a07428837a2d2fa9f1

6f9d9466babda3473726b96891eb4bcd8098591b

888a6f205ac9fc40d4898d8068b56b32f9692cb75f0dd813f96a7bd8426f8652

b897fa2a9a3067dfd919cc27c269b203

7cb835c87b0fe6f5dc13a668ecb36cc6b35f44cf

4f509354d8b3152a40c64ce61f7594d592c1256ad6c0829760b8dbdcb10579a2

8fbb83e448095d1c73ee1431abc15c80

19e26c789eb5203d9ad94f74cc4369216ae40619

41ee0ab77b474b0c84a1c25591029533f058e4454d9f83ba30159cc6309c65d1

24e1bd221ba3813ed7b6056136237587

8d86e25ee414d49cf925d5fd333443e39eebfc8f

3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c

37f7e6e5f073508e1ee552ebea5d200e

34f4c4ac3500a91c5d9394b247ba1eeb7152535d

d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025

ffb8ea0347a3af3dd2ab1b4e5a1be18a

99d3597fea978d3d8ea6ad1e5727d581ec409c1a

fbbda9d8d9bcaaf9a7af84d08af3f5140f5f75778461e48253dc761cc9dc027c

fdb4b4520034be269a65cfaee555c52e

fe94be7b44239bd1aff24a436294031dd4a2d4c2

240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b

7a2ff07283ddc69d9f34cfa0d3c936d4

db6376bfd590285e271387c81b676281a7a80abb

18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd

9486593e4fb5a4d440093d54a3519187

f9bc806bc1fb99e8e88e3d8f142729bdd5a44ec9

707d2128a0c326626adef0d3a4cab78562abd82c2bd8ede8cc82f86c01f1e024

b8939fa58fad8aa1ec271f6dae0b7255

0336503957730b0669a4575fa64b9c4d9d25f240

76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338

665947cf7037a6772687b69279753cdf

89f726a22b1cad37d95befeed64a6c379f7db2ad

94625dd8151814dd6186735a6a6a87b2a4c71c04b8402caf314fb6f98434eaad

801f34abbf90ac2b4fb4b6289830cd16

0282bf2a9dca0a87e7fe2a12480c1cc2ea234b49

b7b8faac19a58548b28506415f9ece479055e9af0557911ca8bbaa82b483ffb8

68e89d88b7cca6f12707d5a463c9d1d8

7aed1190356493472ffcf1eb2d7d61f1ea3e6809

2727bf97d7e2a5e7e5e41ccbfd7237c59023d70914834400da1d762d96424fde

5bd61a94e7698574eaf82ef277316463

a80655582da300ba1e1c3f4ac78d61a5a8f6d3ab

c87799cce6d65158da97aa31a5160a0a6b6dd5a89dea312604cc66ed5e976cc9

bf310319d6ef95f69a45fc4f2d237ed4

f53f52b9aa4573f7250d7693617f8617ec139aad

009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0

1de684f66a87cdf8485f95693d188596

754442f677f4129dbb784b116dad036d543ca725

40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe

3e6e37b381bf968c7718cb2323f275f8

962559d4e17b6d20d19f53cf217f3ed17571b119

16bcb6cc38347a722bb7682799e9d9da40788e3ca15f29e46b475efe869d0a04

ccb6108b7d29e8f3af6275c1256dd82e

0be43791372178a889619025009556c2ea788983

b2c10621c9c901f0f692cae0306baa840105231f35e6ec36e41b88eebd46df4c

c90e22b6579a3447836e299cbc5d0af0

e71258cb7e3e8693369a5fca8824122eaba3f602

58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d

a86249a392b394c803ddbd5bbaa0b4bb

04644126b82e83a6c9ae5da91a3584a41ad7e687

588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f

ebc529b32422b6385b6ba3416c7afe13

2ab8f082762faf97f3cbea43e208a4cee923a115

97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc

9f00ac3bef01d2e3d8ebc48c3468d5c0

80bbed38197bfbf9de7e9ceb7ee084fc773e2b2a

1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce

0873ddb4df8320b493a719bdddd7d182

56420230b25ac7f6d43c223cc303458aa1c60a6e

2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1

b0a365d0648612dfc33d88183ff7b0f0

bb09fa209f596f4390b29cf64034311444464c4b

a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5

0e53da32937cb3718988026d9e96a5f0

08ef2f27cee1b0b80fadc9a5b8e356600ddd199a

367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433

135238bc43fddd0867676aef1e9aaf83

87a6c50d81f1767076027bfa4163a5853645e297

de6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d

65c64c5aa55d3d78f08456cb20012fcf

0b51193e6b17d7be8cd11fe4f330eb4edc6ec394

16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db

2ded75ea4e55ed1dad579b9ce0eb01b2

78b3b382b27b07f18f09806475b02abed7f2ff77

cf87a2ac51503d645e827913dd69f3d80b66a58195e5a0044af23ea6ba46b823

 

Reference

[1] “Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-055a.

[2] “Iranian intel cyber suite of malware uses open source tools,” U.S. Cyber Command, Jan. 12, 2022. [Online]. Available: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/.

DISCOVER
MORE RESOURCES

How to Build a Red Teaming Attack Scenario | Part 1 - Bypass Security Controls

Read More

MITRE ATT&CK T1082 System Information Discovery

Read More

TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign

Read More