MuddyWater

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to FIN7, but the group is believed to be a distinct group possibly motivated by espionage.[1][2][3][4][5]

ID: G0069
Associated Groups: Seedworm, TEMP.Zagros
Version: 2.3
Created: 18 April 2018
Last Modified: 29 July 2020

Associated Group Descriptions

Name Description
Seedworm

[2]

TEMP.Zagros

[6]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MuddyWater has used HTTP for C2 communications.[4]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.[6][7][8][5]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

MuddyWater has used a custom tool for creating reverse shells.[2] MuddyWater has used JavaScript files to execute its POWERSTATS payload.[6][9][7][2][3]

.001 Command and Scripting Interpreter: PowerShell

MuddyWater has used PowerShell for execution.[6][9][7][2][3][8][5]

.005 Command and Scripting Interpreter: Visual Basic

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[6][9][7][2][3][4][5]

Enterprise T1555 Credentials from Password Stores

MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.[1][2]

.003 Credentials from Web Browsers

MuddyWater has run a tool that steals passwords saved in victim web browsers.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

MuddyWater has base64 encoded C2 communications.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[6][9][3]

Enterprise T1041 Exfiltration Over C2 Channel

MuddyWater has used C2 infrastructure to receive exfiltrated data.[5]

Enterprise T1203 Exploitation for Client Execution

MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.[4]

Enterprise T1083 File and Directory Discovery

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[7]

Enterprise T1105 Ingress Tool Transfer

MuddyWater has used malware that can upload additional files to the victim’s machine.[7][3][5]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.[7]

.001 Inter-Process Communication: Component Object Model

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[7][4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

MuddyWater has used filenames and Registry key names associated with Windows Defender.[6][8]

Enterprise T1104 Multi-Stage Channels

MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.[8]

Enterprise T1027 Obfuscated Files or Information

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework.[1][10] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[1][6][7][8][4]

.004 Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[3]

.003 Steganography

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.[3]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

MuddyWater has used a Word Template, Normal.dotm, for persistence.[5]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MuddyWater has performed credential dumping with Mimikatz.[1][2]

.004 OS Credential Dumping: LSA Secrets

MuddyWater has performed credential dumping with LaZagne.[1][2]

.005 OS Credential Dumping: Cached Domain Credentials

MuddyWater has performed credential dumping with LaZagne.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.[1][6][7][4]

Enterprise T1057 Process Discovery

MuddyWater has used malware to obtain a list of running processes on the system.[7][4]

Enterprise T1090 .002 Proxy: External Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.[2] MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

MuddyWater has used scheduled tasks to establish persistence.[5]

Enterprise T1113 Screen Capture

MuddyWater has used malware that can capture screenshots of the victim’s machine.[7]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[7]

.003 Signed Binary Proxy Execution: CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[6]

.005 Signed Binary Proxy Execution: Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[6][7]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[7]

Enterprise T1082 System Information Discovery

MuddyWater has used malware that can collect the victim’s OS version and machine name.[7][8][5]

Enterprise T1016 System Network Configuration Discovery

MuddyWater has used malware to collect the victim’s IP address and domain name.[7]

Enterprise T1033 System Owner/User Discovery

MuddyWater has used malware that can collect the victim’s username.[7]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

MuddyWater has run a tool that steals passwords saved in victim email.[2]

Enterprise T1204 .002 User Execution: Malicious File

MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[1][6][7][8][4][5]

Enterprise T1047 Windows Management Instrumentation

MuddyWater has used malware that leveraged WMI for execution and querying host information.[7][3][8]

Software

ID Name References Techniques
S0488 CrackMapExec [11][2] Account Discovery: Domain Account, Brute Force: Password Guessing, Brute Force, Brute Force: Password Spraying, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At (Windows), System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0363 Empire [11] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0250 Koadic [5][11] Abuse Elevation Control Mechanism: Bypass User Account Control, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Data from Local System, Encrypted Channel: Asymmetric Cryptography, Ingress Tool Transfer, Network Service Scanning, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Signed Binary Proxy Execution: Rundll32, Signed Binary Proxy Execution: Mshta, Signed Binary Proxy Execution: Regsvr32, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation
S0349 LaZagne [2][11] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Keychain, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [1][11] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0194 PowerSploit [11] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Portable Executable Injection, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0223 POWERSTATS [1][6][3][2][4] Account Discovery: Local Account, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript/JScript, Commonly Used Port, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Dynamic Data Exchange, Inter-Process Communication: Component Object Model, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Process Discovery, Proxy: External Proxy, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Mshta, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0450 SHARPSTATS [11] Command and Scripting Interpreter: PowerShell, Ingress Tool Transfer, Obfuscated Files or Information, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References