1. Home
  2. Software
  3. Small Sieve

Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]

ID: S1035
Associated Software: GRAMDOOR
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 August 2022
Last Modified: 14 October 2022
Version Permalink

Associated Software Descriptions

Name Description
GRAMDOOR

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Small Sieve can use cmd.exe to execute commands on a victim's system.[2]
.006 Command and Scripting Interpreter: Python

Small Sieve can use Python scripts to execute commands.[2]
Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.[1][2]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[1]
Enterprise T1480 Execution Guardrails

Small Sieve can only execute correctly if the word Platypus is passed to it on the command line.[2]
Enterprise T1105 Ingress Tool Transfer

Small Sieve has the ability to download files.[2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[2]
Enterprise T1027 Obfuscated Files or Information

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[2]
Enterprise T1016 System Network Configuration Discovery

Small Sieve can obtain the IP address of a victim host.[2]
Enterprise T1033 System Owner/User Discovery

Small Sieve can obtain the id of a logged in user.[2]
Enterprise T1102 .002 Web Service: Bidirectional Communication

Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.[2]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[1][2]

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  2. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  1. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.