1. Home
  2. Software
  3. Mori

Mori

Mori is a backdoor that has been used by MuddyWater since at least January 2022.[1][2]

ID: S1047
Type: MALWARE
Platforms: Windows
Contributors: Ozer Sarilar, @ozersarilar, STM
Version: 1.0
Created: 30 September 2022
Last Modified: 17 October 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.[1]
.004 Application Layer Protocol: DNS

Mori can use DNS tunneling to communicate with C2.[1][2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Mori can use Base64 encoded JSON libraries used in C2.[1]
Enterprise T1001 .001 Data Obfuscation: Junk Data

Mori has obfuscated the FML.dll with 200MB of junk data.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Mori can resolve networking APIs from strings that are ADD-encrypted.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

Mori can delete its DLL file and related files by Registry value.[1]
Enterprise T1112 Modify Registry

Mori can write data to HKLM\Software\NFC\IPA and HKLM\Software\NFC\ and delete Registry values.[1][2]
Enterprise T1012 Query Registry

Mori can read data from the Registry including from HKLM\Software\NFC\IPA andHKLM\Software\NFC\.[1]
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Mori can use regsvr32.exe for DLL execution.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[1]

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.