Fooder is a custom 64-bit C/C++ loader used by MuddyWater that can decrypt and reflectively load embedded payloads such as a go-socks5 proxy utility, the open-source HackBrowserData infostealer, or the MuddyViper backdoor. Fooder has frequently masqueraded as an entertainment executable, such as the Snake game (e.g., Snake_Game.exe).[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Fooder has used the |
| Enterprise | T1678 | Delay Execution | Fooder has used a custom delay function ( |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Fooder has decrypted payloads using the WinCrypt API and the AES key.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Fooder has frequently masqueraded as the Snake game, using strings such as "Welcome to snake Game" and mutexes such as "SNAKE_G."[1] |
| Enterprise | T1106 | Native API | Fooder has used the WinCrypt API for payload decryption, |
| Enterprise | T1027 | Obfuscated Files or Information | Fooder has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified at runtime to produce the AES decryption key.[1] |
| Enterprise | T1620 | Reflective Code Loading | |

| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | MuddyWater has used Fooder during operations.[1] |