RustyWater is a Rust-based implant used by MuddyWater. Historically, MuddyWater has relied on PowerShell-based tools; RustyWater reflects a shift in tooling, with improved defense evasion and greater resistance to reverse engineering.[1]
| Name | Description |
|---|---|
| Archer RAT / RUSTRIC | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | RustyWater has gathered the domain membership of the victim machine's user.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RustyWater has used the Rust request library for HTTP C2 communication.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RustyWater has established persistence by adding |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | RustyWater has encoded collected data with Base64.[1] |
| Enterprise | T1622 | Debugger Evasion | RustyWater has registered a Vectored Exception Handler (VEH) to catch debugging efforts.[1] |
| Enterprise | T1678 | Delay Execution | RustyWater has generated random sleep intervals between C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RustyWater has used the WriteHexToFile function to transform an embedded hex string into the payload CertificationKit.ini.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RustyWater has encrypted Base64-encoded data with XOR before sending it to the C2 server.[1] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | RustyWater has used a WScript.Shell COM object to execute the CertificationKit.ini file.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | RustyWater has used reddit.exe as its file name and a Cloudflare logo as its icon.[1] |
| Enterprise | T1106 | Native API | RustyWater has used |
| Enterprise | T1027 | Obfuscated Files or Information | RustyWater has an obfuscated function (e.g., love_me__()) that dynamically reconstructs the string WScript.Shell from hard-coded ASCII values using the Chr() function.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | RustyWater has encrypted all strings in the code using position-independent XOR encryption.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RustyWater has sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primary payload for the next stage.[1] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | RustyWater has injected its shellcode into explorer.exe by allocating memory via |
| Enterprise | T1684.001 | Social Engineering: Impersonation | RustyWater has impersonated TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan, sending phishing emails from the email domain |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | RustyWater has attempted to detect more than 25 antivirus and EDR tools.[1] |
| Enterprise | T1082 | System Information Discovery | RustyWater has gathered the victim machine's computer name.[1] |
| Enterprise | T1033 | System Owner/User Discovery | RustyWater has gathered the victim machine's username.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | RustyWater has used a Word document with a malicious Visual Basic for Applications (VBA) macro; when the macro is enabled, the CertificationKit.ini payload is constructed and executed.[1] |