An array of customized attack tools is helping the MuddyWater advanced persistent threat (APT) group successfully exfiltrate data from its governmental and telco targets in the Middle East; an analysis of this toolset reveals a moderately sophisticated threat actor at work – with the potential to get even more dangerous over time.
An analysis from Kaspersky Lab released Monday shows that post-infection, the gang reaches for multiple, relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based coding. The arsenal includes download/execute tools and remote access trojans (RATs) written in C# and Python; SSH Python scripts; and multiple Python tools for the extraction of credentials, history and more.
Kaspersky Lab also found that the group uses various deception techniques to derail detection efforts, such as Chinese strings, Russian strings and an impersonation of a completely different hacking group known as RXR Saudi Arabia.
A Battalion of RATs and More
Some of MuddyWater’s tools include proprietary efforts such as Nihay, a C# download-and-execute tool. It downloads a PowerShell one-liner from a hardcoded URL, researchers found. Like the other malicious code offerings from MuddyWater, this is a straightforward and simple malware that has but a single job.
Another tool that the researchers observed is a C# RAT called LisfonService. It “randomly chooses a URL from a huge array of hardcoded proxy URLs hiding the real C2 server,” according to the analysis, and is tasked with registering a victim with the C2 by collecting the user name, domain or workgroup name, machine name, machine internal IP address, OS version, OS build and public IP address. This information is used later to request commands from the C2, such as executing PowerShell code or crashing the system.
Another RAT, called Client.Py, is written in Python 3.6 and is a bit more advanced; it supports basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command-execution and displaying an alert message for the victim in a message box.
While most of the tools that MuddyWater uses are custom-developed, there are a handful that are based on more generic and publicly available ones, researchers added.
Deception
Appropriately, given the APT’s name, one of the ways that MuddyWater throws forensics off the trail of attribution is by planting false flags, the analysis shows – including the incorporation of different languages into the coding.
“Multiple Chinese strings can be found in some PowerShell RAT payloads (such as Ffb8ea0347a3af3dd2ab1b4e5a1be18a) that seem to have been left in on purpose, probably to make attribution harder,” according to Kaspersky Lab.
This also holds true for a series of Russian words that researchers found in another PowerShell sample.
“Attackers used Russian words as the RC4 key when establishing a connection to the C2 server,” the team noted. It added, “Interestingly, when visiting the C2, it displays a blank webpage whose HTML source code shows a strange HTML tag value that suggests attackers have tried to impersonate a Saudi hacking group called RXR Saudi Arabia.”
In all, the MuddyWater APT shows the hallmarks of being a moderately sophisticated threat group that has built up a reasonably advanced armory to carry out its efforts. Lately those efforts have included attacks on government and telco targets in Bahrain, Iraq, Jordan, Lebanon, Saudi Arabia and Turkey, as well as a few other countries in nearby regions (Afghanistan, Azerbaijan and Pakistan), researchers said.
“These tools…seem to allow them flexibility to adapt and customize the toolset for victims,” according to Kaspersky Lab. “This continuous capability to steadily adjust and enhance attacks, adapting well to the changing Middle Eastern geopolitical scene, seems to make this actor a solid adversary that keeps growing. We expect it to keep developing or acquiring additional tools and abilities, possibly including zero-days.”