digraph {
label=<Muddy Water
Multiple campaigns attributed to an Iranian state-based actor.
Author: Mia Sanchez <msanchez@mitre.org>
Created: 2022-10-27 02:44:54.520000+00:00
Modified: 2024-01-24 15:57:08.572000+00:00>;
labelloc="t";
"threat-actor--271b7d86-4114-418a-80e5-e085637585f1" [label=<
Threat Actor | |
Name | MuddyWater |
Description | APT group attributed to Iran's Ministry of Intelligence and Security (MOIS) |
First Seen | 2017-01-01 00:00:00+00:00 |
Sophistication | strategic |
Resource Level | government |
Primary Motivation | organizational-gain |
Campaign | |
Name | Turkey |
Description | Targets Turkish private organizations and governmental institutions. Used malicious PDFs, XLS files, Windows executables, malicious PowerShell-based downloaders, and canary tokens |
First Seen | 2021-11-01 04:00:00+00:00 |
Objective | espionage |
Action: T1566.001 | |
Name | Spearphishing Attachment |
Description | This campaign begins by delivering malicious PDF attachments with embedded links to victims via email |
Confidence | Very Probable |
Action: T1204.001 | |
Name | Malicious Link |
Description | The PDF gives an error message, prompting the user to click on a link to the file hosting domain and download a malicious XLS file containing macros. |
Confidence | Very Probable |
Infrastructure | |
Name | File hosting domain |
Description | snapfile[.]org hosts malicious Excel documents (XLS maldocs) and executables |
Infrastructure Types | hosting-malware |
Tool | |
Name | XLS maldocs |
Description | Malicious Excel documents delivered to a victim in the form of a PDF document with embedded links. Some files had Turkish language names and masqueraded as legitimate documents. |
Tool Types | exploitation |
Condition | |
Description | User opens the PDF attachment |
Action: T1547.001 | |
Name | Registry Run Keys / Startup Folder |
Description | The VBA macro creates a VB script that sets up persistence by creating a malicious Registry Run key for the infected user: HKCU\\Software\\Microsoft\\windows\\CurrentVersion\\Run | <random> |
Confidence | Very Probable |
Action: T1059.005 | |
Name | Visual Basic |
Description | An intermediate VB Script file is used to execute a dropped PowerShell script for persistence |
Confidence | Very Probable |
Action: T1059.001 | |
Name | PowerShell |
Description | The PS script is located in the maldoc's metadata, with later versions obfuscated, and is dropped by the macro. It uses the VB Script file to execute. It downloads and executes another PowerShell script from a remote location. It attempts twice to download the PowerShell script, with a custom timeout of 40 seconds and a custom user agent. |
Confidence | Very Probable |
Action: T1566.001 | |
Name | Spearphishing Attachment |
Description | This campaign begins by delivering malicious PDF attachments with embedded links to victims via email. |
Confidence | Very Probable |
Action: T1204.001 | |
Name | Malicious Link |
Description | The PDF gives an error message, prompting the user to click on a link to the file hosting domain |
Confidence | Very Probable |
Infrastructure | |
Name | File hosting domain |
Description | snapfile[.]org hosts malicious executables |
Infrastructure Types | hosting-malware |
Tool | |
Name | Windows Executables |
Description | Malicious executables delivered to a victim in the form of a PDF document with embedded links. Some files had Turkish language names and masqueraded as legitimate documents. |
Tool Types | exploitation |
Condition | |
Description | User opens the PDF attachment |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | The file hosting domain dropped a malicious executable. |
Confidence | Very Probable |
Asset: Specific executable file | |
Description | Surec_No_cc2021-pdf377811f-66ad-4397-bd35-3247101e2fda-eta332018.exe |
Action: T1036 | |
Name | Masquerading |
Description | A decoy PDF or Office document in hex format is dropped into the user's temporary folder. The hex representation of the decoy document is decoded to create a readable copy in the %temp% folder |
Confidence | Very Probable |
Condition | |
Description | The executable runs |
Condition | |
Description | Decoy file is opened by the system PDF or document reader and displayed to the victim |
Action | |
Name | Directory created |
Description | Implant creates directory in user's home folder |
Confidence | Very Probable |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | Implant drops an instrumentor script called ".CloudCache.conf", which is used to activate the next stage from disk |
Confidence | Very Probable |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | Implant drops a downloader script called ".CloudDrive.conf", which is used to download the next stage from a remote location for execution on the endpoint |
Confidence | Very Probable |
Action: T1547.001 | |
Name | Registry Run Keys / Startup Folder |
Description | A Registry Run key for the infected user: HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN | <Some Application Name> |
Confidence | Very Probable |
Tool | |
Name | LoLBin |
Description | The LoLBin DLL called SyncAppvPublishingServer.vbs is sometimes used to execute the PowerShell script on reboot or re-login |
Tool Types | exploitation |
Action | |
Name | Execution |
Description | SyncAppvPublishingServer.vbs is used to execute the code stored in the instrumentor script |
Confidence | Very Probable |
Action: T1140 | |
Name | Deobfuscate/Decode Files or Information |
Description | The instrumentor script base64-decodes the contents of the download script |
Confidence | Very Probable |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | The downloader script downloads and executes another PowerShell script from a remote location. |
Confidence | Very Probable |
Condition | |
Description | The downloaded PowerShell scripts execute in order. |
Tool | |
Name | SyncAppvPublishingServer.vbs |
Description | A LoLBin DLL |
Tool Types | exploitation |
Action | |
Name | Execution |
Description | The instrumentor script executes the decoded download script |
Confidence | Very Probable |
Note | |
Abstract | Older variant of the campaign |
Content | This path shows the behaviors observed in earlier campaigns. This is the path explained in the Attack Flow "Best Practices" guide. |
Object Refs | attack-action--2cdde459-21d7-424b-8cfe-676dee071b83 |
Note | |
Abstract | Newer variation of the campaign |
Content | This path shows the behaviors observed in later campaigns. |
Object Refs | attack-action--eba614a5-5809-4986-b216-1aa171df0dec |
Note | |
Abstract | Evolution of Maldocs |
Content | The maldocs from the campaign show an evolution of their implementation, resulting in completely obfuscated versions. Some documents contain subtle changes, such as including information in the metadata fields, indicating that the attackers were potentially testing different versions of the maldocs. Initial versions of the maldocs included an un-obfuscated PowerShell payload in the document's comments fields. Subsequent iterations included obfuscated code blocks. |
Object Refs | attack-action--1695cced-1223-43ce-87b5-4c0ed7b1a4ad |
Note | |
Abstract | Tracking Tokens |
Content | Tracking Tokens: Tracking Infections - A token created by the same user as the canary token. Attackers use this token to track who is detonating the malicious code and to keep track of successful infections. Tracking Tokens: Anti-Analysis - Systems housing malicious payloads may require multiple, simultaneous requests to the token. This requirement would prevent researchers from requesting the malicious payloads without first registering with the canary tokens via an HTTP request. Tracking Tokens: Timing Checks - A short time interval between token requests and payload requests can indicate automated analysis in a sandbox. Attackers could prevent payloads from downloading if the timing between requests is too short. Tracking Tokens: Blocked Infrastructure - The tokens can be monitored to determine whether payloads are not being requested from the payload server. Repeated requests to the canary tokens, but not to the payload server, could indicate that the payload server is being blocked. |
Object Refs | attack-action--8ad927ad-f4b2-44f4-b81c-052f7f0f8245 |
Note | |
Abstract | Executables |
Content | Executables use a Turkish name and could be delivered via a malicious PDF or independently. |
Object Refs | attack-action--68b96b87-8744-49dd-9028-437cea0aa4ef |
Action | |
Name | Canary Tokens |
Description | Included in the latest versions of the VBA code. Canary tokens are embedded in objects like documents, web pages, and emails. When the object is opened, an HTTP request to canarytokens.com is generated and alerts the token's owner that the object was opened. VBA code can make HTTP requests to a canary token from canarytokens[.]com. The token silently executes twice during the VBA macro execution. |
Confidence | Very Probable |
Action: T1059.001 | |
Name | PowerShell |
Description | The PS script is located in the maldoc's metadata, with later versions obfuscated, and is dropped by the macro. It uses the VB Script file to execute. It downloads and executes another PowerShell script from a remote location. It attempts twice to download the PowerShell script, with a custom timeout of 40 seconds and a custom user agent. |
Confidence | Very Probable |
Action | |
Name | Collection |
Description | Collects intellectual property data from private entities, universities, and research labs. |
Confidence | Speculation |
Action: T1486 | |
Name | Data Encrypted for Impact |
Description | |
Confidence | Speculation |
Action | |
Name | Exfiltration |
Description | Exfiltrate intellectual property. |
Confidence | Speculation |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | The downloader script downloads and executes another PowerShell script from a remote location. |
Confidence | Very Probable |
Action: T1059.001 | |
Name | PowerShell |
Description | Executes a final payload stage. |
Confidence | Speculation |
Note | |
Abstract | Speculation |
Content | Cisco researchers were unable to obtain a copy of the final stage payload for analysis; they speculated this final part of the flow based on prior MuddyWater behavior. |
Object Refs | attack-action--c1c8d659-2a90-415a-a671-5ee7a3e1510e |
Action: T1105 | |
Name | Ingress Tool Transfer |
Description | The Excel macros download and execute additional malware stages. |
Confidence | Very Probable |
Action: T1059.005 | |
Name | Visual Basic |
Description | The VBA Macros in the Excel file begin executing the infection chain. |
Confidence | Very Probable |
File | |
Name | Teklif_form_onaylı.xls |
Mime Type | application/vnd.ms-excel |
Defanged | False |
Action: T1204.002 | |
Name | Malicious File |
Description | The link drops a malicious Excel file that contains VBA macros. |
Confidence | Very Probable |
Action: T1218 | |
Name | System Binary Proxy Execution |
Description | LoLBin DLL called pcwutl.dll is sometimes used to execute the VBScript on reboot or re-login. |
Confidence | Very Probable |