MAR–10369127–1.v1 – MuddyWater

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) to provide detailed analysis of 23 files identified as MuddyWater tools. MuddyWater is a group of Iranian government-sponsored advanced persistent threat actors that conducts cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.

FBI, CISA, CNMF, NCSC-UK, and NSA are distributing this MAR to enable network defense and reduce exposure to Iranian government malicious cyber activity. For more information on malicious Iranian government cyber activity, visit CISA's webpage at https://www.cisa.gov/uscert/iran.

Of the 23 malware samples analyzed, 14 files were identified as variants of the POWGOOP malware family. Two files were identified as JavaScript files that contain a PowerShell beacon. One file was identified as a Mori backdoor sample. Two malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim's system data to a command and control (C2).

The POWGOOP samples were discovered as Windows executables (not included this report) and contain three components:

1)    A dynamic-link library (DLL) file renamed as a legitimate filename to enable the DLL side-loading technique.
2)    An obfuscated PowerShell script, obfuscated as a .dat file used to decrypt a file named "config.txt."
3)    An encoded PowerShell script, obfuscated as a text file containing a beacon to a hardcoded Internet Protocol (IP) address.

These components retrieve encrypted commands from a C2 server. The command is decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.

For a downloadable copy of IOCs, see: MAR-10369127-1.v1.stix.

Click here for a PDF version of this report.

Submitted Files (19)

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141 (Cooperation terms.xls)

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa (goopdate.dll)

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82 (goopdate.dat)

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a (TeresitaJordain_config.txt)

3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8 (FML.dll)

42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986 (rj.js)

4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c (ZaibCb15Ak.xls)

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f (Config2.txt)

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4 (Dore.dat)

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7 (Config.txt)

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051 (libpcre2-8-0.dll)

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2 (AntheHannah_config.txt)

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c (note.js)

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504 (Core.dat)

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a (config.txt)

ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9 (config.txt)

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92 (vcruntime140.dll)

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13 (Core.dat)

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca (HeidieLeone.txt)

Additional Files (4)

c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e (Outlook.wsf)

d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0 (Outlook.wsf)

ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418 (Outlook.wsf)

f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0 (Outlook.wsf)

IPs (7)

185.117.75.34

185.118.164.21

185.183.96.44

185.183.96.7

192.210.191.188

5.199.133.149

88.119.170.124

12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file was identified as a launcher and is contained within an executable "GoogleUpdate.exe" (not included in this submission). The DLL is renamed as a legitimate filename "goopdate.dll" to enable a DLL side-loading technique. Note: goopdate.dll is the name of a module belonging to Goopdate from Google Inc. The DLL side-loading technique is used to rename a malicious DLL to the name of a dependent file of a legitimate executable in order to execute its malicious code. For this variant, GoogleUpdate.exe depends on a legitimate file ‘goopdate.dll’. The malicious POWGOOP DLL is therefore renamed goopdate.dll to force GoogleUpdate.exe to execute the malicious code, which spawns a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function (Figure 1). This results in a PowerShell script, a "goopdate.dat" file (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) decrypting a co-located "config.txt" file (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9), another obfuscated PowerShell script containing the C2 beacon.

Screenshots

2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an obfuscated PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This obfuscated PowerShell script is used to decode and run the additional obfuscated PowerShell script "config.txt" (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

Screenshots

ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an encrypted PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This PowerShell script is decoded by "goopdate.dat" (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) and contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]183[.]96[.]7:443/index.php
--End C2 IP address--

The malware used the hardcoded C2 to pass remote commands to the victim machine. The encrypted commands are decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.

The script uses 1-3 randomly generated human names as variables and function names (Figure 4). The script uses a modified Base64 routine adding or subtracting by 2, using two consecutive functions (Base64Dec, QueenieSusanneAvril) to decrypt remote commands to execute locally and two consecutive functions (Marlie, Kassandra) to encrypt the result and pass to the “Cookie:” parameter to be passed back to the C2 node.

The config.txt can be run separately as a .ps1 PowerShell script to execute the de-obfuscated code, which results in the victim machine pulling down any command the threat actor places in the index.php file located at 185[.]183[.]96[.]7:443 (ie. 'whoami') and executes locally on the victim machine. The script exfiltrates the result of the command in a Base64 encoded string passed through the 'Cookie: <Base64_encoded_string>' part of the packet (Figure 6).

Screenshots

185.183.96.7

Tags

command-and-control

URLs

• 185.183.96.7/index.php

Ports

• 443 TCP

Whois

Queried whois.ripe.net with "-B 185.183.96.7"...

% Information related to '185.183.96.0 - 185.183.96.255'

% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'

inetnum:        185.183.96.0 - 185.183.96.255
netname:        EU-HOSTSAILOR
descr:         HostSailor NL Services
country:        NL
admin-c:        AA31720-RIPE
tech-c:         AA31720-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source:         RIPE

person:         Ali Al-Attiyah
address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +971 455 77 845
nic-hdl:        AA31720-RIPE
mnt-by:         MNT-HS
created:        2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source:         RIPE

% Information related to '185.183.96.0/24AS60117'

route:         185.183.96.0/24
descr:         EU-HOSTSAILOR 185.183.96.0/24
origin:         AS60117
mnt-by:         MNT-HS
created:        2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source:         RIPE

Relationships

Description

config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9) attempts to connect to this IP address.

9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This file was identified as a launcher and is renamed as a legitimate filename "libpcre2-8-0.dll" to enable a DLL side-loading technique. Note: libpcre2-8-0.dll is a library for Mingw-w64, an open source software development environment. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This file was identified as a launcher and is renamed as a legitimate filename "vcruntime140.dll" to enable a DLL side-loading technique. Note: vcruntime140.dll is a runtime library for Microsoft Visual Studio. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa).

b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82).

b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]117[.]75[.]34
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.117.75.34

Tags

command-and-control

Ports

• 443 TCP

Whois

Queried whois.ripe.net with "-B 185.117.75.34"...

% Information related to '185.117.75.0 - 185.117.75.255'

% Abuse contact for '185.117.75.0 - 185.117.75.255' is 'abuse@hostsailor.com'

inetnum:        185.117.75.0 - 185.117.75.255
netname:        EU-HOSTSAILOR-20140124
descr:         HostSailor NL Services
country:        NL
admin-c:        AF11712-RIPE
tech-c:         AF11712-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-02-01T08:50:02Z
last-modified: 2016-02-01T08:50:02Z
source:         RIPE

person:         Host Sailor Ltd - Administrative role account
address:        Suite No: 1605, Churchill Executive Tower, Burj Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +97145577845
nic-hdl:        AF11712-RIPE
mnt-by:         MNT-HS
created:        2014-06-30T16:22:26Z
last-modified: 2019-05-29T09:39:31Z
source:         RIPE

Relationships

Description

config.txt (b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a) and HeidieLeone.txt (e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca) attempt to connect to this IP address.

9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
192[.]210[.]191[.]188
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

192.210.191.188

Tags

command-and-control

Ports

• 443 TCP

Whois

Queried whois.arin.net with "n ! NET-192-210-191-0-1"...

NetRange:     192.210.191.0 - 192.210.191.255
CIDR:         192.210.191.0/24
NetName:        CC-192-210-191-0-24
NetHandle:     NET-192-210-191-0-1
Parent:         CC-11 (NET-192-210-128-0-1)
NetType:        Reallocated
OriginAS:     AS36352
Organization: Virtual Machine Solutions LLC (VMSL-100)
RegDate:        2019-03-26
Updated:        2019-03-26
Ref:            https://rdap.arin.net/registry/ip/192.210.191.0

OrgName:        Virtual Machine Solutions LLC
OrgId:         VMSL-100
Address:        12201 Tukwila International Blvd
City:         Seattle
StateProv:     WA
PostalCode:     98168
Country:        US
RegDate:        2016-06-22
Updated:        2020-12-10
Comment:        http://virmach.com/abuse to report abuse.
Ref:            https://rdap.arin.net/registry/entity/VMSL-100

OrgTechHandle: GOLES88-ARIN
OrgTechName: Golestani, Amir
OrgTechPhone: +1-800-877-2176
OrgTechEmail: report@virmach.com
OrgTechRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN

OrgAbuseHandle: GOLES88-ARIN
OrgAbuseName: Golestani, Amir
OrgAbusePhone: +1-800-877-2176
OrgAbuseEmail: report@virmach.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/GOLES88-ARIN

Relationships

Description

Config.txt (9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7) and Config2.txt (5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f) attempt to connect to this IP address.

5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
192[.]210[.]191[.]188
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file was identified as an encrypted PowerShell script; it contains a beacon.

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]183[.]96[.]44
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

185.183.96.44

Tags

command-and-control

Ports

• 443 TCP

Whois

Queried whois.ripe.net with "-B 185.183.96.44"...

% Information related to '185.183.96.0 - 185.183.96.255'

% Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com'

inetnum:        185.183.96.0 - 185.183.96.255
netname:        EU-HOSTSAILOR
descr:         HostSailor NL Services
country:        NL
admin-c:        AA31720-RIPE
tech-c:         AA31720-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HS
created:        2016-12-23T09:52:06Z
last-modified: 2016-12-23T09:52:06Z
source:         RIPE

person:         Ali Al-Attiyah
address:        Suite No: 1605, Churchill Executive Tower, Burf Khalifa Area
address:        Dubai P.O. Box 98362
address:        United Arab Emirates
phone:         +971 455 77 845
nic-hdl:        AA31720-RIPE
mnt-by:         MNT-HS
created:        2016-12-21T19:19:26Z
last-modified: 2019-03-18T14:07:12Z
source:         RIPE

% Information related to '185.183.96.0/24AS60117'

route:         185.183.96.0/24
descr:         EU-HOSTSAILOR 185.183.96.0/24
origin:         AS60117
mnt-by:         MNT-HS
created:        2016-12-23T09:50:04Z
last-modified: 2016-12-23T09:50:04Z
source:         RIPE

Relationships

Description

TeresitaJordain_config.txt (255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a) attempts to connect to this IP address.

e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address:

--Begin C2 IP address--
185[.]117[.]75[.]34
--End C2 IP address--

This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9).

b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a JavaScript file that contains a PowerShell beacon for a GET request to:

--Begin GET request--
185[.]118[.]164[.]21:80/index?param=<computer_name>/<username>
--End GET request--

The JavaScript is launched using the native file “WScript.exe” where the file also creates persistence by copying itself to the user’s Contacts folder and creating a Scheduled Task to relaunch the PowerShell script daily at 10:01. The manifestation function shows the parameters used to build the GET request to 185[.]118[.]164[.]21 and the scheduled task (Figure 7 and Figure 8).

As a persistence mechanism, the manifestation function also copies the file to the User’s Contacts folder, and sets a Scheduled Task to recur daily at 10:01 AM, which would relaunch the PowerShell beacon to 185[.]118[.]164[.]213 (Figure 9).

Screenshots