MAR–10369127–1.v1 – MuddyWater
NotificationThis report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp. SummaryDescriptionThis Malware Analysis Report (MAR) is the result of analytic efforts by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) to provide detailed analysis of 23 files identified as MuddyWater tools. MuddyWater is a group of Iranian government-sponsored advanced persistent threat actors that conducts cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. FBI, CISA, CNMF, NCSC-UK, and NSA are distributing this MAR to enable network defense and reduce exposure to Iranian government malicious cyber activity. For more information on malicious Iranian government cyber activity, visit CISA's webpage at https://www.cisa.gov/uscert/iran. Of the 23 malware samples analyzed, 14 files were identified as variants of the POWGOOP malware family. Two files were identified as JavaScript files that contain a PowerShell beacon. One file was identified as a Mori backdoor sample. Two malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim's system data to a command and control (C2). The POWGOOP samples were discovered as Windows executables (not included this report) and contain three components: 1) A dynamic-link library (DLL) file renamed as a legitimate filename to enable the DLL side-loading technique. These components retrieve encrypted commands from a C2 server. The command is decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine.
For a downloadable copy of IOCs, see: MAR-10369127-1.v1.stix. Click here for a PDF version of this report. Submitted Files (19)026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141 (Cooperation terms.xls) 12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa (goopdate.dll) 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82 (goopdate.dat) 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a (TeresitaJordain_config.txt) 3098dd53da40947a82e59265a47059e69b2925bc49c679e6555d102d1c6cbbc8 (FML.dll) 42ca7d3fcd6d220cd380f34f9aa728b3bb68908b49f04d04f685631ee1f78986 (rj.js) 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c (ZaibCb15Ak.xls) 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f (Config2.txt) 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4 (Dore.dat) 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7 (Config.txt) 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051 (libpcre2-8-0.dll) 9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2 (AntheHannah_config.txt) b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c (note.js) b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504 (Core.dat) b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a (config.txt) ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9 (config.txt) dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92 (vcruntime140.dll) e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13 (Core.dat) e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca (HeidieLeone.txt) Additional Files (4)c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e (Outlook.wsf) d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0 (Outlook.wsf) ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418 (Outlook.wsf) f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0 (Outlook.wsf) IPs (7)185.117.75.34 185.118.164.21 185.183.96.44 185.183.96.7 192.210.191.188 5.199.133.149 88.119.170.124 Findings12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aaTagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. PE Metadata
PE Sections
Packers/Compilers/Cryptors
Relationships
DescriptionThis file was identified as a launcher and is contained within an executable "GoogleUpdate.exe" (not included in this submission). The DLL is renamed as a legitimate filename "goopdate.dll" to enable a DLL side-loading technique. Note: goopdate.dll is the name of a module belonging to Goopdate from Google Inc. The DLL side-loading technique is used to rename a malicious DLL to the name of a dependent file of a legitimate executable in order to execute its malicious code. For this variant, GoogleUpdate.exe depends on a legitimate file ‘goopdate.dll’. The malicious POWGOOP DLL is therefore renamed goopdate.dll to force GoogleUpdate.exe to execute the malicious code, which spawns a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function (Figure 1). This results in a PowerShell script, a "goopdate.dat" file (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) decrypting a co-located "config.txt" file (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9), another obfuscated PowerShell script containing the C2 beacon. Screenshots Figure 1 - Screenshot of GoogleUpdate.exe spawning a Rundll32.exe process to launch goopdate.dll with the DllRegisterServer function. Figure 2 - Screenshot of the PowerShell script being decrypted. 2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an obfuscated PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This obfuscated PowerShell script is used to decode and run the additional obfuscated PowerShell script "config.txt" (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). Screenshots Figure 3 - Screenshot of the de-obfuscated PowerShell script. ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9Details
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an encrypted PowerShell script and is contained within an executable "GoogleUpdate.exe" (not included in this submission). This PowerShell script is decoded by "goopdate.dat" (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82) and contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- The malware used the hardcoded C2 to pass remote commands to the victim machine. The encrypted commands are decrypted on the victim machine and piped into a PowerShell command, sending the results of the command in the Cookie parameter of the return traffic, using the same encryption/Base64 encoding routine. The script uses 1-3 randomly generated human names as variables and function names (Figure 4). The script uses a modified Base64 routine adding or subtracting by 2, using two consecutive functions (Base64Dec, QueenieSusanneAvril) to decrypt remote commands to execute locally and two consecutive functions (Marlie, Kassandra) to encrypt the result and pass to the “Cookie:” parameter to be passed back to the C2 node. The config.txt can be run separately as a .ps1 PowerShell script to execute the de-obfuscated code, which results in the victim machine pulling down any command the threat actor places in the index.php file located at 185[.]183[.]96[.]7:443 (ie. 'whoami') and executes locally on the victim machine. The script exfiltrates the result of the command in a Base64 encoded string passed through the 'Cookie: <Base64_encoded_string>' part of the packet (Figure 6). Screenshots Figure 4 - Screenshot of the script. Figure 5 - Screenshot of the GET request sent over port 443 for "index.php" from the IP address 185[.]183[.]96[.]7. Figure 6 - Screenshot of the GET request. 185.183.96.7Tagscommand-and-control URLs
Ports
WhoisQueried whois.ripe.net with "-B 185.183.96.7"... % Information related to '185.183.96.0 - 185.183.96.255' % Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com' inetnum: 185.183.96.0 - 185.183.96.255 person: Ali Al-Attiyah % Information related to '185.183.96.0/24AS60117' route: 185.183.96.0/24 Relationships
Descriptionconfig.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9) attempts to connect to this IP address. 9d50fcb2c4df4c502db0cac84bef96c2a36d33ef98c454165808ecace4dd2051Tagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. PE Metadata
PE Sections
Packers/Compilers/Cryptors
DescriptionThis file was identified as a launcher and is renamed as a legitimate filename "libpcre2-8-0.dll" to enable a DLL side-loading technique. Note: libpcre2-8-0.dll is a library for Mingw-w64, an open source software development environment. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa). dd7ee54b12a55bcc67da4ceaed6e636b7bd30d4db6f6c594e9510e1e605ade92Tagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. PE Metadata
PE Sections
Packers/Compilers/Cryptors
DescriptionThis file was identified as a launcher and is renamed as a legitimate filename "vcruntime140.dll" to enable a DLL side-loading technique. Note: vcruntime140.dll is a runtime library for Microsoft Visual Studio. This file has similar capabilities as "goopdate.dll" (12db8bcee090521ecf852bf215ce3878737517a22ef1f2ff9bdec7cba8d0d3aa). b5b1e26312e0574464ddef92c51d5f597e07dba90617c0528ec9f494af7e8504Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82). e7baf353aa12ff2571fc5c45184631dc2692e2f0a61b799e29a1525969bf2d13Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82). 7e7545d14df7b618b3b1bc24321780c164a0a14d3600dbac0f91afbce1a2f9f4Tagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. PE Metadata
PE Sections
Packers/Compilers/Cryptors
DescriptionThis file was identified as an obfuscated PowerShell script and is used to decode and run an additional obfuscated PowerShell script. This file is similar to goopdate.dat (2471a039cb1ddeb826f3a11f89b193624d89052afcbee01205dc92610723eb82). b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1aDetails
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). 185.117.75.34Tagscommand-and-control Ports
WhoisQueried whois.ripe.net with "-B 185.117.75.34"... % Information related to '185.117.75.0 - 185.117.75.255' % Abuse contact for '185.117.75.0 - 185.117.75.255' is 'abuse@hostsailor.com' inetnum: 185.117.75.0 - 185.117.75.255 person: Host Sailor Ltd - Administrative role account Relationships
Descriptionconfig.txt (b6133e04a0a1deb8faf944dd79c46c62f725a72ea9f26dd911d6f6e1e4433f1a) and HeidieLeone.txt (e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431eca) attempt to connect to this IP address. 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7Tagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). 192.210.191.188Tagscommand-and-control Ports
WhoisQueried whois.arin.net with "n ! NET-192-210-191-0-1"... NetRange: 192.210.191.0 - 192.210.191.255 OrgName: Virtual Machine Solutions LLC OrgTechHandle: GOLES88-ARIN OrgAbuseHandle: GOLES88-ARIN Relationships
DescriptionConfig.txt (9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7) and Config2.txt (5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564f) attempt to connect to this IP address. 5bcdd422089ed96d6711fa251544e2e863b113973db328590cfe0457bfeb564fTagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). 9ec8319e278d1b3fa1ccf87b5ce7dd6802dac76881e4e4e16e240c5a98f107e2Details
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon. This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). 255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625aDetails
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). 185.183.96.44Tagscommand-and-control Ports
WhoisQueried whois.ripe.net with "-B 185.183.96.44"... % Information related to '185.183.96.0 - 185.183.96.255' % Abuse contact for '185.183.96.0 - 185.183.96.255' is 'abuse@hostsailor.com' inetnum: 185.183.96.0 - 185.183.96.255 person: Ali Al-Attiyah % Information related to '185.183.96.0/24AS60117' route: 185.183.96.0/24 Relationships
DescriptionTeresitaJordain_config.txt (255e53af8b079c8319ce52583293723551da9affe547da45e2c1d4257cff625a) attempts to connect to this IP address. e7f6c7b91c482c12fc905b84dbaa9001ef78dc6a771773e1de4b8eade5431ecaDetails
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file was identified as an encrypted PowerShell script; it contains a beacon to the following hardcoded IP address: --Begin C2 IP address-- This file has similar capabilities as config.txt (ce9bd1acf37119ff73b4dff989f2791eb24efc891a413df58856d848f0bcaee9). b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76cTagstrojan Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. Relationships
DescriptionThis file is a JavaScript file that contains a PowerShell beacon for a GET request to: --Begin GET request-- The JavaScript is launched using the native file “WScript.exe” where the file also creates persistence by copying itself to the user’s Contacts folder and creating a Scheduled Task to relaunch the PowerShell script daily at 10:01. The manifestation function shows the parameters used to build the GET request to 185[.]118[.]164[.]21 and the scheduled task (Figure 7 and Figure 8). As a persistence mechanism, the manifestation function also copies the file to the User’s Contacts folder, and sets a Scheduled Task to recur daily at 10:01 AM, which would relaunch the PowerShell beacon to 185[.]118[.]164[.]213 (Figure 9). Screenshots Figure 7 - Screenshot of the main code for the JavaScript. |