U.S. Cyber Command has exposed a number of open-source tools that it said are being used by the MuddyWater APT, while also officially linking the threat actor to Iran's intelligence agency.
The 17 samples released by Cyber Command to VirusTotal include different parts of DLL side-loading chains that the actor uses to trick legitimate programs into running malware, obfuscated PowerShell scripts that hide command-and-control functions, and JavaScript files that establish connections to actor-controlled infrastructure.
“Should a network operator identify multiple of the tools on the same network, it may indicate the presence of Iranian malicious cyber actors,” said Cyber Command in a Wednesday post.
MuddyWater has previously been linked to a collection of groups known for conducting Iranian activities that utilize an array of tactics to maintain access to victim networks. The group, which has been tracked by researchers since at least 2017, has launched attacks against governmental targets in the Middle East, including Iraq and Saudi Arabia, as well as Europe and North America. Most recently, the actor was tied to an attack targeting an unnamed Asian airline that used a new backdoor.
Cyber Command solidified this attribution Wednesday, officially confirming that MuddyWater is a “subordinate element” within Iran's Ministry of Intelligence and Security (MOIS). The Department of Defense's cybersecurity arm has periodically released samples attributed to various threat actors, including ones posted in April 2021 linked to APT29 actors for network infiltration through the SolarWinds supply chain compromise.
Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said that there was previously an assumption by some security researchers that MuddyWater was linked to the Islamic Revolutionary Guard Corps (IRGC), Iran's elite military force, rather than MOIS. However, Cyber Command’s new announcement has “set the record straight,” he said.
“Since the discovery of this cluster of activity, you’ve seen people immediately attribute this to Iran and assume there are Iranian state interests involved, but I don’t think any private sector researchers were able to cross beyond that. It’s amazing to see Cyber Command step in and set the record straight and say this is MOIS… I think we can take it in good faith that they have their reasons for making this assertion.”
"There’s a reason why you really want to pool all this data together and make sure everyone is sharing visibility because everybody is getting a portion of the puzzle."
The samples include malware called PowGoop, which was previously analyzed by Palo Alto Networks’ Unit 42 security team as part of a 2020 cyberattack. In this attack, researchers said actors utilized PowGoop as a downloader while deploying the Thanos ransomware at a Middle Eastern state-run organization. PowGoop contains two components, they said: a DLL loader, responsible for decrypting and running PowerShell-based code, and the subsequent PowerShell-based downloader. The loader has the filename goopdate.dll and is likely sideloaded by a legitimate Google Update executable.
U.S. Cyber Command referenced this sideloading process while pointing to three PowGoop samples identified in a folder with several other legitimate executables and DLLs. The loader DLL, goopdate.dll, runs when the non-malicious, legitimate GoogleUpdate.exe file runs. This in turn leads to a series of de-obfuscations that eventually runs a PowerShell script, which establishes network communication with the PowGoop command-and-control (C2) server. Goopdate.dll hides its communications with the C2 by executing with Google Update service, according to Cyber Command.
SentinelOne researchers said on Wednesday they have also identified newer variants of the PowGoop loader that show that, beyond GoogleUpdate.exe, the threat group has also abused additional non-malicious pieces of software in order to sideload the malicious DLLs, including Git.exe, FileSyncConfig.exe and Inno_Updater.exe.
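The side-loading pattern described above, where a legitimate host binary such as GoogleUpdate.exe loads a malicious goopdate.dll sitting beside it, can be hunted for in image-load telemetry. The following is an added example written for this article, not code from Cyber Command, SentinelOne or Unit 42: it parses constructed log lines in an assumed `host=... proc=... dll=...` format, flags any of the four host executables the article names when they load a DLL from their own directory and that directory is outside the usual install locations, and then applies Cyber Command's "multiple of the tools on the same network" condition per host. The log format, the trusted-directory list, the hostnames and the DLL name `libcurl.dll` in the sample are all assumptions for the demo, not indicators from the article.

```python
"""
Added example (not from the article, Cyber Command, SentinelOne or Unit 42):
heuristic detection of the DLL side-loading pattern the article describes,
run over constructed image-load log lines.
"""
import re
from collections import defaultdict

# Host executables the article names as abused for side-loading.
SIDELOAD_HOSTS = {"googleupdate.exe", "git.exe", "filesyncconfig.exe", "inno_updater.exe"}

# Directories from which a trusted host binary would normally run.
# Assumption for the example; tune to your environment.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample log in an assumed "host=<name> proc=<path> dll=<path>" format.
# ws01 is a genuine Google Update load; ws02 shows the side-loading pattern
# (libcurl.dll is a made-up DLL name for the Git.exe case, not an indicator
# from the article); ws03 is unrelated benign activity.
SAMPLE_LOG = """\
host=ws01 proc=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe dll=C:\\Program Files (x86)\\Google\\Update\\goopdate.dll
host=ws02 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\GoogleUpdate.exe dll=C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\goopdate.dll
host=ws02 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\git\\Git.exe dll=C:\\Users\\alice\\AppData\\Local\\Temp\\git\\libcurl.dll
host=ws03 proc=C:\\Windows\\System32\\notepad.exe dll=C:\\Windows\\System32\\kernel32.dll
"""

# Non-greedy match on proc so paths containing spaces still parse.
LINE_RE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>.+?) dll=(?P<dll>.+)$")


def parse_line(line):
    """Return {'host', 'proc', 'dll'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_sideload(event):
    """True when a named host binary loads a DLL from its own directory
    and that directory lies outside the trusted install locations.
    A goopdate.dll next to GoogleUpdate.exe under Program Files is normal;
    the same pair under a user-writable temp folder is not."""
    if _basename(event["proc"]) not in SIDELOAD_HOSTS:
        return False
    proc_dir = _dirname(event["proc"])
    if proc_dir != _dirname(event["dll"]):
        return False
    return not proc_dir.startswith(TRUSTED_DIRS)


def find_sideloads(log_text):
    """Return {hostname: [(host_exe, dll_name), ...]} for suspicious loads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_suspicious_sideload(ev):
            hits[ev["host"]].append((_basename(ev["proc"]), _basename(ev["dll"])))
    return dict(hits)


def hosts_with_multiple_tools(hits):
    """Hosts on which more than one distinct abused host binary appears,
    i.e. Cyber Command's 'multiple of the tools' condition."""
    return sorted(h for h, loads in hits.items() if len({exe for exe, _ in loads}) > 1)


if __name__ == "__main__":
    found = find_sideloads(SAMPLE_LOG)
    for host, loads in found.items():
        print(host, loads)
    print("hosts with multiple tools:", hosts_with_multiple_tools(found))
```

The directory comparison is what keeps this from firing on every genuine Google Update installation: goopdate.dll is a legitimate component of that product, so the name alone is not an indicator, and only its appearance beside a copy of the host executable in an unexpected location is worth an alert. Real deployments would feed this from Sysmon event ID 7 or an EDR's image-load stream rather than the constructed text above.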
“We identified newer variants of PowGoop loader that involve significant changes, suggesting the group continues to use and maintain it even after recent exposures,” SentinelOne researchers said. “The new variants reveal that the threat group has expanded its arsenal of legitimate software used to load malicious DLLs.”
Cyber Command also shed light on additional PowGoop DLL side-loading variants, which consist of open-source code used for espionage and ransomware. Additional PowGoop loader variants were also identified that de-obfuscate a PowerShell script enabling attacker command-and-control functions, and PowGoop C2 beacon variants were highlighted that reach out from victim networks and contact malicious infrastructure. Finally, Cyber Command highlighted JavaScript samples associated with groups employing PowGoop that issue a GET request to malicious servers, and a Mori backdoor sample that Cyber Command said has been employed by bad actors for espionage.
Guerrero-Saade said some of these tools hadn’t been seen before, such as the JavaScript frameworks, giving valuable insights into MuddyWater’s operations.
“MuddyWater has been tracked extensively and people stay abreast of them because they are so prolific,” he said. “The activity sets weren’t unfamiliar to us, but there was more than we’d seen and there were variations we hadn’t seen. There’s a reason why you really want to pool all this data together and make sure everyone is sharing visibility because everybody is getting a portion of the puzzle.”