U.S. Cyber Command has exposed a number of open-source tools that it said are being used by the MuddyWater APT, while also officially linking the threat actor to Iran's intelligence agency.
“Should a network operator identify multiple of the tools on the same network, it may indicate the presence of Iranian malicious cyber actors,” said Cyber Command in a Wednesday post.
MuddyWater has previously been linked to a collection of groups known for conducting Iranian activities that utilize an array of tactics to maintain access to victim networks. The group, which has been tracked by researchers since at least 2017, has launched attacks against governmental targets in the Middle East, including Iraq and Saudi Arabia, as well as Europe and North America. Most recently, the actor was tied to an attack targeting an unnamed Asian airline that used a new backdoor.
Cyber Command solidified this attribution Wednesday, officially confirming that MuddyWater is a “subordinate element” within Iran's Ministry of Intelligence and Security (MOIS). The Department of Defense's cybersecurity arm has periodically released samples attributed to various threat actors, including ones posted in April 2021 linked to APT29 actors for network infiltration through the SolarWinds supply chain compromise.
Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said that there was previously an assumption by some security researchers that MuddyWater was linked to the Islamic Revolutionary Guard Corps (IRGC), Iran's elite military force, rather than MOIS. However, Cyber Command’s new announcement has “set the record straight,” he said.
“Since the discovery of this cluster of activity, you’ve seen people immediately attribute this to Iran and assume there are Iranian state interests involved, but I don’t think any private sector researchers were able to cross beyond that. It’s amazing to see Cyber Command step in and set the record straight and say this is MOIS… I think we can take it in good faith that they have their reasons for making this assertion.”
The samples include malware called PowGoop, which was previously analyzed by Palo Alto Networks’ Unit 42 security team as part of a 2020 cyberattack. In this attack, researchers said actors utilized PowGoop as a downloader while deploying the Thanos ransomware at a Middle Eastern state-run organization. PowGoop contains two components, they said: a DLL loader, responsible for decrypting and running PowerShell-based code, and the subsequent PowerShell-based downloader, which has the filename goopdate.dll and is likely sideloaded by a legitimate Google Update executable.
U.S. Cyber Command referenced this sideloading process while pointing to three PowGoop samples identified in a folder with several other legitimate executables and DLLs. The loader DLL, goopdate.dll, runs when the non-malicious, legitimate GoogleUpdate.exe file runs. This in turn leads to a series of de-obfuscations that eventually runs a PowerShell script, which establishes network communication with the PowGoop command-and-control (C2) server. Goopdate.dll hides its communications with the C2 by executing within the Google Update service, according to Cyber Command.
SentinelOne researchers said on Wednesday they have also identified newer variants of the PowGoop loader that show that, beyond GoogleUpdate.exe, the threat group has also abused additional non-malicious pieces of software in order to sideload the malicious DLLs, including Git.exe, FileSyncConfig.exe and Inno_Updater.exe.
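A defender-side check for the sideloading pattern described above, added here as example code that is not from the article, Cyber Command or SentinelOne: it scans constructed image-load records for goopdate.dll being loaded by the host executables the article names, and counts how many distinct hosts were abused, the "multiple tools on the same network" signal Cyber Command points to. The record format, the sample paths, and the assumption that a legitimate goopdate.dll sits under Google's Update directory are mine.

```python
import ntpath

# Host executables the article names as abused to sideload the PowGoop loader DLL.
SIDELOAD_HOSTS = {"googleupdate.exe", "git.exe", "filesyncconfig.exe", "inno_updater.exe"}
LOADER_DLL = "goopdate.dll"
# Assumption (not stated in the article): a legitimate goopdate.dll lives under Google's Update directory.
LEGIT_DIR_HINT = "\\google\\update\\"

# Constructed image-load records in a simple "Key: value|Key: value" shape; not real telemetry.
SAMPLE_EVENTS = [
    "Computer: ws01|Image: C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"
    "|ImageLoaded: C:\\Program Files (x86)\\Google\\Update\\1.2.3.4\\goopdate.dll",
    "Computer: ws02|Image: C:\\Users\\Public\\Update\\GoogleUpdate.exe"
    "|ImageLoaded: C:\\Users\\Public\\Update\\goopdate.dll",
    "Computer: ws03|Image: C:\\ProgramData\\Git\\Git.exe|ImageLoaded: C:\\ProgramData\\Git\\goopdate.dll",
    "Computer: ws04|Image: C:\\Windows\\System32\\notepad.exe|ImageLoaded: C:\\Windows\\System32\\kernel32.dll",
]

def parse_image_load(line):
    """Split one record into a dict; partition() on the first ':' keeps drive letters intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def classify_load(event):
    """Return a reason if this load matches the sideloading pattern the article describes, else None."""
    host = ntpath.basename(event["image"]).lower()
    dll_path = event["imageloaded"]
    if ntpath.basename(dll_path).lower() != LOADER_DLL or host not in SIDELOAD_HOSTS:
        return None
    if host != "googleupdate.exe":
        # Git.exe, FileSyncConfig.exe and Inno_Updater.exe have no reason to load a Google Update DLL.
        return f"{host} loaded {LOADER_DLL}"
    if LEGIT_DIR_HINT not in dll_path.lower():
        return f"GoogleUpdate.exe loaded {LOADER_DLL} from outside its install directory"
    return None

def find_sideload_candidates(lines):
    """Return flagged (computer, reason) pairs and the number of distinct host executables abused."""
    hits, abused_hosts = [], set()
    for line in lines:
        event = parse_image_load(line)
        reason = classify_load(event)
        if reason:
            hits.append((event["computer"], reason))
            abused_hosts.add(ntpath.basename(event["image"]).lower())
    return hits, len(abused_hosts)
```

Seeing more than one distinct abused host across a network is the stronger signal; a single GoogleUpdate.exe load from an odd path still deserves a look at the folder it came from.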
“We identified newer variants of PowGoop loader that involve significant changes, suggesting the group continues to use and maintain it even after recent exposures,” SentinelOne researchers said. “The new variants reveal that the threat group has expanded its arsenal of legitimate software used to load malicious DLLs.”
“MuddyWater has been tracked extensively and people stay abreast of them because they are so prolific,” Guerrero-Saade said. “The activity sets weren’t unfamiliar to us, but there was more than we’d seen and there were variations we hadn’t seen. There’s a reason why you really want to pool all this data together and make sure everyone is sharing visibility because everybody is getting a portion of the puzzle.”