MuddyWater: From Canaries to Turkeys

In January 2022, U.S. Cyber Command attributed MuddyWater to the Iranian Ministry of Information and Security, which caught the attention of the cyber security community. The reason being the fact that

From late 2021 through 2022, the Iran-based threat actor MuddyWater conducted several operations using different methods of operation, targeting victims in different geographies including Europe, the Middle East and Asia. This culminated in U.S. Cyber Command attributing the group to Iran’s Ministry of Intelligence Services (MOIS) instead of the IRGC, as was previously believed. These campaigns show the flexibility and capability of this group when it comes to employing different methods of operation to achieve their goals.

We will start by describing three very distinct MuddyWater campaigns which are linked together by methods of operation and tools. The campaigns consisted of highly targeted attacks on Turkish governmental organizations. This was the first campaign that we saw using Canarytokens to signal payload activation. Our analysis of this method led us to create different hypotheses for the usage of this novel method:

* Bypass URL analyses - If the Canary token is not activated, then the C2 would not deliver the payload. This thwarts an isolated analysis of the C2 payload URL.
* Determination of the C2 URL blocking - Several requests to the token without any requests to the C2 indicate blocking of the C2 by a victim’s organization.
* Anti-analysis checks - Canary token requests followed immediately by a request for the payload within a reasonable timeframe may also be used to detect automated analysis, such as sandbox-based analysis. This is essentially a timing check of sorts.
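The sequence these hypotheses rely on (a token request, then a payload request) is also visible from the defender's side. The following is an added example, not material from the talk: a proxy-log hunt that pairs each request to a Canarytokens host with the same client's next request elsewhere. The log format, the 30-second window, the token host list and every sample line are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO time> <client> <action> <host> <path>".
# Addresses, .example hosts and token paths are placeholders, not indicators.
SAMPLE_LOG = """\
2022-01-10T09:00:00 10.0.0.5 ALLOW canarytokens.com /constructed-token-1
2022-01-10T09:00:03 10.0.0.5 ALLOW files.example /doc.exe
2022-01-10T09:05:00 10.0.0.7 ALLOW canarytokens.com /constructed-token-2
2022-01-10T09:05:02 10.0.0.7 DENY files.example /doc.exe
2022-01-10T09:09:00 10.0.0.9 ALLOW canarytokens.com /constructed-token-3
2022-01-10T09:30:00 10.0.0.9 ALLOW intranet.example /home
"""

def parse(line):
    """Split one log line into (time, client, action, host, path)."""
    ts, client, action, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, action, host, path

def hunt(log_text, token_hosts=("canarytokens.com",), window_s=30):
    """Pair each token request with the client's next non-token request.

    Returns (client, token_path, verdict, follow_up_host) tuples. Verdicts:
      followed_allowed - follow-up request went through (triage first)
      followed_denied  - follow-up request was blocked by the proxy
      token_only       - no follow-up from that client inside the window
    """
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    window = timedelta(seconds=window_s)
    findings = []
    for i, (ts, client, _action, host, path) in enumerate(events):
        if host not in token_hosts:
            continue
        verdict, follow = "token_only", None
        for ts2, client2, action2, host2, _path2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are time-sorted, nothing later can match
            if client2 == client and host2 not in token_hosts:
                verdict = "followed_allowed" if action2 == "ALLOW" else "followed_denied"
                follow = host2
                break
        findings.append((client, path, verdict, follow))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Legitimate Canarytokens deployments produce the same token requests, so the output is a triage list, not a verdict on any host.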

This campaign also had a mixed stage payload delivery: on one side it used the common malicious VBA macros via Office documents; on the other it used double-extension executables that seem to have been created with a builder. This builder was also used in other campaigns, targeting Armenia and Pakistan. It seems to be a recent addition to MuddyWater’s arsenal, first seen in the wild around mid 2021, and can expedite the creation of new campaigns with little to no effort. Interestingly, the Pakistani wave was the first observed instance of the group’s use of the token system. In this attack instance, the group used their own servers/remote locations to record infection tokens. This technique was then migrated to Canarytokens, as observed in the previous campaign targeting Turkey.

In the meantime, we also uncovered a third campaign using yet another method of infection. This time MuddyWater used a WSF-based RAT to execute remote commands, which usually culminates in the installation of a commercial remote administration tool such as remote viewers. This seems to be the preferred method of operation for targeting countries in the Arabian Peninsula.

Finally, our presentation will end with a review of the timeline of the campaigns and tool capabilities, describing their evolution over the course of 2021 and covering the three different campaigns that MuddyWater has carried out. We will demonstrate that the group tested some techniques in some campaigns and adopted them in later campaigns as a definitive modus operandi. The mix and match of some campaigns raises the possibility that MuddyWater is in fact a collective of groups working together and sharing tools, where each group focuses on specific regions of the world, while sharing techniques and procedures across the teams.

With this presentation the audience will have a better understanding of the MuddyWater APT group, their methods of operation and their tools, all placed in the context of their evolution and usage.