Full Report
The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence. [...]
# Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Actor Identification:** MuddyWater is an Iranian state-sponsored cyber-espionage group.
* **Aliases:** Static Kitten, Mango Sandstorm, Seedworm.
* **Affiliation:** Linked to Iran’s Ministry of Intelligence and Security (MOIS).
* **Associated Groups:** Chaos (used as a decoy/ransomware-as-a-service brand).
## Activity Summary
The reported campaign involves MuddyWater disguising its cyber-espionage activity as a **Chaos ransomware** attack. The operation used social engineering over Microsoft Teams to gain initial access. Although the intrusion carried the hallmarks of criminal activity (data exfiltration, extortion emails, and a listing on the Chaos leak portal), analysis indicates the ransomware was a decoy intended to complicate attribution and mask the primary goal of intelligence gathering.
## Tactics, Techniques & Procedures
* **Social Engineering:** Initiating chats with employees via Microsoft Teams; establishing screen-sharing sessions to harvest credentials.
* **Phishing:** Using fake Microsoft Quick Assist pages to steal credentials.
* **MFA Manipulation:** Modifying multi-factor authentication settings to ensure persistent access.
* **Persistence:** Utilizing RDP, DWAgent, and AnyDesk for remote access and lateral movement.
* **Evasion:** Deployment of ransomware (Chaos) as a "false flag" to hide espionage motives; use of custom loaders with anti-analysis/anti-VM checks.
* **Execution:** Leveraging a custom backdoor (`Game.exe`) disguised as a Microsoft WebView2 application.
* **MITRE ATT&CK Indicators:**
  * T1566 (Phishing)
  * T1213.002 (Data from Information Repositories: Sharepoint/Teams)
  * T1133 (External Remote Services)
  * T1486 (Data Encrypted for Impact - *as a decoy*)
## Targeting
* **Sectors:** Historically targets government organizations; the decoy ransomware brand (Chaos) often targets large-scale enterprises ("big-game hunting").
* **Geography:** Global; the report specifically mentions recent activity targeting organizations in the United States and Israel.
* **Victims:** Over 100 government organizations compromised via a previous backdoor (Phoenix); recent activity includes an Israeli organization (previously masked as a Qilin ransomware attack).
## Tools & Infrastructure
* **Malware Families:**
  * `Game.exe` (Custom backdoor)
  * `ms_upd.exe` (Malware loader)
  * Stagecomp and Darkcomp (Malware attributed via code-signing certificates)
  * Chaos Ransomware (Decoy)
  * Qilin Ransomware (Previous decoy)
* **Legitimate Software (Dual-Use):** AnyDesk, DWAgent, RDP, Microsoft Quick Assist, Microsoft Teams.
* **Infrastructure:** Overlapping infrastructure with known MuddyWater/MOIS operational tradecraft.
## Implications
MuddyWater is demonstrating an increasing convergence between state-sponsored espionage and criminal tradecraft. By adopting the branding and tactics of Ransomware-as-a-Service (RaaS) groups, the group lowers the risk of direct political attribution to the Iranian government. This "ransomware-as-decoy" strategy means researchers must look beyond the final payload (encryption) to the underlying TTPs to determine the true intent of an intrusion.
## Mitigations
* **Communication Controls:** Restrict or monitor external Microsoft Teams chat requests and screen-sharing capabilities.
* **Credential Protection:** Implement robust phishing protections and train employees to recognize social engineering via collaboration platforms.
* **Application Whitelisting:** Restrict execution to approved software and monitor for unauthorized remote access tools such as AnyDesk and DWAgent.
* **MFA Security:** Regularly audit MFA settings and logs for unauthorized changes or "MFA fatigue" attack patterns.
* **Endpoint Monitoring:** Hunt for suspicious processes such as `ms_upd.exe` or unauthorized instances of `WebView2` execution.
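The endpoint-monitoring and remote-access-tool hunts above, as an added example that is not part of the original report: a small triage routine run over constructed process-creation events, flagging the process names the report cites (`ms_upd.exe`, `Game.exe`), a WebView2-branded binary launched from outside the Edge WebView runtime path, and AnyDesk/DWAgent on hosts not approved for them. The event field names, the DWAgent binary names and the runtime path check are assumptions.

```python
"""Hunt over constructed process-creation events for the indicators named in
this report. Added example, not from the original report; field names, the
DWAgent binary names and the WebView2 runtime path are assumptions."""
import re

# Process names the report ties to the intrusion set.
MALWARE_NAMES = {"ms_upd.exe", "game.exe"}
# Dual-use remote access tools; flag unless the host is pre-approved for them.
REMOTE_TOOLS = {"anydesk.exe", "dwagent.exe", "dwagsvc.exe"}  # assumed binary names
# Where a genuine Edge WebView2 runtime normally lives (assumption for the check).
WEBVIEW2_OK = re.compile(r"\\Microsoft\\EdgeWebView\\Application\\", re.I)


def triage_event(ev, approved_remote_hosts=frozenset()):
    """Return the list of findings for one process-creation event (empty if clean)."""
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    findings = []
    if name in MALWARE_NAMES:
        findings.append(f"known malware name: {name}")
    if name in REMOTE_TOOLS and ev["host"] not in approved_remote_hosts:
        findings.append(f"unapproved remote access tool: {name}")
    # A binary describing itself as WebView2 but not running from the runtime path
    # matches the Game.exe masquerade described in the report.
    if "webview2" in ev.get("description", "").lower() and not WEBVIEW2_OK.search(image):
        findings.append("WebView2-branded binary outside the Edge WebView runtime path")
    return findings


def hunt(events, approved_remote_hosts=frozenset()):
    """Map (host, image) -> findings for every event that produced at least one."""
    hits = {}
    for ev in events:
        found = triage_event(ev, approved_remote_hosts)
        if found:
            hits[(ev["host"], ev["image"])] = found
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\a\AppData\Local\Temp\ms_upd.exe", "description": ""},
    {"host": "ws01", "image": r"C:\Users\a\AppData\Roaming\Game.exe", "description": "Microsoft Edge WebView2"},
    {"host": "ws02", "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\120.0\msedgewebview2.exe",
     "description": "Microsoft Edge WebView2"},
    {"host": "ws03", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "description": "AnyDesk"},
    {"host": "helpdesk01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "description": "AnyDesk"},
]

if __name__ == "__main__":
    for key, findings in hunt(SAMPLE_EVENTS, {"helpdesk01"}).items():
        print(key, findings)
```

The approved-host set is the allow-list from the whitelisting mitigation; anything outside it that launches a remote access tool is surfaced for review.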