MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Identification:** Cyberespionage group tracked by ESET researchers.
* **Known Aliases:** Mango Sandstorm, TA450.
* **Associations:** Iran-aligned cyberespionage group with known links to the Ministry of Intelligence and National Security of Iran.
* **Activity Since:** At least 2017.
## Activity Summary
ESET researchers documented a new campaign primarily targeting organizations in Israel, with one confirmed target in Egypt. Compared with the group's earlier, often noisier operations, this activity shows a more focused and refined approach. The group's objective is cyberespionage, with critical infrastructure among its targets, and in this campaign it deliberately avoided noisy hands-on-keyboard interactive sessions.
## Tactics, Techniques & Procedures
* **Cryptography:** Adopted the Windows CNG API (Cryptography API: Next Generation, the successor to the legacy CryptoAPI), which is atypical for Iran-aligned groups.
* **Execution/Persistence:** Utilized a custom **Fooder** loader that reflectively loads and executes the **MuddyViper** backdoor in memory, masquerading as the classic Snake game (its internal logic includes a custom delay routine built on `Sleep` API calls to hinder automated analysis).
* **Credential Access:** Employed credential stealers (**CE-Notes** and **LP-Notes**) and **Blub** to steal browser data and Windows login credentials.
* **Defense Evasion:** Deliberately avoided noisy, hands-on-keyboard interactive sessions.
* **Discovery/Collection:** Process list enumeration, checks for security processes, and data staging on disk.
  * Data Staged: Local Data Staging ([T1074.001]).
  * Archive Collected Data: Used PowerShell's `Compress-Archive` via the HackBrowserData utility ([T1560.001]).
* **Command and Control:** Used customized **go-socks5** reverse tunneling tools.
  * Encrypted Channel: Used AES-CBC for data encryption ([T1573.001]).
  * Remote Access Software: Used the Atera, Level, and PDQ RMM tools ([T1219]).
  * Application Layer Protocol: MuddyViper used HTTPS for C&C communications; the tunnels used HTTP/HTTPS ([T1071.001]).
  * Ingress Tool Transfer: Capability to download additional payloads ([T1105]).
  * Data Obfuscation: Used the `Status` header in HTTPS communications to hide backdoor command IDs ([T1001]).
  * Proxy: Used customized versions of the `go-socks5` reverse proxy ([T1090]).
* **Exfiltration:** Exfiltrated data over the C2 channel (HTTP/HTTPS) ([T1041]); file uploads and downloads were performed in size-limited chunks ([T1030]).
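The `Status` header trick above is worth a concrete check. The following is an added example, not code from ESET or from the malware: it parses HTTP/1.x responses and flags a `Status` response header that is absent from HTTP/1.1 (it is a CGI/PHP artifact, so it occasionally appears legitimately, in which case it mirrors the real status line). The sample responses are constructed, and the way the header is abused in them is an assumption, since the summary does not say how MuddyViper encodes command IDs; the check is only usable where a TLS-inspecting proxy exposes the decrypted response.

```python
"""Flag HTTP responses carrying a suspicious non-standard 'Status' header.

Added example (not ESET's or MuddyWater's code). The samples below are
constructed and do not reproduce MuddyViper's real encoding, which the
summary does not specify.
"""
import re

# HTTP/1.x status line, e.g. "HTTP/1.1 200 OK"
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: .*)?$")
# What a legitimate CGI/PHP-style Status header looks like: "200 OK", "404 Not Found"
STATUS_VALUE = re.compile(r"^(\d{3})(?: [A-Za-z][A-Za-z ]*)?$")


def parse_response(raw: str):
    """Return (status_code, headers) where headers maps lower-cased name -> list of values."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not an HTTP/1.x response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def status_header_anomaly(raw: str):
    """Return None when the response looks benign, otherwise a short reason string."""
    code, headers = parse_response(raw)
    values = headers.get("status")
    if values is None:
        return None  # no Status header at all: nothing to flag
    if len(values) > 1:
        return "multiple Status headers"
    value = values[0]
    m = STATUS_VALUE.match(value)
    if m is None:
        # A CGI backend emits "<code> <reason>"; anything else is carrying other data.
        return f"Status header is not a status line: {value!r}"
    if int(m.group(1)) != code:
        # A real CGI Status header is what the status line was built from; they agree.
        return f"Status header {m.group(1)} disagrees with status line {code}"
    return None


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "plain": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n",
    "cgi_style": "HTTP/1.1 404 Not Found\r\nStatus: 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "short_value": "HTTP/1.1 200 OK\r\nStatus: 7\r\nContent-Length: 0\r\n\r\n",
    "mismatch": "HTTP/1.1 200 OK\r\nStatus: 304 OK\r\nContent-Length: 0\r\n\r\n",
    "padded": "HTTP/1.1 200 OK\r\nStatus: 200 OK 1f\r\nContent-Length: 0\r\n\r\n",
}


def scan(samples):
    """Run the check over a dict of label -> raw response; returns label -> reason or None."""
    return {label: status_header_anomaly(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, reason in scan(SAMPLES).items():
        print(f"{label:12s} {reason or 'ok'}")
```

Only the `plain` and `cgi_style` samples pass; the other three are flagged. Tune the allowed reason-phrase characters to whatever your own CGI backends actually emit before deploying the check.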
## Targeting
* **Sectors:** Critical infrastructure, government, military, and telecommunications.
* **Geography:** Primarily Israel, with one confirmed target in Egypt. Historically targets the Middle East and North America.
* **Victims:** Organizations in Israel and Egypt (specific entities not detailed beyond sector).
## Tools & Infrastructure
* **Malware Families/Tools:**
* **MuddyViper:** C/C++ backdoor used for system information collection, file execution, file transfer, and credential exfiltration.
* **Fooder:** Custom loader designed to execute MuddyViper by reflectively loading it into memory.
* Credential Stealers: CE-Notes, LP-Notes, Blub.
* Reverse Tunneling: go-socks5 custom versions.
* RMM Tools: Atera, Level, PDQ.
* **Infrastructure:** C&C communications used HTTPS and customized reverse tunnels; the summary gives no domains or IP addresses, so there are no network indicators to defang here.
## Implications
MuddyWater demonstrates an evolving playbook, moving towards more focused and sophisticated operations that rely heavily on custom tooling (Fooder and MuddyViper) and on quieter tradecraft (CNG adoption and avoiding hands-on-keyboard sessions). This indicates a higher long-term risk to persistently targeted sectors, especially critical infrastructure in the Middle East.
## Mitigations
* Monitor for the deployment of novel custom loaders (e.g., Fooder masquerading as the Snake game) and for reflective loading of payloads into memory.
* Treat Windows CNG API usage as a correlating feature rather than a standalone indicator: CNG is used by a great deal of legitimate software, so alert on it only together with other signals such as an unknown loader or network activity from an unexpected process.
* Implement robust detection for the known credential stealers (CE-Notes, LP-Notes, Blub) and for MuddyViper backdoor functionality.
* Monitor for installation or execution of the Atera, Level, and PDQ agents on hosts where they are not sanctioned; these are legitimate RMM tools, so the alert condition is presence outside the approved inventory, not presence alone.
* Where TLS inspection is available, analyze C2 traffic over HTTP/HTTPS and flag unconventional HTTP headers (e.g., a `Status` response header, which has no role in HTTP/1.1 and is normally only a CGI artifact).
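The RMM mitigation above only works with an allowlist, because the same agents are sanctioned on some hosts. The following hunt is an added example, not code from the ESET report: it reads constructed JSON-shaped Windows events (System log event 7045, new service installed, and Sysmon event 1, process create), matches them against keyword patterns for the three tools, and suppresses hosts on an approved list. The keyword patterns, host names, paths and service names are assumptions; take the exact service and binary names from the vendors' documentation before deploying.

```python
"""Hunt for RMM agent installation or execution outside the approved inventory.

Added example (not from the ESET report). Events, host names, paths and the
keyword patterns are constructed/assumed; confirm real service and binary
names with vendor documentation.
"""
import json
import re
from dataclasses import dataclass

# Assumed keyword patterns. "level" is a common token (leveldb, loglevel), so it
# is word-bounded; the other two are distinctive enough to match as prefixes.
RMM_PATTERNS = {
    "Atera": re.compile(r"atera", re.I),
    "Level": re.compile(r"\blevel\b", re.I),
    "PDQ": re.compile(r"\bpdq", re.I),
}


@dataclass
class Hit:
    time: str
    host: str
    event_id: int
    tool: str
    evidence: str


def _searchable_fields(ev):
    """Pick the fields worth matching for the two event shapes this hunt understands."""
    if ev.get("EventID") == 7045:  # System log: a new service was installed
        return [ev.get("ServiceName", ""), ev.get("ImagePath", "")]
    if ev.get("EventID") == 1 and ev.get("Channel") == "Microsoft-Windows-Sysmon/Operational":
        return [ev.get("Image", ""), ev.get("CommandLine", "")]
    return []


def hunt_rmm(lines, approved_hosts=frozenset()):
    """Return one Hit per event that references an RMM tool on a non-approved host."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Computer") in approved_hosts:
            continue  # the tool is sanctioned there; presence alone is not an alert
        for text in _searchable_fields(ev):
            tool = next((t for t, pat in RMM_PATTERNS.items() if pat.search(text)), None)
            if tool:
                hits.append(Hit(ev["TimeCreated"], ev["Computer"], ev["EventID"], tool, text))
                break  # one hit per event is enough
    return hits


SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-01-10T08:02:11Z", "Computer": "WS-0413", "Channel": "System",
     "EventID": 7045, "ServiceName": "AteraAgent",
     "ImagePath": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"TimeCreated": "2025-01-10T08:02:40Z", "Computer": "WS-0413", "Channel": SYSMON,
     "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"TimeCreated": "2025-01-10T08:05:03Z", "Computer": "BUILD-02", "Channel": SYSMON,
     "EventID": 1, "Image": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "java -jar leveldb-tool.jar --loglevel debug"},
    {"TimeCreated": "2025-01-10T09:17:55Z", "Computer": "SRV-07", "Channel": SYSMON,
     "EventID": 1, "Image": r"C:\Users\j.doe\Downloads\pdq-agent-setup.exe",
     "CommandLine": "pdq-agent-setup.exe /quiet"},
    {"TimeCreated": "2025-01-10T09:20:12Z", "Computer": "LAPTOP-22", "Channel": SYSMON,
     "EventID": 1, "Image": r"C:\ProgramData\Level\level.exe",
     "CommandLine": r"C:\ProgramData\Level\level.exe --install"},
    {"TimeCreated": "2025-01-10T10:01:00Z", "Computer": "HELPDESK-01", "Channel": "System",
     "EventID": 7045, "ServiceName": "AteraAgent",
     "ImagePath": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for h in hunt_rmm(SAMPLE_LINES, approved_hosts={"HELPDESK-01"}):
        print(f"{h.time} {h.host:12s} {h.event_id:5d} {h.tool:6s} {h.evidence}")
```

With `HELPDESK-01` approved, the run reports three hits (Atera on WS-0413, PDQ on SRV-07, Level on LAPTOP-22) and stays silent on the `leveldb` and `loglevel` tokens that a bare substring match would have flagged.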