US and UK expose new malware used by MuddyWater hackers - BleepingComputer

2022-02-24 18:16 (EST) - Sergiu Gatlan

US and UK cybersecurity and law enforcement agencies today shared information on new malware deployed by the Iranian-backed MuddyWater hacking group in attacks targeting critical infrastructure worldwide.

This was revealed today in a joint advisory issued by CISA, the Federal Bureau of Investigation (FBI), the US Cyber Command's Cyber National Mission Force (CNMF), UK's National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA).

MuddyWater is "targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America," the two governments said.

This threat group uses multiple malware strains—including PowGoop, Canopy/Starwhale, Mori, POWERSTATS, as well as previously unknown ones—to deploy second-stage malware on compromised systems, for backdoor access, to maintain persistence, and for data exfiltration.

Among the malware detailed today, the US and UK agencies highlighted a new Python backdoor (dubbed Small Sieve) used by MuddyWater operators for persistence and a PowerShell backdoor used to encrypt command-and-control (C2) communication channels.

"Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API)," the advisory reads.

"Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS), and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function."
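The quoted description names two building blocks, a hex byte-swapping step and a Base64 variant with a non-standard alphabet, but this article does not give Small Sieve's actual swap rule or alphabet. The following added example (not code from the advisory or from the malware) shows how an analyst can write a decoder for that class of scheme so that captured beacon strings can be triaged; the swap rule (exchanging the two hex digits of each byte) and the rotated Base64 alphabet are assumptions chosen for illustration, and the captured strings are constructed.

```python
import base64
import binascii
import string
from typing import Optional

# ASSUMPTION: the real Small Sieve alphabet and swap rule are not on this page.
# A rotated alphabet is used here purely to demonstrate the decoding approach.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]

TO_CUSTOM = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
TO_STANDARD = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)


def swap_hex_pairs(hex_text: str) -> str:
    """Swap the two hex digits of every byte: 'ab12' -> 'ba21' (self-inverse)."""
    if len(hex_text) % 2:
        raise ValueError("hex string must have an even number of digits")
    return "".join(hex_text[i + 1] + hex_text[i] for i in range(0, len(hex_text), 2))


def obfuscate(data: bytes) -> str:
    """Reference encoder, used only to produce test vectors for the decoder."""
    swapped = swap_hex_pairs(data.hex())
    std_b64 = base64.b64encode(swapped.encode("ascii")).decode("ascii")
    # '=' padding is in neither alphabet, so translate() leaves it untouched.
    return std_b64.translate(TO_CUSTOM)


def deobfuscate(text: str) -> bytes:
    """Undo the custom alphabet, the Base64 layer, and the hex digit swap."""
    std_b64 = text.translate(TO_STANDARD)
    swapped = base64.b64decode(std_b64, validate=True).decode("ascii")
    return bytes.fromhex(swap_hex_pairs(swapped))


def try_decode(candidate: str) -> Optional[bytes]:
    """Return the decoded bytes, or None if the string does not fit the scheme.

    binascii.Error, UnicodeDecodeError and the hex errors are all ValueError
    subclasses, so one except clause covers every failure mode.
    """
    try:
        return deobfuscate(candidate)
    except ValueError:
        return None


def triage(captured: list[str]) -> dict[str, bytes]:
    """Map each captured string that decodes cleanly to its plaintext."""
    results = {}
    for item in captured:
        decoded = try_decode(item)
        if decoded is not None:
            results[item] = decoded
    return results


if __name__ == "__main__":
    # Constructed sample: one string produced by the assumed scheme, one that is not.
    sample = [obfuscate(b"id=1234;task=ping"), "not an encoded beacon!"]
    for original, plaintext in triage(sample).items():
        print(f"{original} -> {plaintext!r}")
```

The `validate=True` flag matters in triage: without it, `b64decode` silently drops characters outside the alphabet, which would make random text look like a near-miss instead of a clean rejection.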

IRANIAN INTELLIGENCE AGENCY HACKERS

The MuddyWater cyber-espionage group (aka Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros) has been active since at least 2017. It is known for focusing its attacks on Middle Eastern entities and continually upgrading its malware toolkit.

Even though relatively new, the Iranian-sponsored threat group is very active, and it targets telecommunications, government (IT services), and oil industry organizations.

It also expanded attacks to government and defense entities in Central and Southwest Asia, as well as privately-held and public orgs from North America, Europe, and Asia [1, 2, 3].

In January 2022, MuddyWater was officially linked to Iran's Ministry of Intelligence and Security (MOIS), the country's leading government intelligence agency, by the US Cyber Command (USCYBERCOM).

Today's alert follows a similar one issued on Wednesday attributing new malware dubbed Cyclops Blink to the Russian-backed Sandworm hacking group.

Sandworm operators have been using Cyclops Blink since at least June 2019 to build a new botnet replacing VPNFilter by ensnaring vulnerable WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices.
