'MuddyWater' APT Spotted Attacking Android

Cyber espionage attack group adds mobile malware to its toolset.


KASPERSKY SECURITY ANALYST SUMMIT - Singapore - A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

The so-called MuddyWater hacking group, which has been in action since at least 2017, also has created new backdoor malware for spying on its targets, and has been spotted employing false flag tactics to throw off researchers and investigators, according to security researchers at Trend Micro, who here today shared the details of the Iranian hacking team's latest activities.

MuddyWater's attack campaigns to date have been focused on gaining access to telecom providers and government entities, initially via spear phishing emails. But despite all of the intel gathered on the gang's tactics, tools, payloads, and indicators of compromise, Trend Micro researchers Jaromir Horejsi and Daniel Lunghi said MuddyWater's actual endgame remains a mystery to them.

The Android malware is one of their latest attack tools: the researchers found three samples, two of which they believe were test code that dates back to around December 2017. They found clues that the third sample may have been dropped via a compromised Turkish website and targeted victims in Afghanistan. The malware performs classic cyber espionage tasks such as gathering the device's contacts, call logs, and SMS text messages, and can retrieve the Android device's geolocation information.

"It's pretty clear that it's cyber espionage," Horejsi said. The Android malware is likely yet another spying mechanism they can use on their targets, he said.

"They start infecting the machine and maybe if they need some more information and [their victim] is using mobile apps more, they try to make them install it [the Android malware]," he said.

MuddyWater's infrastructure historically has encompassed some 30 IPs for command-and-control, six different domain names, eight different cloud service provider accounts, and 4,100 compromised WordPress servers that they use as proxies in their attacks, according to Trend's findings.

The group has successfully compromised more than 1,600 targets in 55 different organizations, according to Lunghi. "But we don't see everything," he said, so this may just be a snapshot of MuddyWater's scope.

The hacking group recently swapped out its previous command-and-control infrastructure of hacked WordPress websites. That shift may be because they don't totally control the WordPress sites and are concerned that the sites could leak information on MuddyWater campaigns and victims, according to the researchers.

False Flags & Weak OPSEC

Horejsi and Lunghi found multiple instances of the attackers posing as hackers from other regions. The attackers have written comments and debugging strings in Chinese in their backdoor Trojan code, used quotes in Hebrew from famous Israelis, and even posed behind a Russian username in a rigged document's metadata, all in an apparent attempt to appear to be from anywhere but Iran.

They use three main custom backdoors: one that uses a cloud service for stealing, storing, and downloading files; a .NET-based one that runs PowerShell to upload and download files; and a Delphi-based one that captures the victim's system information.

Once the attackers successfully drop their implants, they pivot to known tools such as Meterpreter, Mimikatz, SMBmap, and other IT and security tools to blend into the network.

But MuddyWater has been a bit sloppy, too: it uses weak and breakable cryptography, and poorly configured compromised victim servers that ultimately led Trend's researchers to find more victims of the attacks.

In one case, they found in one of the malicious files a screenshot of one of the attackers' machines that exposed its browser tabs and other information.

 

 


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
