The US Cyber Command has identified and disclosed several open-source tools that Iranian intelligence actors, known as MuddyWater, are using to infiltrate networks worldwide.
MuddyWater is an Iran-based threat group previously reported to be targetting Middle Eastern nations and several European and North American countries. The group is considered a branch of the Iranian Ministry of Intelligence and Security, which, in the words of the Congressional Research Service, “conducts domestic surveillance to identify regime opponents”.
The disclosure is aimed at helping people identity MuddyWater’s infiltrations in their network. Should a network operator or administrator identify any of these tools on their network, it can be a good indication of the presence of Iranian cyber actors.
Identifying malicous actors in networks
The Cyber Command also unveiled some technical aspects of how these threat actors could be using malware in target networks. These include side-loading DLLs to hijack legitimate programs to run malware and muddling Powershell scripts to hide their traces and any command and control functions.
- PowGoop Samples: The detected samples are part of the PowGoop instance which hides malicious processes in legitmate ones. In this instance, a file called Goopdate.dll hides communication with the threat actors’ servers by executing with the legitimate Google Update Service.
- PowGoop DLL sideloading vaiants: Uses the aforementioend technique to de-obfuscate files and decode Powershell scripts. The code has been previously used for espionage and ransomware and uses different naming convenctions to avoid antivirus and manual detections.
- PowGoop Loader variants: Instances of these files can also indicate the presence of a threat actor in your network. They also de-obfuscate Powershell scripts that allow attacker command and control functionality.
- PowGoop C2 Beacon variants: These files establish contact between the target network and the malicious host.
- Mori Backdoor samples: The presence of the sample is an indicator of the network already being compromised. The Mori backdoor is used by threat actors for espionage. It uses DNS tunneling to communicate with the command and control infrastructure.