US and UK details a new Python backdoor used by MuddyWater APT group

US and UK cybersecurity agencies provided details of a new malware used by Iran-linked MuddyWater APT.

CISA, the FBI, the US Cyber Command’s Cyber National Mission Force (CNMF), UK’s National Cyber Security Centre (NCSC-UK), and the NSA, and law enforcement agencies have published a joint advisory on new malware used by Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) in attacks aimed at critical infrastructure worldwide.

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date. The group evolved over the years by adding new attack techniques to its arsenal. Across the years the APT group also has also targeted European and North American nations. 

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

According to the joint report published by UK and US agencies, MuddyWater is targeting organizations in multiple sectors, including telecommunications, defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.

The report provides technical details about multiple pieces of malware in the arsenal of APT group, including PowGoop, Canopy/Starwhale, Mori, POWERSTATS and a previously unknown Python backdoor named Small Sieve.

Small Sieve is distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe which also achieves persistence by adding a registry run key.

“MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., “Microsift”) and Outlook in its filenames associated with Small Sieve [T1036.005].” reads the advisory.

Small Sieve implements backdoor capabilities and attempts to avoid detection by using custom string and traffic obfuscation schemes along with the Telegram Bot application programming interface (API).

“Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS), and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function.” continues the advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]