MuddyWater APT Group Using New Malware, US and UK Cybersecurity Agencies Warn

The Iran-linked MuddyWater APT group is using a new malware strain in global attacks against vulnerable infrastructure, according to a joint advisory published yesterday by the NSA, FBI, CISA, the UK’s National Cyber Security Centre (NCSC-UK), the US Cyber National Mission Force (CNMF), and law enforcement agencies.

The group conducts cyber espionage and malicious campaigns targeting organizations in sectors, such as defense, telecommunications, oil and natural gas, and local government in Europe, Africa, Asia, and North America.

“MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros,” according to the report.

Experts first noticed a MuddyWater campaign in late 2017 hitting several targets in the Middle East. The Advanced Persistent Threat (APT) group earned its name after sowing confusion with a series of attacks between February and October 2017 against the US, Israel, Iraq, United Arab Emirates, Saudi Arabia, Pakistan, India, Georgia and Turkey.

The latest advisory offers technical details of several known strains of malware used by the threat actors, including Canopy/Starwhale, PowGoop, POWERSTATS, Mori, but also describes Small Sieve, a previously unknown Python backdoor.

MuddyWater deploys Small Sieve via gram_app.exe, a Nullsoft Scriptable Install System (NSIS) installer that adds a registry run key to enable persistence. The malware grants the attackers backdoor capabilities on the compromised system and dodges detection through traffic obfuscation and custom string schemes using Telegram API over HTTPS.

The US and UK agencies also included a list of mitigation tips against MuddyWater threats:

• Using Multi-Factor Authentication (MFA)
• Restricting administrator privileges
• Deploying application control software to restrict applications and executable codes that users can run
• Enabling anti-malware and antivirus software
• Updating signature definitions on antivirus and anti-malware software
• Installing updates and patches for OS, software, and firmware regularly as soon as they’re released
• Training users to recognize and report social engineering and phishing attempts
• Avoid clicking on hyperlinks or attachments in emails or messages from unknown or untrusted sources
• Adding email banners to emails originating from outside the organizations
• Disabling hyperlinks in received emails
• Implement threat reputation services in operating systems, applications, network devices and email services