MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign

MuddyWater replaced the Atera validator with a custom MuddyRot implant in a recent campaign, introducing a new infection chain that relies on PDFs with embedded links and a bespoke C2-backed backdoor. The report provides IOCs and YARA rules to help defenders detect MuddyRot and track MuddyWater activity. #MuddyRot #MuddyWater #MOIS #Egnyte #Atera #SimpleHelp

Keypoints

  • MuddyWater’s current operation uses a homemade MuddyRot validator instead of the Atera RMM tool for first-stage validation.
  • The infection chain shifted from email-based delivery to PDFs with embedded links directing to an Egnyte-hosted ZIP containing MuddyRot.
  • MuddyRot is an x64 C implant enabling reverse shell, persistence, and file upload/download capabilities, with obfuscated strings and dynamic API loading.
  • The malware uses a mutex (DocumentUpdater) to ensure a single instance and employs scheduled tasks (DocumentsManagerReporter) for persistence.
  • C2 communications occur over a raw TCP socket on port 443 with obfuscated configuration data and a defined command set (upload/download, reverse shell, etc.).
  • The campaign targets Western and Middle Eastern entities, with MOIS attribution and suspected targets in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel.
  • IOCs include four MuddyRot-related file hashes, two IPs, an Egnyte domain, and a sample buffer file named “exit”; YARA rules are available on the Sekoia GitHub repo.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “they use public exploits to compromise internet-exposed servers, such as Exchange or SharePoint servers.”
  • [T1566.001] Spearphishing Attachment – “an email (or possibly an instant messaging message) sent from a compromised account. The email included a link to an online storage service hosting a malicious ZIP archive…”
  • [T1566.002] Spearphishing Link – “embedding the links in PDF files instead of emails. By clicking the embedded links, the user is redirected to a webpage hosted on the Egnyte service to download a ZIP archive containing the MuddyRot validator.”
  • [T1105] Ingress Tool Transfer – “the PDF links lead to a ZIP archive containing the MuddyRot validator downloaded from a hosted service (Egnyte).”
  • [T1053.005] Scheduled Task – “the malware establishes persistence… by creating a scheduled task named DocumentsManagerReporter.”
  • [T1027] Obfuscated/Compressed Files and Information – “strings… are obfuscated through a simple method: each character of any relevant string has its decimal value subtracted by an integer.”
  • [T1106] Native API – “the malware uses dynamic import loading using the pair LoadLibrary / GetProcAddress to load methods from various DLLs…GetProcAddress to retrieve addresses of functions from Kernel32.dll, Advapi32.dll, Ole32.dll, and Ws2_32.dll.”
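
The T1027 entry describes a per-character subtraction scheme. As an added example (not code from the Sekoia report or the implant), the following Python brute-forces the subtraction constant and confirms a candidate by looking for the mutex and scheduled-task names the report lists; the sample strings and the delta of 7 are constructed, and the direction of the subtraction is an assumption (the search covers both directions modulo 256).

```python
"""Brute-force helper for the per-character subtraction scheme the report
attributes to MuddyRot (added example, not Sekoia's or the malware's code)."""
from typing import List, Optional, Tuple

# Assumption: names the report says the implant uses; seeing one confirms a delta.
KNOWN_TOKENS = (b"DocumentUpdater", b"DocumentsManagerReporter")


def decode(buf: bytes, delta: int) -> bytes:
    """Undo 'original minus delta' by adding delta back, byte-wise modulo 256.
    If the implant instead adds a constant, delta 256-k still recovers it."""
    return bytes((b + delta) & 0xFF for b in buf)


def is_printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 for b in data)


def candidates(buf: bytes) -> List[Tuple[int, bytes]]:
    """Every delta 1..255 whose decoding is entirely printable ASCII.
    Short strings decode cleanly under several deltas, so this alone is
    ambiguous; recover_delta() resolves it with known tokens."""
    return [(d, decode(buf, d)) for d in range(1, 256)
            if is_printable(decode(buf, d))]


def recover_delta(buf: bytes, known=KNOWN_TOKENS) -> Optional[int]:
    """Return the delta under which a known token appears, or None."""
    for delta, plain in candidates(buf):
        if any(tok in plain for tok in known):
            return delta
    return None


def obfuscate(s: str, delta: int) -> bytes:
    """Constructed sample generator mirroring the described scheme."""
    return bytes((ord(c) - delta) & 0xFF for c in s)


if __name__ == "__main__":
    # Constructed blobs, not bytes from a real sample.
    mutex = obfuscate("DocumentUpdater", 7)
    dll = obfuscate("Ws2_32.dll", 7)
    delta = recover_delta(mutex)          # 7
    print("delta:", delta, "->", decode(dll, delta))
```

Once the delta is confirmed from one known string, the same value decodes the remaining obfuscated strings in the sample, which is usually enough to enumerate the DLL and API names resolved at runtime.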

Indicators of Compromise

  • [File hash] MuddyRot-related files – 94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472, b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca, 73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e, 960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809
  • [IP] Infrastructure – 91.235.234[.]202, 146.19.143[.]14 (down)
  • [Domain] Egnyte hosting domain – egnyte.com
  • [File name] exit – a buffer file named “exit” used by the C2/data flow
  • [URL] YARA rules repository – https://github.com/SEKOIA-IO/Community/blob/main/IOCs/MuddyWater/yara/

Read more: https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/