Key points
- MuddyWater is assessed to be affiliated with the Iranian government and is espionage-motivated.
- Primary targets are organizations across the Middle East, including Saudi Arabia, UAE, Iraq, and recently Israel.
- Operates with in-memory PowerShell “living off the land” techniques to avoid writing new binaries and reduce detection.
- Uses spear-phishing (often from compromised organizational accounts) to deploy legitimate remote management tools like Atera Agent and Screen Connect.
- Has developed and deployed a custom implant called BugSleep for remote command execution and file transfer.
- Employs a toolkit including POWERSTATS, PowGoop, Mimikatz, Chisel, Remadmin, Quarks pwDump, and others to move laterally, steal credentials, and tunnel traffic.
- Has leveraged multiple known CVEs (e.g., CVE-2017-0199, CVE-2020-1472) in its operations.
MITRE Techniques
- [T1589.002] Reconnaissance – Conducts target research to build operational context (‘Conducts reconnaissance to gather information about targets.’)
- [T1574.002] Persistence – Implements persistence mechanisms to maintain access on compromised hosts (‘Establishes persistence mechanisms to maintain access.’)
- [T1053.005] Discovery – Performs discovery to enumerate system and environment details (‘Uses discovery techniques to identify system information.’)
- [T1583.006] Resource Development – Builds tooling and infrastructure for operations (‘Develops resources for future operations.’)
- [T1566.001] Initial Access – Gains initial access via phishing and compromised email accounts to deliver remote management tools (‘Gains initial access through phishing campaigns.’ / ‘compromised organizational email accounts to send phishing messages… deploy legitimate remote management tools like Atera Agent and Screen Connect.’)
- [T1210] Lateral Movement – Moves laterally within networks to reach additional systems (‘Moves laterally within the network to access other systems.’)
- [T1059.003] Execution – Executes remote commands on infected hosts to control systems (‘Executes commands on compromised systems.’)
- [T1562.001] Defense Evasion – Uses techniques to evade detection and reduce forensic footprint (‘Evades detection mechanisms to maintain access.’)
- [T1555] Credential Access – Attempts to harvest and reuse credentials to escalate access (‘Attempts to access and steal credentials.’)
- [T1041] Exfiltration – Transfers stolen data off compromised systems to external servers (‘Exfiltrates data from compromised systems.’)
Indicators of Compromise
- [Malware/Tool names] tools used by MuddyWater – BugSleep, POWERSTATS, PowGoop, Mimikatz, Chisel, Remadmin, Quarks pwDump, Thanos.
- [Legitimate remote management tools] used as delivery/persistence vectors – Atera Agent, Screen Connect.
- [Vulnerability IDs] exploited in campaigns – CVE-2017-0199, CVE-2020-1472, and 4 other CVEs listed in the report.
- [Source URL/domain] reporting and IOC reference – https://www.cyfirma.com/research/apt-profile-muddywater/
MuddyWater’s technical approach centers on delivering initial access via spear-phishing—frequently using compromised organizational email accounts—to get targets to install or enable legitimate remote management software (notably Atera Agent and Screen Connect). Once access is achieved, operators prefer in-memory PowerShell “living off the land” techniques and downloader frameworks (e.g., PowGoop/POWERSTATS) to avoid dropping new binaries, maintain stealth, and execute payloads directly in memory.
The group deploys tooling for credential theft (Mimikatz, Quarks pwDump), tunneling and remote access (Chisel, Remadmin, Secure Sockets Funneling), and lateral movement, leveraging harvested credentials and scheduled-task execution for persistence. Recently, MuddyWater has begun deploying a custom backdoor called BugSleep that provides remote command execution and file transfer between infected hosts and C2 servers, while continuing to exploit a set of known CVEs to gain or escalate access.
Defensive priorities against these techniques include monitoring for anomalous use of legitimate remote management software, detecting in-memory PowerShell activity and uncommon command execution patterns, hunting for indicators associated with the listed tools and CVEs, and protecting credential stores to disrupt lateral movement and persistence attempts.
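As an added example (not code from the CYFIRMA report), the routine below applies the three monitoring priorities above to process-creation events: RMM agents spawned by a mail or Office client, PowerShell command lines carrying several in-memory loader markers, and executables named after the listed toolkit. The sample events are constructed, and the RMM and toolkit executable names are assumptions to be checked against your own software inventory.

```python
import re

# Assumed on-disk names of the legitimate RMM tools named in the report.
RMM_IMAGES = {"ateraagent.exe", "screenconnect.clientservice.exe",
              "screenconnect.windowsclient.exe"}
# Parents that should not normally spawn an RMM agent (phishing delivery path).
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
# Assumed executable names for toolkit items listed in the report.
TOOLKIT_IMAGES = {"mimikatz.exe", "chisel.exe", "quarkspwdump.exe"}
# Command-line markers typical of in-memory PowerShell loaders.
PS_MARKERS = [r"-(?:enc|encodedcommand)\b", r"-w(?:indowstyle)?\s+hidden",
              r"-nop\b", r"\biex\b", r"downloadstring", r"frombase64string"]


def triage_event(ev):
    """Return the names of the rules that fire for one process-creation event."""
    parent, image, cmd = (ev[k].lower() for k in ("parent", "image", "cmdline"))
    hits = []
    if image in RMM_IMAGES and parent in MAIL_OFFICE_PARENTS:
        hits.append("rmm_from_mail_or_office")
    if image in {"powershell.exe", "pwsh.exe"}:
        markers = sum(1 for p in PS_MARKERS if re.search(p, cmd))
        if markers >= 2:  # a single marker is common in benign admin scripts
            hits.append("inmemory_powershell")
    if image in TOOLKIT_IMAGES:
        hits.append("known_toolkit_name")
    return hits


def triage(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    findings = []
    for idx, ev in enumerate(events):
        hits = triage_event(ev)
        if hits:
            findings.append((idx, hits))
    return findings


# Constructed sample events; fields mirror a Sysmon process-creation record.
SAMPLE_EVENTS = [
    {"parent": "OUTLOOK.EXE", "image": "AteraAgent.exe", "cmdline": "AteraAgent.exe /i"},
    {"parent": "services.exe", "image": "AteraAgent.exe", "cmdline": "AteraAgent.exe"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"parent": "cmd.exe", "image": "chisel.exe", "cmdline": "chisel.exe client"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

The second and fourth sample events show the intended negatives: an RMM agent started by the service control manager and an interactive PowerShell command without loader markers produce no finding.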
Read more: https://www.cyfirma.com/research/apt-profile-muddywater/