MuddyWater disguised a state-sponsored cyber-espionage operation as a Chaos ransomware attack, using Microsoft Teams social engineering to steal credentials, bypass MFA, and establish persistent remote access. Rapid7 attributes the incident to MuddyWater based on infrastructure overlap, a unique code-signing certificate, and operational tradecraft, and assesses that the ransomware was a cover for espionage rather than a financially motivated attack. #MuddyWater #Chaos #MicrosoftTeams #Game.exe #Qilin #MOIS
Keypoints
- MuddyWater masqueraded as the Chaos ransomware group to obscure true attribution.
- Attackers used Microsoft Teams social engineering to initiate chats, screen sharing, and credential harvesting.
- Credential theft methods included phishing pages and tricking victims into typing passwords into local files.
- Persistence and remote access were achieved via RDP, DWAgent, AnyDesk, and a custom backdoor (Game.exe) dropped by ms_upd.exe.
- Rapid7’s attribution cites infrastructure overlap, a code-signing certificate linked to Stagecomp/Darkcomp, and operational tradecraft pointing to MuddyWater.
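To turn the tradecraft in the list above into a quick hunt, here is an added example in Python (not code from Rapid7's report or from this page): it runs a few rules over constructed Sysmon-style process-creation and Windows logon records, flagging the remote-access tools, the ms_upd.exe -> Game.exe parent/child relationship, and RDP (logon type 10) sessions, then rates hosts by how many of those signals coincide. The binary names assumed for DWAgent and AnyDesk, and every path, hostname, user and IP in the sample data, are assumptions made for the example.

```python
"""Hunt over constructed process/logon events for the MuddyWater tradecraft
summarised above. Added example; event records and paths are constructed."""
import ntpath
from collections import defaultdict

# Assumed on-disk names of the remote-access tools named in the report.
REMOTE_ACCESS_TOOLS = {"dwagent.exe", "anydesk.exe"}
DROPPER = "ms_upd.exe"   # reported dropper
BACKDOOR = "game.exe"    # reported custom backdoor it writes
RDP_LOGON_TYPE = 10      # Windows RemoteInteractive logon


def base(path):
    """Case-insensitive basename of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def hunt(events):
    """Return a list of finding dicts for the events that match a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = base(ev["image"]), base(ev.get("parent_image"))
            if img in REMOTE_ACCESS_TOOLS:
                findings.append({"host": ev["host"], "rule": "remote_access_tool",
                                 "detail": ev["image"]})
            if parent == DROPPER:
                # Anything spawned by the dropper is suspicious; Game.exe is the known child.
                rule = "dropper_spawned_backdoor" if img == BACKDOOR else "dropper_spawned_child"
                findings.append({"host": ev["host"], "rule": rule,
                                 "detail": f"{ev['parent_image']} -> {ev['image']}"})
        elif ev["type"] == "logon" and ev.get("logon_type") == RDP_LOGON_TYPE:
            findings.append({"host": ev["host"], "rule": "rdp_logon",
                             "detail": f"{ev['user']} from {ev['source_ip']}"})
    return findings


def hosts_by_severity(findings):
    """'high' when the backdoor launch coincides with another signal on the same host."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["host"]].add(f["rule"])
    return {host: ("high" if "dropper_spawned_backdoor" in rs and len(rs) > 1 else "medium")
            for host, rs in rules.items()}


# Constructed sample telemetry (hosts, users, IPs and paths are invented).
SAMPLE_EVENTS = [
    {"type": "logon", "host": "WS01", "user": "jdoe", "logon_type": 10, "source_ip": "10.0.0.5"},
    {"type": "process", "host": "WS01",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\ms_upd.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Game.exe"},
    {"type": "process", "host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "process", "host": "WS02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\DWAgent\native\dwagent.exe"},
    {"type": "logon", "host": "WS03", "user": "svc", "logon_type": 2, "source_ip": "-"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['rule']:26} {f['detail']}")
    print(hosts_by_severity(found))
```

On the sample data WS01 collects an RDP logon, the dropper launching Game.exe, and AnyDesk, so it is rated high; WS02 only has DWAgent present and stays medium; WS03 produces nothing. Against real telemetry, feed Sysmon Event ID 1 and Security Event ID 4624 records into the same shape, and treat the remote-access-tool rule as a lead to verify (both tools have legitimate uses) rather than a verdict on its own.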