MuddyWater’s UDPGangster Backdoor

FortiGuard Labs and PolySwarm analyzed UDPGangster, a UDP-based backdoor tied to the MuddyWater threat actor that targets users in Turkey, Israel, and Azerbaijan via phishing emails containing macro-enabled Word documents. The malware uses UDP C2 on port 1269, extensive anti-analysis checks, persistence via AppData and registry run keys, and supports commands for remote execution, file exfiltration, payload deployment, and C2 updates. #UDPGangster #MuddyWater

Keypoints

  • UDPGangster communicates with its C2 over UDP (port 1269), enabling stealthy, non-TCP command-and-control channels.
  • Initial access is achieved through spear-phishing emails with macro-enabled Word attachments (e.g., seminer.doc/seminer.zip) that execute VBA macros on Document_Open.
  • The VBA macros use Base64 decoding and drop payloads (saved as ui.txt then executed) while swapping decoy images to hide malicious activity.
  • Comprehensive anti-analysis and sandbox-avoidance checks detect debuggers, virtual machines, low CPU cores, low RAM, virtual MAC prefixes, suspicious processes/services, registry artifacts, and sandbox DLLs.
  • Persistence is established by copying itself to %AppData%RoamingLowSystemProc.exe, creating a mutex (xhxhxhxhxhxpp), and adding a registry run entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell.
  • UDPGangster supports multiple C2 commands for heartbeat, cmd.exe execution, file exfiltration, payload deployment, and C2 updates; its overlaps with Phoenix backdoor infrastructure link it to MuddyWater operations in the region.
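The dropper chain in the keypoints (Document_Open trigger, Base64 decode from a hidden form field, payload written as ui.txt and executed, decoy image swap) is what a macro triage pass should look for. The script below is an added example for this summary, not code from FortiGuard Labs or PolySwarm: it runs a set of assumed regex heuristics over extracted macro source and returns which traits fire, plus a coarse verdict. The macro text it scans is constructed for the demo, and extracting VBA from a real document (for example with olevba) is assumed to happen before this step.

```python
"""Static triage of VBA macro source for the UDPGangster dropper traits.

Added example for this write-up, not code from FortiGuard Labs or PolySwarm.
Input is macro source text as a string (extracting it from a .doc, e.g. with
olevba, is assumed to happen first). The heuristic patterns are assumptions
chosen to match the traits described in the keypoints, and both macro texts
below are constructed for the demo.
"""
import re
from typing import Dict, List

# Heuristic name -> regex over the macro source (all assumed, case-insensitive).
HEURISTICS: Dict[str, "re.Pattern[str]"] = {
    "auto_exec_on_open": re.compile(r"\b(Document_Open|AutoOpen|Workbook_Open)\b", re.I),
    "base64_decode":     re.compile(r"bin\.base64|nodeTypedValue|FromBase64", re.I),
    "hidden_form_field": re.compile(r"UserForm\d*\.\w+\.(Text|Caption|Tag)\b|\.Visible\s*=\s*False", re.I),
    "writes_ui_txt":     re.compile(r"ui\.txt", re.I),
    "file_write":        re.compile(r"\bOpen\b.+\bFor\s+(Binary|Output)\b|\bPut\s+#|CreateTextFile", re.I),
    "process_launch":    re.compile(r"\bShell\b|WScript\.Shell|Shell\.Application", re.I),
    "decoy_image_swap":  re.compile(r"InlineShapes|Shapes\(.*\)\.Delete|AddPicture", re.I),
}


def triage_macro(source: str) -> List[str]:
    """Return the names of the heuristics that fire on this macro source, in table order."""
    return [name for name, rx in HEURISTICS.items() if rx.search(source)]


def risk_level(hits: List[str]) -> str:
    """Coarse verdict: auto-exec plus decode plus drop-and-run is the dropper pattern."""
    core = {"auto_exec_on_open", "base64_decode", "file_write", "process_launch"}
    if core <= set(hits):
        return "high"
    if "auto_exec_on_open" in hits and len(hits) >= 2:
        return "medium"
    return "low"


# Constructed benign macro: auto-runs but only stamps a header.
BENIGN_MACRO = r'''
Private Sub Document_Open()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft " & Date
End Sub
'''

# Constructed suspicious macro mirroring the traits in the keypoints; it is
# demo text for the scanner, not a working dropper (no payload is embedded).
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim xml As Object, node As Object, path As String
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set node = xml.createElement("b64")
    node.DataType = "bin.base64"
    node.Text = UserForm1.TextBox1.Text
    path = Environ("TEMP") & "\ui.txt"
    Open path For Binary As #1
    Put #1, , node.nodeTypedValue
    Close #1
    ActiveDocument.InlineShapes(1).Delete
    Shell path
End Sub
'''

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MACRO), ("suspicious", SAMPLE_MACRO)):
        hits = triage_macro(text)
        print(f"{label}: {risk_level(hits)} {hits}")
```

The verdict is deliberately conservative: a lone Document_Open handler is common in legitimate templates, so it only reaches "high" when the trigger, the decode, the file write and the process launch all appear together.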

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing emails deliver macro-enabled Word documents as attachments to initiate compromise. (‘The delivery starts with phishing emails mimicking official entities… attach files like seminer.doc or seminer.zip.’)
  • [T1204.002] User Execution: Malicious File – Victims are tricked into enabling macros which run on Document_Open to decode and execute embedded payloads. (‘Opening the document prompts users to enable content, activating embedded VBA macros.’)
  • [T1027] Obfuscated Files or Information – The macro decodes Base64 data from a hidden form field and the malware encodes system information using an ROR transformation to evade inspection. (‘decode Base64 data from a hidden form field… encodes it with an ROR transformation’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is achieved by adding a registry entry under the user run key path. (‘adds a registry entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell’)
  • [T1497] Virtualization/Sandbox Evasion – The malware performs extensive anti-analysis checks for VMs, low hardware resources, virtual MAC prefixes, sandbox DLLs, and suspicious processes to avoid analysis. (‘detects debuggers, low-core CPUs… virtual MAC prefixes from vendors like VMware and VirtualBox using GetAdaptersInfo’)
  • [T1095] Non-Application Layer Protocol – C2 communication uses UDP rather than typical TCP-based application protocols to bypass network defenses. (‘establishes remote access over UDP… transmits to the C2 on UDP port 1269.’)
  • [T1059] Command and Scripting Interpreter – The backdoor supports remote command execution, including invoking cmd.exe via specific C2 commands. (‘Supported commands include 0x0A for cmd.exe execution’)
  • [T1041] Exfiltration Over C2 Channel – The malware supports file exfiltration via C2 commands to steal data from compromised hosts. (‘Supported commands include… 0x14 for file exfiltration’)
  • [T1105] Ingress Tool Transfer – UDPGangster can deploy additional payloads and update components from its C2 infrastructure. (‘0x1E for payload deployment, and 0x63 for C2 updates.’)

Indicators of Compromise

  • [File Hash] Sample associated with the activity – 7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53
  • [File Names] Malicious documents and dropped binaries – seminer.doc, seminer.zip, ui.txt, %AppData%RoamingLowSystemProc.exe
  • [Mutex] Malware runtime artifact – xhxhxhxhxhxpp
  • [Registry Key] Persistence mechanism – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell
  • [Network] C2 communication channel – UDP port 1269 (used to transmit encoded system info and receive commands)
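The indicators above map directly onto host and network telemetry most teams already collect. The following is an added example for this summary, not code from FortiGuard Labs or PolySwarm: it matches Sysmon-style events (assumed field names for Event IDs 1, 3, 11 and 13, plus an assumed "Mutex" field that a handle-enumeration tool could supply) against the hash, file names, mutex, registry key and UDP port listed here, and reports which events in a stream fired which indicator. The event stream at the bottom is constructed for the demo; the SHA256 and UDP port are the page's values, the paths, SID and IP addresses are placeholders.

```python
"""Hunt for the UDPGangster indicators listed above in Sysmon-style events.

Added example for this write-up, not code from FortiGuard Labs or PolySwarm.
Assumed input: one dict per event using Sysmon-like field names for Event IDs
1 (process create), 3 (network connect), 11 (file create) and 13 (registry
value set). Mutex names are not in Sysmon; an assumed "Mutex" field stands in
for output of a handle-enumeration tool. The sample events are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

# Indicators taken from the write-up above.
C2_UDP_PORT = 1269
MUTEX_NAME = "xhxhxhxhxhxpp"
SAMPLE_SHA256 = "7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53"
LURE_NAMES = {"seminer.doc", "seminer.zip"}
DROPPED_NAMES = {"ui.txt", "systemproc.exe"}
PERSIST_KEY_RE = re.compile(
    r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell", re.I
)


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sha256_of(ev: Dict) -> str:
    """Pull SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in ev.get("Hashes", "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: Dict) -> List[str]:
    """Names of every UDPGangster indicator a single event matches."""
    hits: List[str] = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    if eid == 1:  # process creation
        if _sha256_of(ev) == SAMPLE_SHA256:
            hits.append("known_sample_hash")
        if image in DROPPED_NAMES:
            hits.append("dropped_binary_executed")
        if _basename(ev.get("ParentImage", "")) == "winword.exe" and image != "winword.exe":
            hits.append("word_spawned_child")
    elif eid == 3:  # network connection
        if ev.get("Protocol", "").lower() == "udp" and ev.get("DestinationPort") == C2_UDP_PORT:
            hits.append("udp_1269_c2")
    elif eid == 11:  # file creation
        target = _basename(ev.get("TargetFilename", ""))
        if target in LURE_NAMES:
            hits.append("lure_document_written")
        if target in DROPPED_NAMES:
            hits.append("dropped_file_created")
    elif eid == 13:  # registry value set
        if PERSIST_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("explorer_user_shell_persistence")
    if ev.get("Mutex") == MUTEX_NAME:  # assumed field from a handle-enumeration tool
        hits.append("udpgangster_mutex")
    return hits


def hunt(events: List[Dict]) -> List[Dict]:
    """Return only the events that matched, with their indicator names."""
    return [{"index": i, "hits": h} for i, ev in enumerate(events) if (h := match_event(ev))]


def summarize(events: List[Dict]) -> Counter:
    """Count how often each indicator fired across the event stream."""
    return Counter(name for ev in events for name in match_event(ev))


# Constructed sample stream: a benign service process and DNS lookup, then the
# UDPGangster chain (Word writes ui.txt, the dropped binary runs, persists, beacons).
# Paths, SID and IPs are placeholders; only file names, key path and port are matched.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.53", "DestinationPort": 53},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\ui.txt"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\SystemProc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + SAMPLE_SHA256},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\SystemProc.exe",
     "TargetObject": r"HKU\S-1-5-21-<sid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\SystemProc.exe",
     "Protocol": "udp", "DestinationIp": "203.0.113.10", "DestinationPort": C2_UDP_PORT},
]

if __name__ == "__main__":
    for flagged in hunt(SAMPLE_EVENTS):
        print(flagged)
    print(dict(summarize(SAMPLE_EVENTS)))
```

The UDP/1269 check on its own will also fire on unrelated traffic that happens to use that port, so in practice it is the combination with the registry key write or the dropped file names on the same host that carries the signal; `summarize` is there to make that co-occurrence easy to see.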


Read more: https://blog.polyswarm.io/muddywaters-udpgangster-backdoor