Group-IB Threat Intelligence details a MuddyWater espionage campaign targeting international organizations worldwide, using compromised mailboxes accessed via NordVPN to dispatch phishing emails that deliver malicious Word documents. The operation deploys Phoenix backdoor version 4 with the FakeUpdate injector, employs a new RMM tool and a custom browser credential stealer, and demonstrates Iran-linked MuddyWater’s evolved tradecraft against governmental targets. #MuddyWater #PhoenixBackdoor #FakeUpdate #NordVPN #ScreenAI
Keypoints
- MuddyWater is targeting international organizations in an espionage campaign.
- Phishing emails sent from compromised mailboxes (accessed via NordVPN) lure victims with malicious Word attachments.
- Macros enable the dropper, leading to FakeUpdate injector and Phoenix backdoor version 4 deployment.
- A new Remote Monitoring and Management tool and a custom browser credential stealer were observed on the C2 infrastructure.
- Group-IB attributes the campaign to MuddyWater with high confidence, based on overlaps in the macro code and the infrastructure.
MITRE Techniques
- [T1566] Phishing: Spearphishing Attachment – Initial access via phishing emails delivering malicious Word attachments that prompt recipients to enable macros. ‘The phishing emails contain Microsoft Word documents that prompted recipients (victims) to enable macros in order to view the content.’
- [T1059] Visual Basic – The macros embed malicious Visual Basic for Applications (VBA) code that runs as a dropper and loads the payload. ‘the embedded VBA code executed functioning as a dropper that decoded and wrote a loader to disk before executing it.’
- [T1082] System Information Discovery – The malware gathers system information such as computer name, domain/workgroup, Windows version, and username. ‘Gather system information, including computer name, domain/workgroup, Windows version, and username.’
- [T1555] Credentials in Web Browsers – The Chromium_Stealer on the C2 infrastructure harvests credentials stored by browsers and writes the results to a local staging file. ‘Harvest credentials stored by browsers and write the harvested data to a local staging file.’
- [T1547] Registry Run Keys/Startup Folder – Persistence by modifying HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and altering the Shell value. ‘modifying the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and altering the Shell value.’
- [T1071] Web Protocols – The backdoor communicates with its C2 via WinHTTP to receive and execute commands. ‘Connects to its C2 server via WinHTTP to receive and execute commands.’
- [T1055] Process Injection – The Phoenix backdoor version 4 performs injection into its own process. ‘injects it into its own process.’
Indicators of Compromise
- [Domain] C2 domain – screenai[.]online
- [IP] C2 IP – 159.198.36.115
- [File Name] Dropped files – Mononoke.exe, sysProcUpdate
- [File Hash] 668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e, 5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839
- [URL] C2 resource – hxxp://159.198.36[.]115:4444/chromium_stealer_user.exe
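The techniques and indicators listed above translate directly into host-side triage checks: a Winlogon Shell value that is no longer the stock explorer.exe (T1547), DNS or network activity to the listed C2 domain and IP (T1071), and file names or SHA-256 hashes from the indicator list. The script below is an added example, not code from the report or from Group-IB. It runs the checks over constructed, Sysmon-like "Key=Value" event lines; the event format, field names (EventType, TargetObject, Details, QueryName, DestinationIp, Sha256) and the sample events are assumptions made for the demonstration, while the indicators themselves are the ones listed on this page with their defanging removed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the report summary above; "[.]" defanging has been removed.
IOC_DOMAINS = {"screenai.online"}
IOC_IPS = {"159.198.36.115"}
IOC_SHA256 = {
    "668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e",
    "5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839",
}
# Dropped-file names from the report plus the file name in the C2 URL.
IOC_FILENAMES = {"mononoke.exe", "sysprocupdate", "chromium_stealer_user.exe"}

# Persistence location named in the report (T1547): the Winlogon Shell value.
# endswith() lets both the HKCU and HKEY_CURRENT_USER spellings match.
WINLOGON_SHELL = r"software\microsoft\windows nt\currentversion\winlogon\shell"
DEFAULT_SHELL = "explorer.exe"

# Constructed "Key=Value Key=Value" event format (assumption, loosely Sysmon-like).
# A value runs until the next " Key=" token, so values may contain spaces and backslashes.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one constructed event line into a dict of field -> value."""
    return {k: v for k, v in KV_RE.findall(line.strip())}


def check_winlogon_shell(event):
    """T1547: flag a Winlogon Shell value that is anything but the stock explorer.exe.
    A trailing comma or an appended second executable both count as a change."""
    target = event.get("TargetObject", "").lower()
    if not target.endswith(WINLOGON_SHELL):
        return None
    if event.get("Details", "").strip().lower() == DEFAULT_SHELL:
        return None
    return ("T1547", f"Winlogon Shell changed to {event.get('Details')!r}")


def check_network(event):
    """T1071: flag DNS lookups of the C2 domain or connections to the C2 IP."""
    name = event.get("QueryName", "").lower()
    ip = event.get("DestinationIp", "")
    if name in IOC_DOMAINS:
        return ("T1071", f"DNS query for C2 domain {name}")
    if ip in IOC_IPS:
        port = event.get("DestinationPort", "?")
        return ("T1071", f"connection to C2 IP {ip}:{port}")
    return None


def check_file(event):
    """Match the file written or executed against the report's hashes and names."""
    path = event.get("TargetFilename") or event.get("Image") or ""
    name = PureWindowsPath(path).name.lower()
    sha = event.get("Sha256", "").lower()
    if sha and sha in IOC_SHA256:
        return ("IoC-hash", f"{name} matches known SHA256 {sha[:12]}...")
    if name in IOC_FILENAMES:
        return ("IoC-filename", f"file name {name} matches report IoC")
    return None


CHECKS = (check_winlogon_shell, check_network, check_file)


def scan_events(lines):
    """Run every check over every event; return the list of (technique, reason) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for check in CHECKS:
            hit = check(event)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events: two Winlogon writes (one malicious, one stock),
# C2 DNS and network activity, a dropped file with a listed hash, and benign traffic.
SAMPLE_EVENTS = [
    r"EventType=RegistryValueSet TargetObject=HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details=explorer.exe,C:\Users\alice\AppData\Roaming\Mononoke.exe",
    r"EventType=RegistryValueSet TargetObject=HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details=explorer.exe",
    r"EventType=DnsQuery Image=C:\Windows\System32\svchost.exe QueryName=screenai.online",
    r"EventType=NetworkConnect Image=C:\Users\alice\AppData\Roaming\Mononoke.exe DestinationIp=159.198.36.115 DestinationPort=4444",
    r"EventType=FileCreate TargetFilename=C:\Users\alice\AppData\Local\Temp\sysProcUpdate Sha256=5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839",
    r"EventType=NetworkConnect Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443",
]

if __name__ == "__main__":
    for technique, reason in scan_events(SAMPLE_EVENTS):
        print(f"[{technique}] {reason}")
```

Each event is run through every check, so a single process that both connects to the C2 IP and carries a listed file name produces two hits, which is the behaviour an analyst wants when correlating host and network evidence. The Winlogon check deliberately compares against the exact default value rather than looking for a specific implant name, so it also catches a value that merely appends a second executable after explorer.exe.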