Cybersecurity and law enforcement agencies in the United States and the United Kingdom recently shared information on new malware used by the Iranian-backed MuddyWater hacking group in cyberattacks on critical infrastructure worldwide. CISA, the Federal Bureau of Investigation (FBI), US Cyber Command’s Cyber National Mission Force (CNMF), the UK’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) released a joint alert today.
MuddyWater is “targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America,” said the two governments.
PowGoop, Canopy/Starwhale, Mori, POWERSTATS, and other previously undisclosed malware strains are used by this threat group to deploy second-stage malware on infected computers for backdoor access, persistence, and data exfiltration. The US and UK agencies noted a new Python backdoor (Small Sieve) used by MuddyWater operators for persistence. Among the other malware disclosed recently is a PowerShell backdoor used to encrypt command-and-control (C2) communication channels.
According to the alert, Small Sieve uses custom string and traffic obfuscation schemes in combination with the Telegram Bot application programming interface (API) to provide the basic functionality needed to maintain and expand a foothold in victim infrastructure while avoiding detection. The tasking and beaconing data are obfuscated using a hex byte shifting encoding scheme combined with an obfuscated Base64 function. Small Sieve’s beaconing and tasking are carried out over the Telegram API via Hypertext Transfer Protocol Secure (HTTPS).
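As an added illustration, not code from the alert or from the MuddyWater tooling, the Python below shows what the two points in the paragraph above mean for a defender: first, how a layered byte-shift-plus-hex encoding wrapped in a non-standard Base64 alphabet is peeled back once an analyst has recovered the constants from a sample, and second, how Telegram Bot API beaconing surfaces in proxy logs. The shift value, the rotated alphabet and the layering order are assumptions chosen for the example (the alert summary gives none of Small Sieve’s real constants); the proxy log lines are constructed; the URL form `https://api.telegram.org/bot<token>/<method>` is the public Telegram Bot API format.

```python
import base64
import re
import string

# Hypothetical obfuscation parameters (assumptions for this example, not
# Small Sieve's real constants): a fixed per-byte shift applied before hex
# encoding, and a Base64 alphabet rotated by 13 positions.
SHIFT = 7
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
_TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def shift_hex_encode(data: bytes, shift: int = SHIFT) -> str:
    """Shift every byte by a constant (mod 256), then hex-encode the result."""
    return bytes((b + shift) % 256 for b in data).hex()


def shift_hex_decode(text: str, shift: int = SHIFT) -> bytes:
    """Reverse shift_hex_encode: hex-decode, then undo the per-byte shift."""
    return bytes((b - shift) % 256 for b in bytes.fromhex(text))


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then remap each character to the non-standard alphabet."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CUSTOM)


def custom_b64decode(text: str) -> bytes:
    """Map the non-standard alphabet back to standard Base64 and decode."""
    return base64.b64decode(text.translate(_TO_STD))


def obfuscate(plaintext: bytes) -> str:
    """Layer the two transforms (shift+hex first, custom Base64 on top)."""
    return custom_b64encode(shift_hex_encode(plaintext).encode("ascii"))


def deobfuscate(blob: str) -> bytes:
    """Peel the layers in reverse order to recover the beacon/tasking data."""
    return shift_hex_decode(custom_b64decode(blob).decode("ascii"))


# Telegram Bot API calls have the public form
# https://api.telegram.org/bot<token>/<method>. Without TLS inspection a proxy
# only sees a CONNECT to the hostname, so the method group is optional.
TELEGRAM_BOT_API = re.compile(
    r"(?:https?://)?api\.telegram\.org(?::\d+)?(?:/bot[^/\s]+/(\w+))?"
)

# Constructed proxy log lines: timestamp, client IP, method, target, status.
SAMPLE_PROXY_LOG = [
    "2022-02-24T10:01:02Z 10.0.0.25 GET https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN/getUpdates 200",
    "2022-02-24T10:01:05Z 10.0.0.25 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN/sendDocument 200",
    "2022-02-24T10:01:09Z 10.0.0.31 CONNECT api.telegram.org:443 200",
    "2022-02-24T10:01:11Z 10.0.0.40 GET https://www.example.com/index.html 200",
]


def flag_telegram_bot_traffic(log_lines):
    """Return (client_ip, api_method_or_None) for every Telegram Bot API hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than guessing at fields
        client_ip, target = fields[1], fields[3]
        match = TELEGRAM_BOT_API.match(target)
        if match:
            hits.append((client_ip, match.group(1)))
    return hits


if __name__ == "__main__":
    beacon = b"host=WS01;user=alice;pid=4120"  # constructed beacon body
    wrapped = obfuscate(beacon)
    print("obfuscated beacon:", wrapped)
    print("recovered:", deobfuscate(wrapped))
    for ip, method in flag_telegram_bot_traffic(SAMPLE_PROXY_LOG):
        print(f"Telegram Bot API traffic from {ip}: {method or 'hostname only (CONNECT)'}")
```

The decoder is only as good as the constants pulled from the sample; the point of the round trip is that once the shift and alphabet are known, the beacon content is plain text again, so the obfuscation buys the operator nothing against an analyst with the binary. On the network side, the log matcher deliberately matches on the hostname alone, because in most environments the path and bot token are inside TLS; an organisation that has no business use for Telegram bots can treat any `api.telegram.org` connection from a server or workstation as worth a look.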
MuddyWater (also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros) is a cyber-espionage group operating since at least 2017. It is notorious for focusing its attacks on Middle Eastern targets and updating its malware toolset regularly. Despite its relative youth, the Iranian-backed threat group is quite active, targeting telecommunications, government (IT services), and oil sector organizations.
It has also targeted government and defense organizations in Central and Southwest Asia, as well as corporate and public organizations in North America, Europe, and Asia [1, 2, 3]. US Cyber Command (USCYBERCOM) publicly linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS), the country’s top government intelligence organization, in January 2022.
This announcement comes after a similar one published on Wednesday, which linked new malware known as Cyclops Blink to the Russian-backed Sandworm hacking group. Since at least June 2019, Sandworm operators have been using Cyclops Blink to build a new botnet that replaces VPNFilter, ensnaring vulnerable WatchGuard Firebox and other Small Office/Home Office (SOHO) network devices.