October 19, 2023 at 12:45PM
The Iranian state-sponsored group APT34, also known as OilRig (not to be confused with MuddyWater, a separate Iranian group also linked to MOIS), breached a Middle Eastern government network and kept access for eight months. It used a PowerShell backdoor called PowerExchange to steal credentials and data while hiding its command traffic inside ordinary Exchange email, alongside other tools including Backdoor.Tokel, Trojan.Dirps, Infostealer.Clipog, Mimikatz, and Plink. The intrusion covered reconnaissance, lateral movement, and data harvesting. Despite its toolset leaking in 2019, the group remains active.
Key Takeaways:
– The group, tracked as APT34 or OilRig, compromised at least twelve computers on a Middle Eastern government network and held access for eight months, between February and September 2023.
– APT34 is linked to Iran’s Ministry of Intelligence and Security (MOIS) and is known for attacks against targets in the U.S., the Middle East, and Albania.
– The intrusion involved credential and data theft and the installation of ‘PowerExchange’, a PowerShell backdoor that received its commands through a Microsoft Exchange mailbox.
– PowerExchange was first reported in May 2023 and attributed to APT34; the samples came from systems compromised in the United Arab Emirates.
– The backdoor logged into the Exchange server with credentials supplied to it and polled the mailbox for messages whose subject matched a fixed pattern; the attachment of a matching message carried base64-encoded commands to run.
– After running the commands in PowerShell, the backdoor moved the message to ‘Deleted Items’ to reduce the chance of discovery.
– Command output was emailed back to the operators through the same mailbox.
– The group also used Backdoor.Tokel, Trojan.Dirps, Infostealer.Clipog, Mimikatz, and Plink.
– Activity began on February 1, 2023 and continued, with intervals, into September.
– The first activity was a PowerShell script (joper.ps1) run multiple times during the first week.
– Over the following months further hosts were compromised and more tools deployed: Plink was used to configure RDP access, batch files were executed, Mimikatz was run, and SSH tunnels were set up.
– In August the attackers ran Nessus scans for Log4j vulnerabilities and compromised additional systems.
– The last activity Symantec observed was on September 9, 2023, on the second web server.
– Symantec observed malicious activity on at least twelve computers, but the evidence suggests backdoors and keyloggers were deployed on many more.
– The campaign spanned reconnaissance, lateral movement, and data exfiltration, showing the group’s breadth of capability.
– Despite the leak of its toolset in 2019, the group remains active, as this prolonged and varied intrusion shows.
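The command loop described in the takeaways (inbound mail with a marked subject and base64 attachment, command executed, message moved to Deleted Items, output mailed back) leaves a three-part trail a defender can correlate. The following hunt is an added example, not code from Symantec, Fortinet or the page: it flattens the records a defender can actually collect on Exchange (inbound deliveries and outbound sends from message tracking, MoveToDeletedItems operations from mailbox audit logging) into one constructed `timestamp|kind|mailbox|peer|subject` format and flags a delivery that is both deleted and answered to the sender within a short window. The mailbox names, peer addresses, timestamps and the subject marker `-CMD-` are assumptions; the backdoor's real subject pattern is not given on the page.

```python
"""Hunt for a mail-based command loop of the kind PowerExchange uses.

Added example, not the page's or Symantec's code. Input format, addresses,
timestamps and the '-CMD-' subject marker are all constructed assumptions.
"""
import base64
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

SUBJECT_MARKER = "-CMD-"  # assumed stand-in for the backdoor's subject pattern


@dataclass
class MailEvent:
    ts: datetime
    kind: str      # "deliver" (inbound), "send" (outbound), "move_to_deleted"
    mailbox: str   # mailbox the backdoor logs into
    peer: str      # external counterpart: sender on deliver, recipient on send
    subject: str


def parse_events(lines: Iterable[str]) -> list[MailEvent]:
    """Parse constructed 'ts|kind|mailbox|peer|subject' lines, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, mailbox, peer, subject = line.split("|", 4)
        events.append(MailEvent(datetime.fromisoformat(ts), kind,
                                mailbox.lower(), peer.lower(), subject))
    return sorted(events, key=lambda e: e.ts)


def find_c2_loops(events: list[MailEvent],
                  window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag a delivery that, within `window`, is both moved to Deleted Items
    (same mailbox and subject) and answered by an outbound message to the
    sending address. Legitimate mail rarely does all three that quickly;
    the backdoor does it on every command."""
    by_mailbox = defaultdict(list)
    for e in events:
        by_mailbox[e.mailbox].append(e)
    hits = []
    for mailbox, evs in by_mailbox.items():
        for d in (e for e in evs if e.kind == "deliver"):
            later = [e for e in evs if d.ts < e.ts <= d.ts + window]
            moved = any(e.kind == "move_to_deleted" and e.subject == d.subject
                        for e in later)
            replied = any(e.kind == "send" and e.peer == d.peer for e in later)
            if moved and replied:
                hits.append({"mailbox": mailbox, "peer": d.peer,
                             "delivered": d.ts, "subject": d.subject,
                             "marker": SUBJECT_MARKER in d.subject})
    return hits


def decode_command(attachment_b64: str) -> str:
    """Recover the plaintext command carried in a base64 attachment body."""
    return base64.b64decode(attachment_b64).decode("utf-8")


# Constructed sample: one command/response cycle on a service mailbox, plus
# two benign sequences that must not fire (a slow reply with no deletion,
# and a quick deletion with no reply).
SAMPLE_LOG = """
# ts|kind|mailbox|peer|subject
2023-03-04T09:00:00|deliver|svc-backup@gov.example|ops@mail.example|Quarterly figures -CMD- 17
2023-03-04T09:00:40|move_to_deleted|svc-backup@gov.example|ops@mail.example|Quarterly figures -CMD- 17
2023-03-04T09:01:05|send|svc-backup@gov.example|ops@mail.example|Re: Quarterly figures -CMD- 17
2023-03-04T10:15:00|deliver|svc-backup@gov.example|hr@gov.example|Holiday schedule
2023-03-04T11:30:00|send|svc-backup@gov.example|hr@gov.example|Re: Holiday schedule
2023-03-05T08:00:00|deliver|alice@gov.example|newsletter@vendor.example|Weekly digest
2023-03-05T08:02:00|move_to_deleted|alice@gov.example|newsletter@vendor.example|Weekly digest
"""

# Constructed attachment body: base64 of the text "whoami; hostname".
SAMPLE_ATTACHMENT = "d2hvYW1pOyBob3N0bmFtZQ=="


def run_hunt(log_text: str = SAMPLE_LOG) -> list[dict]:
    """Parse the log and return the flagged command loops."""
    return find_c2_loops(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"[!] {hit['mailbox']} <-> {hit['peer']} at {hit['delivered']}: "
              f"{hit['subject']!r} (marker={hit['marker']})")
    print("attachment decodes to:", decode_command(SAMPLE_ATTACHMENT))
```

Moving a message to Deleted Items does not erase the trail: on-premises Exchange records the move as a MoveToDeletedItems operation once mailbox audit logging is enabled for the mailbox (Search-MailboxAuditLog), and message tracking (Get-MessageTrackingLog) records both the inbound and outbound legs, so the correlation above needs nothing beyond logs Exchange already produces. Treat the subject marker as a weak signal and the deliver-delete-reply timing as the strong one; the marker is there only so an analyst can see which flagged loops also match the pattern reported for the backdoor.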