Back

Unmasking MuddyWater's Multiple RMM Software Attacks

Sept. 24, 2024, 2:10 p.m.

Tags

2024-09-24
phonyc2
muddyc2go
darkbeatc2
powermud

External References

https://mp.weixin.qq.com/

https://otx.alienvault.com/

Description

MuddyWater, a threat group active since 2017, has been utilizing various Remote Monitoring and Management (RMM) software for attacks, particularly in the Middle East. Their tactics include spear-phishing emails with malicious attachments or links, leading to the installation of RMM tools like Atera Agent, ScreenConnect, Remote Utilities, N-Able, Syncro, and SimpleHelp. These legitimate tools are exploited to gain remote access and control over victim systems. The group's attacks are characterized by Arabic-language lures, use of file-sharing services, and a consistent deployment process. MuddyWater's activities primarily target government, military, and energy sectors, demonstrating sophisticated evasion techniques and a large arsenal of attack tools.

Date

Published Created Modified
Sept. 24, 2024, 1:20 p.m. Sept. 24, 2024, 1:20 p.m. Sept. 24, 2024, 2:10 p.m.

Indicators

f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376

f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393

f511bdd471096fc81dc8dad6806624a73837710f99b76b69c6501cb90e37c311

dedc593acc72c352feef4cc2b051001bfe22a79a3a7852f0daf95e2d10e58b84

d65d80ab0ccdc7ff0a72e71104de2b4c289c02348816dce9996ba3e2a4c1dd62

d550f0f9c4554e63b6e6d0a95a20a16abe44fa6f0de62b6615b5fdcdb82fe8e1

b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf

9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27

8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f

887c09e24923258e2e2c28f369fba3e44e52ce8a603fa3aee8c3fb0f1ca660e1

7e7292b5029882602fe31f15e25b5c59e01277abaab86b29843ded4aa0dcbdd1

77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1

70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b

5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd

5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b

4f839eac8204930ecc21a35476069daabbd40c14ef5af4db0e66de9b6a2e62fb

3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b

31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535

39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e

f17f6866f4748e6e762752062acdf983d3b083371db83503686b91512b9bcae3

ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0

cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33

bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a

7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f

85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b

4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b

165a80f6856487b3b4f41225ac60eed99c3d603f5a35febab8235757a273d1fd

2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b

09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6

ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0

ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909

fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1

dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5

c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4

2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69

638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2

14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144

a6b1de8184a7e560cea461b0e05d4136d0068b35c12c0889c4036d177e331a83

9a785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfb

9a33655007a4fddf9c434d84fafe205479aaa3f5eaf7425e14beb83e46fa7041

65667d0b1710636d4b2030a25f64d0f960d75ebfc3f5ad92f03f78293b47ed75

28fadc26a2bee907fbdbf1aaebac6c7e6f8aa95e8c312cd659d19b82d1dfa70e

0187db1c61f146d49f74fb7db1dccec1e42ad7d431bffbfcaeec910af1a4bc68

3f9db7bf1c9d897d46f669854e7ecc945778024f04cac9cd1585140d0d73a34f

146.70.149.61

193.109.120.59

51.255.19.178

51.254.25.36

178.32.30.3

Attack Patterns

Powermud

PhonyC2

DarkBeatC2

MuddyC2Go

MuddyWater

T1078.004

T1021

T1573

T1218

T1106

T1105

T1071

T1102

T1569

T1219

T1036

T1204

T1140

T1132

T1027

T1053

T1566

T1078

T1059

Additional Informations

Energy

Defense

Telecommunications

Government

United States of America