Unmasking MuddyWater's Multiple RMM Software Attacks

Sept. 24, 2024, 2:10 p.m.

Description

MuddyWater, a threat group active since 2017, has been using a range of legitimate Remote Monitoring and Management (RMM) software in its attacks, particularly in the Middle East. Its tactics include spear-phishing emails with malicious attachments or links that lead to the installation of RMM tools such as Atera Agent, ScreenConnect, Remote Utilities, N-Able, Syncro, and SimpleHelp. These legitimate tools are abused to gain remote access to and control over victim systems. The group's attacks are characterized by Arabic-language lures, the use of file-sharing services, and a consistent deployment process. MuddyWater's activities primarily target the government, military, and energy sectors, and show sophisticated evasion techniques and a large arsenal of attack tools.

Date

  • Created: Sept. 24, 2024, 1:20 p.m.
  • Published: Sept. 24, 2024, 1:20 p.m.
  • Modified: Sept. 24, 2024, 2:10 p.m.

Indicators


Attack Patterns

  • Powermud
  • PhonyC2
  • DarkBeatC2
  • MuddyC2Go
  • MuddyWater
  • T1078.004
  • T1021
  • T1573
  • T1218
  • T1106
  • T1105
  • T1071
  • T1102
  • T1569
  • T1219
  • T1036
  • T1204
  • T1140
  • T1132
  • T1027
  • T1053
  • T1566
  • T1078
  • T1059

Additional Information

  • Energy
  • Defense
  • Telecommunications
  • Government
  • United States of America