MuddyWater | APT Profile

Description

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

Techniques Used (TTPs)

T1566.002 — Spearphishing Link (initial-access)
T1137.001 — Office Template Macros (persistence)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1588.002 — Tool (resource-development)
T1218.005 — Mshta (defense-evasion)
T1047 — Windows Management Instrumentation (execution)
T1003.004 — LSA Secrets (credential-access)
T1566.001 — Spearphishing Attachment (initial-access)
T1559.001 — Component Object Model (execution)
T1059.003 — Windows Command Shell (execution)
T1218.003 — CMSTP (defense-evasion)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1087.002 — Domain Account (discovery)
T1059.007 — JavaScript (execution)
T1583.006 — Web Services (resource-development)
T1059.005 — Visual Basic (execution)
T1016 — System Network Configuration Discovery (discovery)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1559.002 — Dynamic Data Exchange (execution)
T1027.010 — Command Obfuscation (defense-evasion)
T1027.004 — Compile After Delivery (defense-evasion)
T1518.001 — Security Software Discovery (discovery)
T1074.001 — Local Data Staging (collection)
T1113 — Screen Capture (collection)
T1071.001 — Web Protocols (command-and-control)
T1518 — Software Discovery (discovery)
T1083 — File and Directory Discovery (discovery)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1573.001 — Symmetric Cryptography (command-and-control)
T1555.003 — Credentials from Web Browsers (credential-access)
T1560.001 — Archive via Utility (collection)
T1059.006 — Python (execution)
T1049 — System Network Connections Discovery (discovery)
T1082 — System Information Discovery (discovery)
T1555 — Credentials from Password Stores (credential-access)
T1057 — Process Discovery (discovery)
T1132.001 — Standard Encoding (command-and-control)
T1104 — Multi-Stage Channels (command-and-control)
T1204.001 — Malicious Link (execution)
T1027.003 — Steganography (defense-evasion)
T1003.001 — LSASS Memory (credential-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1090.002 — External Proxy (command-and-control)
T1204.002 — Malicious File (execution)
T1033 — System Owner/User Discovery (discovery)
T1219 — Remote Access Tools (command-and-control)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1059.001 — PowerShell (execution)
T1102.002 — Bidirectional Communication (command-and-control)
T1218.011 — Rundll32 (defense-evasion)
T1552.001 — Credentials In Files (credential-access)
T1190 — Exploit Public-Facing Application (initial-access)
T1210 — Exploitation of Remote Services (lateral-movement)
T1203 — Exploitation for Client Execution (execution)
T1003.005 — Cached Domain Credentials (credential-access)

Total TTPs: 58

Malware & Tools

Malware: Mori, POWERSTATS, PowGoop, SHARPSTATS, STARWHALE, Small Sieve

Tools: ConnectWise, CrackMapExec, Empire, Koadic, LaZagne, Mimikatz, Out1, PowerSploit, RemoteUtilities

← Return to Home ← Back to APT Search