MuddyWater, a notorious threat actor group linked to the Iranian intelligence service, has been operating a new malware campaign that targeted several Western and Middle Eastern entities. The malware, dubbed “MuddyRot,” is a backdoor implant developed in C with a wide range of capabilities and was used primarily to attack various countries in the Middle East, such as Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel.
MuddyRot Malware
Researchers from Sekoia observed that the new MuddyRot malware is distributed through malicious PDF files and relies on public exploits to compromise internet-exposed servers, such as Exchange or SharePoint servers, moving laterally within the entire network after successful compromise.
After this stage, the threat actors sent spear phishing emails from compromised email accounts to bypass security measures and increase the appearance of legitimacy in the recipient’s eyes.
MuddyRot is a sophisticated malware that uses a combination of obfuscation and encryption to evade detection from security tools. Upon execution, the malware de-obfuscates strings, loads necessary functions, and creates a ‘mutex’ (lock-in program that prevents simultaneous access from other processes) to establish exclusive control over the program. It also uses dynamic import loading to reduce the potential digital footprint.
The malware establishes persistence on the infected host by creating a scheduled task and copying itself to a system directory. It then communicates with its command and control (C2) server over a raw TCP socket.
The MuddyRot malware supports various commands, including file upload and download, reverse shell, and process kill. The reverse shell capability allows the operator to connect to the victim host and execute commands remotely, capturing the results in real-time.
The malware’s C2 communication is obfuscated, using a fixed subtraction value to decode the incoming inputs and add three bytes to the output. The developer of this backdoor added the “terminate” command to stop the reverse shell. The MuddyRot backdoor implant is capable of executing the following commands:
These commands are communicated with C2 servers over the TCP port 443, along with further obfuscation to avoid detection.
Shifting Tactics
The MuddyWater group altered its infection strategy from relying on off-the-shelf software remote monitoring tools such as Atera and SimpleHelp to the custom-built MuddyRot implant. While the exact reasons for this switch are unknown, the researchers speculate that the change could be due to the the increased scrutiny of these tools by security vendors, with the attackers possibly running into difficulties during deployment of the Atera tool on targets. These difficulties may have prompted the group to switch to something more custom.
The researchers note the departure in the MuddyWater’s group’s recent campaigns from their traditional infection chain to the use of well-known exploits and distribution of spear phishing emails with PDF files embedded with links to load the MuddyRot validator. This new tactic allows the malware to evade detection and increases its chances of successful infection.
The researchers have shared potential indicators of compromise (IOCs) over GitHub to protect against MuddyRot’s deployment. Other cybersecurity firms such as Check Point and ClearSky recently conducted their own investigations into the new malware campaign from the Iranian threat actor.