Skip to content

G0069 MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).3 Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.51112946

Item Value
ID G0069
Associated Names Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros
Version 4.1
Created 18 April 2018
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Earth Vetala 8
MERCURY 7
Static Kitten 78
Seedworm 1178
TEMP.Zagros 1078

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control MuddyWater uses various techniques to bypass UAC.1
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account MuddyWater has used cmd.exe net user /domain to enumerate domain users.8
enterprise T1583 Acquire Infrastructure -
enterprise T1583.006 Web Services MuddyWater has used file sharing services including OneHub to distribute tools.78
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols MuddyWater has used HTTP for C2 communications.28
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.11
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.101312986
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell MuddyWater has used PowerShell for execution.101413111129846
enterprise T1059.003 Windows Command Shell MuddyWater has used a custom tool for creating reverse shells.11
enterprise T1059.005 Visual Basic MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.1014131112986
enterprise T1059.006 Python MuddyWater has used developed tools in Python including Out1.8
enterprise T1059.007 JavaScript MuddyWater has used JavaScript files to execute its POWERSTATS payload.1104
enterprise T1555 Credentials from Password Stores MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.5118
enterprise T1555.003 Credentials from Web Browsers MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.118
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding MuddyWater has used tools to encode C2 communications including Base64 encoding.28
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging MuddyWater has stored a decoy PDF file within a victim’s %temp% folder.6
enterprise T1140 Deobfuscate/Decode Files or Information MuddyWater decoded base64-encoded PowerShell commands using a VBS file.101416
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography MuddyWater has used AES to encrypt C2 responses.6
enterprise T1041 Exfiltration Over C2 Channel MuddyWater has used C2 infrastructure to receive exfiltrated data.9
enterprise T1190 Exploit Public-Facing Application MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).4
enterprise T1203 Exploitation for Client Execution MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.2
enterprise T1210 Exploitation of Remote Services MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).4
enterprise T1083 File and Directory Discovery MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords “Kasper,” “Panda,” or “ESET.”13
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses MuddyWater has specifically targeted government agency employees with spearphishing e-mails.7
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.4
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools MuddyWater can disable the system’s local proxy settings.8
enterprise T1105 Ingress Tool Transfer MuddyWater has used malware that can upload additional files to the victim’s machine.13198
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.1324
enterprise T1559.002 Dynamic Data Exchange MuddyWater has used malware that can execute PowerShell scripts via DDE.13
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.10127
enterprise T1104 Multi-Stage Channels MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.12
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.003 Steganography MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.1
enterprise T1027.004 Compile After Delivery MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.1
enterprise T1027.010 Command Obfuscation MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.515 The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.5101312286
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool MuddyWater has made use of legitimate tools ConnectWise and Remote Utilities to gain access to target environment.7
enterprise T1137 Office Application Startup -
enterprise T1137.001 Office Template Macros MuddyWater has used a Word Template, Normal.dotm, for persistence.9
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.5118
enterprise T1003.004 LSA Secrets MuddyWater has performed credential dumping with LaZagne.511
enterprise T1003.005 Cached Domain Credentials MuddyWater has performed credential dumping with LaZagne.511
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.51013278 4
enterprise T1566.002 Spearphishing Link MuddyWater has sent targeted spearphishing e-mails with malicious links.78
enterprise T1057 Process Discovery MuddyWater has used malware to obtain a list of running processes on the system.132
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.11 MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).98
enterprise T1219 Remote Access Software MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.87
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task MuddyWater has used scheduled tasks to establish persistence.9
enterprise T1113 Screen Capture MuddyWater has used malware that can capture screenshots of the victim’s machine.13
enterprise T1518 Software Discovery MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.8
enterprise T1518.001 Security Software Discovery MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.13
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.003 CMSTP MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.10
enterprise T1218.005 Mshta MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.1013
enterprise T1218.011 Rundll32 MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.13
enterprise T1082 System Information Discovery MuddyWater has used malware that can collect the victim’s OS version and machine name.1312986
enterprise T1016 System Network Configuration Discovery MuddyWater has used malware to collect the victim’s IP address and domain name.13
enterprise T1049 System Network Connections Discovery MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.8
enterprise T1033 System Owner/User Discovery MuddyWater has used malware that can collect the victim’s username.138
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files MuddyWater has run a tool that steals passwords saved in victim email.11
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link MuddyWater has distributed URLs in phishing e-mails that link to lure documents.78
enterprise T1204.002 Malicious File MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.5101312297846
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication MuddyWater has used web services including OneHub to distribute remote access tools.7
enterprise T1047 Windows Management Instrumentation MuddyWater has used malware that leveraged WMI for execution and querying host information.131124

Software

ID Name References Techniques
S0591 ConnectWise 78 PowerShell:Command and Scripting Interpreter Screen Capture Video Capture
S0488 CrackMapExec 1611 Domain Account:Account Discovery Brute Force Password Guessing:Brute Force Password Spraying:Brute Force PowerShell:Command and Scripting Interpreter File and Directory Discovery Modify Registry Network Share Discovery LSA Secrets:OS Credential Dumping NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping Password Policy Discovery Domain Groups:Permission Groups Discovery Remote System Discovery At:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Network Connections Discovery Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0363 Empire 16 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0250 Koadic 916 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Data from Local System Asymmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Window:Hide Artifacts Ingress Tool Transfer Network Service Discovery Network Share Discovery NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping Dynamic-link Library Injection:Process Injection Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Regsvr32:System Binary Proxy Execution Rundll32:System Binary Proxy Execution Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Service Execution:System Services Windows Management Instrumentation
S0349 LaZagne 1116 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0002 Mimikatz 516 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S1047 Mori 4 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Standard Encoding:Data Encoding Junk Data:Data Obfuscation Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Modify Registry Query Registry Regsvr32:System Binary Proxy Execution
S0594 Out1 8 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Local Email Collection:Email Collection Obfuscated Files or Information
S0194 PowerSploit 16 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0223 POWERSTATS 5101112 Local Account:Account Discovery JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Component Object Model:Inter-Process Communication Dynamic Data Exchange:Inter-Process Communication Masquerade Task or Service:Masquerading Command Obfuscation:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Process Discovery External Proxy:Proxy Scheduled Task:Scheduled Task/Job Scheduled Transfer Screen Capture Security Software Discovery:Software Discovery Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Windows Management Instrumentation
S1046 PowGoop 4 Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Encrypted Channel DLL Side-Loading:Hijack Execution Flow Match Legitimate Name or Location:Masquerading Masquerading
S0592 RemoteUtilities 8 File and Directory Discovery Ingress Tool Transfer Screen Capture Msiexec:System Binary Proxy Execution
S0450 SHARPSTATS 16 PowerShell:Command and Scripting Interpreter Ingress Tool Transfer Command Obfuscation:Obfuscated Files or Information System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S1035 Small Sieve 417 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Non-Standard Encoding:Data Encoding Asymmetric Cryptography:Encrypted Channel Execution Guardrails Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Obfuscated Files or Information System Network Configuration Discovery System Owner/User Discovery Bidirectional Communication:Web Service
S1037 STARWHALE 4 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Local Data Staging:Data Staged Exfiltration Over C2 Channel Obfuscated Files or Information System Information Discovery System Network Configuration Discovery System Owner/User Discovery Malicious File:User Execution

References

  1. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  2. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. 

  3. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  4. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  5. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. 

  6. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  7. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  8. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  9. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 

  10. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  11. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  12. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  13. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  14. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. 

  15. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017. 

  16. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  17. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.