S1035 Small Sieve
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]
Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]
Item | Value |
---|---|
ID | S1035 |
Associated Names | GRAMDOOR |
Type | MALWARE |
Version | 1.0 |
Created | 16 August 2022 |
Last Modified | 14 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
GRAMDOOR | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Small Sieve can use cmd.exe to execute commands on a victim's system.[2] |
enterprise | T1059.006 | Python | Small Sieve can use Python scripts to execute commands.[2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.002 | Non-Standard Encoding | Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.[1][2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[1] |
enterprise | T1480 | Execution Guardrails | Small Sieve can only execute correctly if the word "Platypus" is passed to it on the command line.[2] |
enterprise | T1105 | Ingress Tool Transfer | Small Sieve has the ability to download files.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[2] |
enterprise | T1027 | Obfuscated Files or Information | Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[2] |
enterprise | T1016 | System Network Configuration Discovery | Small Sieve can obtain the IP address of a victim host.[2] |
enterprise | T1033 | System Owner/User Discovery | Small Sieve can obtain the ID of a logged-in user.[2] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.[2] |
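A defender-side check for the T1547.001, T1036.005 and T1480 rows above, added here as an example and not taken from the ATT&CK page or the cited reports: it scans a constructed list of Run-key values for brand-name lookalikes such as "Microsift" and for the "Platypus" guardrail word on the command line. The sample entries, the 0.8 similarity threshold and the function names are assumptions.

```python
import re
from difflib import SequenceMatcher

# Brand names the page reports Small Sieve imitating ("Microsift" variants of Microsoft/Outlook).
BRAND_TOKENS = ("microsoft", "outlook")
# Command-line guardrail word the page reports Small Sieve requires before it runs.
GUARDRAIL_TOKENS = ("Platypus",)
# Run key path from the page's T1547.001 entry.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of Run-key values as (value_name, command); not a real registry dump.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("OutlookMicrosift", r"C:\Users\u\AppData\Roaming\OutlookMicrosift\update.exe Platypus"),
    ("MicrosoftEdgeAutoLaunch", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]


def _tokens(name):
    """Split a CamelCase value name into lowercase words: 'OutlookMicrosift' -> ['outlook', 'microsift']."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", name)]


def lookalike_tokens(name, threshold=0.8):
    """Return (token, brand) pairs where a token closely resembles a brand word but is not spelled correctly."""
    hits = []
    for tok in _tokens(name):
        for brand in BRAND_TOKENS:
            if tok != brand and SequenceMatcher(None, tok, brand).ratio() >= threshold:
                hits.append((tok, brand))
    return hits


def flag_run_values(values, threshold=0.8):
    """Flag Run-key entries whose name is a brand lookalike or whose command carries the guardrail word."""
    flagged = []
    for value_name, command in values:
        reasons = []
        for tok, brand in lookalike_tokens(value_name, threshold):
            reasons.append(f"value name token '{tok}' resembles '{brand}' (T1036.005)")
        for word in GUARDRAIL_TOKENS:
            if re.search(rf"\b{re.escape(word)}\b", command):
                reasons.append(f"command line carries guardrail word '{word}' (T1480)")
        if reasons:
            flagged.append({"key": RUN_KEY, "value": value_name, "command": command, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_run_values(SAMPLE_RUN_VALUES):
        print(hit["key"] + "\\" + hit["value"], "->", "; ".join(hit["reasons"]))
```

On a live Windows host the same function can be fed the (name, data) pairs read from the Run key with the standard-library winreg module.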
Groups That Use This Software
ID | Name | References |
---|---|---|
G0069 | MuddyWater | [1][2] |
References
1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
2. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
3. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.