The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Muddy Water Uses SloughRAT in Recent Campaigns

Mar 17, 2022 1:21:56 PM / by PolySwarm Tech Team

MuddyWater_Blog

Background

Iranian threat actor group Muddy Water has been very active in the last few months. In February, CISA issued an
alert warning that the group was conducting a campaign targeting global government and commercial networks. Earlier this month, Cisco’s Talos Intelligence published a blog post on Muddy Water activity targeting Turkey and other countries.

Who is Muddy Water?

Muddy Water, also known as Static Kitten, is an Iranian threat actor group active since at least 2017. The group has historically targeted entities in the Middle East but has been known to target other regions as well. Muddy Water primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco assessed Muddy Water is a conglomerate of multiple teams operating independently. Muddy Water TTPs include social engineering, spearphishing, maldocs, LoLBins, Small Sieve, PowGoop, Mori backdoor, Covicli backdoor, Canopy/SloughRAT, Empire, Powerstats/Powermud backdoor, and others. Cisco calls them “extremely motivated and persistent.”

What is SloughRAT?

Cisco said a Muddy Water campaign in January targeted Turkish entities using maldocs and executable-based infection chains. In a more recently observed campaign, Cisco saw Muddy Water targeting Turkey and countries in the Arabian peninsula with maldocs delivering a Windows script file-based RAT, dubbed SloughRAT. SloughRAT is referred to as Canopy in the above referenced CISA alert.

According to Cisco, SloughRAT script uses multilayer obfuscation to hide its true extensions and needs a function name as an argument to properly execute. SloughRAT gathers system information and registers the system with the C2, which is hardcoded into the implant. SloughRAT’s capabilities include information gathering and receiving commands from the C2. In some attacks, Muddy Water used SloughRAT to deploy Lingolo, an open-source reverse tunneling tool. Cisco also discovered two more script based implants used in these campaigns: one written in JavaScript and one written in Visual Basic.

IOCs

PolySwarm has multiple samples of malware associated with recent Muddy Water activity. Below is a selection of IOCs of those samples.

4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c

026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141

7de663524b63b865e57ffc3eb4a339e150258583fdee6c2c2ca4dd7b5ed9dfe7

6e50e65114131d6529e8a799ff660be0fc5e88ec882a116f5a60a2279883e9c4

D77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0

Ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418

C2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e

F10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0

a500e5ab8ce265d1dc8af1c00ea54a75b57ede933f64cea794f87ef1daf287a1


You can use the following CLI command to search for all Muddy Water samples in our portal:

$ polyswarm link list -f MuddyWater


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

 

Topics: Threat Bulletin, Espionage, Iran, Muddy Water, Static Kitten, SloughRAT, Canopy

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts