Regions Targeted: Turkey, Israel, Azerbaijan
Related Families: Phoenix
Key Takeaways
What is UDPGangster?
The delivery starts with phishing emails mimicking official entities, such as the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs. These messages, composed in formal Turkish, invite recipients to a seminar on presidential elections and attach files such as seminer.doc or seminer.zip. Opening the document prompts the user to enable content, which activates the embedded VBA macros. The macros use the Document_Open() event to decode Base64 data from a hidden form field, save it as ui.txt in C:\Users\Public, and launch it via CreateProcessA.
A clever distraction involves the SmartToggle() subroutine, which manipulates two images by toggling their AlternativeText between "Front" and "Back" and adjusting ZOrder to swap visibility. This displays a benign decoy image, often mismatched to the email's theme, while hiding the malicious payload.
Once executed, UDPGangster copies itself to %AppData%\RoamingLow\SystemProc.exe for persistence, adds a registry entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell, and creates a mutex named xhxhxhxhxhxpp.
UDPGangster’s anti-analysis arsenal is comprehensive: it detects debuggers, low-core CPUs via GetLogicalProcessorInformation, insufficient RAM with GlobalMemoryStatusEx, and virtual MAC prefixes from vendors like VMware and VirtualBox using GetAdaptersInfo. Additional checks scan WMI classes for virtualization keywords, enumerate services and processes for tools like VBoxService.exe, and probe registries for indicators such as VBox or QEMU. It also hunts for sandbox DLLs via GetModuleHandleA and flags suspicious filenames.
Once these checks pass, the malware gathers system information (computer name, domain, OS version, and username), encodes it with a ROR transformation, and transmits it to the C2 over UDP port 1269. Supported commands include 0x04 for heartbeats, 0x0A for cmd.exe execution, 0x14 for file exfiltration, 0x1E for payload deployment, and 0x63 for C2 updates.
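As an added defender-side example (not code from the PolySwarm report or from the malware), the following Python correlates host and network telemetry against the behaviours described above, flagging hosts that trip several of them. The event records are constructed for the demo and the field names (host, kind, parent, image, path, key, name, proto, dport) are an assumed schema, not a real sensor format.

```python
# Added example: multi-indicator correlation for the UDPGangster behaviours
# described in the write-up. Event dicts and their field names are assumptions.
import re
from collections import defaultdict

# Each rule: (name, event kind it applies to, predicate over the event dict)
RULES = [
    ("office_macro_drops_public_payload", "process",
     lambda e: re.search(r"winword\.exe$", e.get("parent", ""), re.I) is not None
     and e.get("image", "").lower().startswith("c:\\users\\public\\")),
    ("persistence_copy_roaminglow", "file",
     lambda e: e.get("path", "").lower().endswith(r"\roaminglow\systemproc.exe")),
    ("user_shell_registry_write", "registry",
     lambda e: r"\currentversion\explorer\user shell" in e.get("key", "").lower()),
    ("known_mutex", "mutex",
     lambda e: e.get("name") == "xhxhxhxhxhxpp"),
    ("udp_1269_beacon", "network",
     lambda e: e.get("proto") == "udp" and e.get("dport") == 1269),
]

def score_hosts(events):
    """Return {host: sorted matched rule names} for every host with a hit.
    Several hits on one host is the signal worth escalating; a single hit
    (e.g. one UDP datagram to port 1269) may be benign on its own."""
    hits = defaultdict(set)
    for e in events:
        for name, kind, pred in RULES:
            if e.get("kind") == kind and pred(e):
                hits[e["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}

# Constructed sample telemetry: ws01 shows the full chain, ws02 is clean.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "process", "image": r"C:\Users\Public\ui.txt",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws01", "kind": "file", "path": r"C:\Users\bob\AppData\Roaming\RoamingLow\SystemProc.exe"},
    {"host": "ws01", "kind": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell"},
    {"host": "ws01", "kind": "mutex", "name": "xhxhxhxhxhxpp"},
    {"host": "ws01", "kind": "network", "proto": "udp", "dport": 1269},
    {"host": "ws02", "kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "kind": "network", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(rules)} indicators -> {', '.join(rules)}")
```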
Further probing of TTPs linked these efforts to the MuddyWater threat actor group through mutexes, IPs, and PDB paths. Similar documents targeted Israel and Azerbaijan, with telemetry confirming regional focus. Overlaps with Phoenix Backdoor infrastructure reinforce MuddyWater attribution.
Who is MuddyWater?
MuddyWater, also known as Earth Vetala, Mercury, Static Kitten, Seedworm, TEMP.Zagros, TA450, Boggy Serpens, Cobalt Ulster, and Yellow Nix, is an Iranian state-sponsored advanced persistent threat group focused on cyber espionage. Active since at least 2017, the group operates under the auspices of Iran's Ministry of Intelligence and Security (MOIS), conducting operations to advance national political, economic, and security interests by stealing sensitive intelligence and intellectual property.
MuddyWater employs spear-phishing emails with malicious attachments, such as weaponized PDFs and Microsoft Office documents, to deliver initial payloads like obfuscated PowerShell scripts. These scripts often side-load dynamic link libraries for persistence and deploy backdoors including POWERSTATS, PowGoop, Small Sieve, Canopy, Mori, and the lightweight Phoenix implant. The group exploits known vulnerabilities in unpatched systems, leverages legitimate remote monitoring and management (RMM) tools like SimpleHelp, ScreenConnect, and N-able Advanced Monitoring Agent for C2, and uses tunneling tools such as Chisel for network evasion. Recent evolutions include custom C2 frameworks like DarkBeatC2, MuddyC2Go, and PhonyC2, alongside occasional ransomware deployment for extortion.
Primarily targeting government agencies, defense contractors, energy firms, telecommunications providers, financial institutions, and academic entities, MuddyWater's campaigns concentrate on the Middle East but extend to South Asia, Europe, North Africa, and North America. Affiliated with MOIS, MuddyWater functions as a persistent espionage arm, sharing stolen data with Iranian entities and collaborating with clusters like Storm-1084 for influence operations. Their adaptability and regional focus underscore Iran's growing cyber capabilities amid geopolitical tensions.
IOCs
PolySwarm has multiple samples associated with this activity.
7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53