Summary
Researchers identified a MuddyWater (Static Kitten) intrusion set that combined multiple custom C2 frameworks with opportunistic exploitation of numerous Internet-exposed vulnerabilities and large-scale credential brute-force attacks. The operators chained reconnaissance, initial-access and data-theft tooling to compromise targets in the Middle East, Europe and the United States.
Investigation
Researchers seized exposed infrastructure from a VPS hosted in the Netherlands and extracted binaries for three custom-built C2 servers: KeyC2, PersianC2 and ArenaC2. They also recovered supporting tooling, including PowerShell-based loaders and Node.js payloads used for the staging and execution phase. The activity included broad scanning for public-facing CVEs followed by their exploitation, and incorporated blockchain smart contracts as a mechanism to dynamically resolve or update C2 endpoints.
Mitigation
Prioritize remediation of the referenced CVEs and reduce the attack surface by hardening and limiting the exposure of public-facing services. Block or severely restrict unknown outbound UDP traffic on port 1269, and monitor for execution artifacts tied to the custom C2 binaries and their distinctive command patterns. Apply least privilege to VPN and administrative accounts on network devices, and increase detection coverage for anomalous PowerShell behavior and outbound encrypted sessions to unfamiliar IP space.
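As an added illustration of the monitoring this section calls for (example code written for this page, not part of the original advisory or any vendor detection rule), the script below flags two of the artifacts named in the attack flow: outbound UDP flows to port 1269 (the KeyC2 channel) toward non-private IP space, and writes under HKCU\...\CurrentVersion\Run by PowerShell or node.exe. The log line formats, the internal IP ranges and all sample lines are constructed assumptions.

```python
import ipaddress
import re

KEYC2_UDP_PORT = 1269          # KeyC2 beacon port named in the advisory
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"   # persistence key from the attack flow
SUSPECT_IMAGES = ("powershell.exe", "pwsh.exe", "node.exe")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed, simplified log formats: a firewall flow line and a Sysmon-style registry event line.
FLOW_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
REG_RE = re.compile(r"Image=(?P<image>.+?) TargetObject=(?P<target>\S+)")

# Constructed sample lines, not real telemetry.
FLOW_LINES = [
    "2024-06-01T10:00:01Z proto=UDP src=10.0.0.5:51234 dst=10.0.0.53:53",
    "2024-06-01T10:00:02Z proto=UDP src=10.0.0.5:41002 dst=203.0.113.17:1269",
    "2024-06-01T10:00:03Z proto=TCP src=10.0.0.7:52000 dst=203.0.113.17:1269",
    "2024-06-01T10:00:04Z proto=UDP src=10.0.0.8:41003 dst=10.0.0.20:1269",
]
REG_LINES = [
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
    r"EventID=13 Image=C:\Windows\System32\notepad.exe TargetObject=HKCU\Software\Classes\foo",
]

def is_external(ip):
    """True when the address is outside the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_keyc2_beacons(lines):
    """Return (src, dst) pairs for outbound UDP/1269 flows to external IP space."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m["proto"] == "UDP" and int(m["dport"]) == KEYC2_UDP_PORT and is_external(m["dst"]):
            hits.append((m["src"], m["dst"]))
    return hits

def flag_run_key_writes(lines):
    """Return (image, target) for Run-key writes made by scripting hosts or node.exe."""
    hits = []
    for line in lines:
        m = REG_RE.search(line)
        if m and RUN_KEY.lower() in m["target"].lower() and m["image"].lower().endswith(SUSPECT_IMAGES):
            hits.append((m["image"], m["target"]))
    return hits

if __name__ == "__main__":
    print("KeyC2 candidates:", flag_keyc2_beacons(FLOW_LINES))
    print("Run-key writes:", flag_run_key_writes(REG_LINES))
```

Internal UDP/1269 traffic and Run-key writes by ordinary installers are deliberately left out of the hits so the two checks stay focused on the advisory's indicators.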
Response
If indicators are observed, isolate the affected systems, preserve memory and disk artifacts, and immediately block the identified C2 domains/IPs. Perform forensic analysis of recovered loaders and Node.js scripts to scope execution and persistence. Patch all exploited vulnerabilities and rotate any credentials that may have been exposed through brute force or theft.
<div class="wp-block-socprime-category-attack-flow attack-flow-class" data-title="Attack Flow" data-attack-flow="graph TB
%% Class definitions
classDef action fill:#99ccff
classDef tool fill:#ffcc99
classDef malware fill:#ccffcc
classDef c2 fill:#ffccff
%% Step 1 – Active Scanning: Vulnerability Scanning
step1["<b>Action</b> – <b>T1595.002 Active Scanning: Vulnerability Scanning</b><br/>Tool: Nuclei<br/>Description: Mass‑scan public services for exploitable CVEs such as FortiOS CVE‑2024‑55591 and Ivanti CVE‑2026‑1281."]
class step1 action
tool_nuclei["<b>Tool</b> – <b>Name</b>: Nuclei<br/><b>Description</b>: High‑speed vulnerability scanner used for large‑scale internet probing."]
class tool_nuclei tool
step1 -->|uses| tool_nuclei
step1 -->|leads_to| step2
%% Step 2 – Gather Victim Network Information: DNS
step2["<b>Action</b> – <b>T1590.002 Gather Victim Network Information: DNS</b><br/>Tools: subfinder, Sudomy, OneForAll<br/>Description: Enumerate subdomains and DNS records for targets such as clearview.ai and jewishagency.org."]
class step2 action
tool_subfinder["<b>Tool</b> – <b>Name</b>: subfinder<br/><b>Description</b>: Fast passive subdomain discovery tool."]
class tool_subfinder tool
step2 -->|uses| tool_subfinder
step2 -->|leads_to| step3
%% Step 3 – Active Scanning: Wordlist Scanning
step3["<b>Action</b> – <b>T1595.003 Active Scanning: Wordlist Scanning</b><br/>Tool: ffuf<br/>Description: Brute‑force web directories with a medium‑size wordlist to discover hidden resources."]
class step3 action
tool_ffuf["<b>Tool</b> – <b>Name</b>: ffuf<br/><b>Description</b>: Fast web‑fuzzer for directory and file discovery."]
class tool_ffuf tool
step3 -->|uses| tool_ffuf
step3 -->|leads_to| step4
%% Step 4 – Search Open Technical Databases: Scan Databases
step4["<b>Action</b> – <b>T1596.005 Search Open Technical Databases: Scan Databases</b><br/>Tool: Shodan CLI<br/>Description: Query Shodan for vulnerable Ivanti devices using service signatures and favicon hashes."]
class step4 action
tool_shodan["<b>Tool</b> – <b>Name</b>: Shodan CLI<br/><b>Description</b>: Command‑line interface to the Shodan internet‑exposure search engine."]
class tool_shodan tool
step4 -->|uses| tool_shodan
step4 -->|leads_to| step5
%% Step 5 – Brute Force: Password Spraying
step5["<b>Action</b> – <b>T1110.003 Brute Force: Password Spraying</b><br/>Tool: Python owa.py script<br/>Description: Spray common passwords against Outlook Web Access and SMTP services of Israeli, Jordanian and UAE organisations."]
class step5 action
tool_owa["<b>Tool</b> – <b>Name</b>: owa.py<br/><b>Description</b>: Python script that performs password‑spraying attacks against OWA endpoints."]
class tool_owa tool
step5 -->|uses| tool_owa
step5 -->|leads_to| step6
%% Step 6 – Brute Force: Password Guessing
step6["<b>Action</b> – <b>T1110.001 Brute Force: Password Guessing</b><br/>Tool: Patator<br/>Description: Attempt SMTP logins with credential lists to obtain valid accounts."]
class step6 action
tool_patator["<b>Tool</b> – <b>Name</b>: Patator<br/><b>Description</b>: Multi‑protocol brute‑forcing tool supporting SMTP, SSH, HTTP, etc."]
class tool_patator tool
step6 -->|uses| tool_patator
step6 -->|leads_to| step7
%% Step 7 – Exploit Public‑Facing Application
step7["<b>Action</b> – <b>T1190 Exploit Public‑Facing Application</b><br/>Technique: Novel SQL injection flaws in BaSalam and a Postgres development platform.<br/>Description: Exploit crafted SQLi payloads to obtain initial foothold on web servers."]
class step7 action
step7 -->|leads_to| step8
%% Step 8 – Exploitation of Remote Services
step8["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Tool: Neo‑reGeorg ASPX web‑shell<br/>Description: Upload web‑shell to compromised Exchange server for persistence and remote command execution."]
class step8 action
malware_neoregeorg["<b>Malware</b> – <b>Name</b>: Neo‑reGeorg ASPX web‑shell<br/><b>Description</b>: ASPX web‑shell providing remote command execution and tunneling capabilities."]
class malware_neoregeorg malware
step8 -->|uploads| malware_neoregeorg
step8 -->|leads_to| step9
%% Step 9 – Boot or Logon Autostart Execution: Registry Run Keys
step9["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys</b><br/>Malware: Node.js payload VfZUSQi6oerKau.js<br/>Description: Create HKCU\Software\Microsoft\Windows\CurrentVersion\Run key for persistence."]
class step9 action
malware_nodejs["<b>Malware</b> – <b>Name</b>: VfZUSQi6oerKau.js<br/><b>Description</b>: Obfuscated Node.js payload that writes a Run‑key for persistence."]
class malware_nodejs malware
step9 -->|creates| malware_nodejs
step9 -->|leads_to| step10
%% Step 10 – Server Software Component: Web Shell
step10["<b>Action</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/>Component: Neo‑reGeorg web‑shell (nfud.aspx)<br/>Description: Enables remote command execution on compromised server."]
class step10 action
malware_nfud["<b>Malware</b> – <b>Name</b>: nfud.aspx<br/><b>Description</b>: ASPX web‑shell variant used for persistent access."]
class malware_nfud malware
step10 -->|implements| malware_nfud
step10 -->|leads_to| step11
%% Step 11 – Create Account: Local Account
step11["<b>Action</b> – <b>T1136.001 Create Account: Local Account</b><br/>Result: Privileged admin account #quot;FortiSetup#quot; with super_admin profile.<br/>Description: Modified FortiGate exploit scripts to add a persistent local admin account."]
class step11 action
step11 -->|leads_to| step12
%% Step 12 – Obfuscated Files or Information
step12["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>Malware: Node.js payloads<br/>Description: Payloads heavily obfuscated and AES‑CBC encrypted before being written to disk."]
class step12 action
malware_obf["<b>Malware</b> – <b>Name</b>: Encrypted Node.js payloads<br/><b>Description</b>: AES‑CBC encrypted blobs stored on the victim file system."]
class malware_obf malware
step12 -->|produces| malware_obf
step12 -->|leads_to| step13
%% Step 13 – Deobfuscate/Decode Files or Information
step13["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Tool: PowerShell loader reset.ps1<br/>Description: Decrypts AES‑CBC encrypted blobs at runtime."]
class step13 action
tool_psloader["<b>Tool</b> – <b>Name</b>: reset.ps1<br/><b>Description</b>: PowerShell script that decrypts and loads malicious payloads in memory."]
class tool_psloader tool
step13 -->|uses| tool_psloader
step13 -->|leads_to| step14
%% Step 14 – Reflective Code Loading
step14["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Technique: PowerShell loader loads decrypted Node.js components reflectively in memory."]
class step14 action
step14 -->|leads_to| step15
%% Step 15 – Application Layer Protocol: Web Protocols
step15["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>C2: PersianC2<br/>Description: HTTP polling using JSON API endpoints to retrieve commands."]
class step15 action
c2_persian["<b>C2</b> – <b>Name</b>: PersianC2<br/><b>Description</b>: HTTP‑based command and control using JSON polling."]
class c2_persian c2
step15 -->|communicates_via| c2_persian
step15 -->|leads_to| step16
%% Step 16 – Non‑Application Layer Protocol
step16["<b>Action</b> – <b>T1095 Non‑Application Layer Protocol</b><br/>C2: KeyC2<br/>Description: Custom binary protocol over UDP port 1269 for beaconing and command execution."]
class step16 action
c2_key["<b>C2</b> – <b>Name</b>: KeyC2<br/><b>Description</b>: UDP‑based covert channel using proprietary binary format."]
class c2_key c2
step16 -->|communicates_via| c2_key
step16 -->|leads_to| step17
%% Step 17 – Web Service: Dead Drop Resolver
step17["<b>Action</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>Technique: Query Ethereum smart contracts to resolve C2 server IP addresses dynamically."]
class step17 action
step17 -->|leads_to| step18
%% Step 18 – Web Service: Bidirectional Communication
step18["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>C2: ArenaC2 (FastAPI/uvicorn)<br/>Description: HTTP POST interface encrypting traffic with AES‑256‑CBC."]
class step18 action
c2_arena["<b>C2</b> – <b>Name</b>: ArenaC2<br/><b>Description</b>: FastAPI server providing encrypted bidirectional C2 channel."]
class c2_arena c2
step18 -->|uses| c2_arena
step18 -->|leads_to| step19
%% Step 19 – Web Service: One‑Way Communication
step19["<b>Action</b> – <b>T1102.003 Web Service: One‑Way Communication</b><br/>Component: Minimal Flask server (web.py) on port 10443 accepting file uploads for exfiltration."]
class step19 action
malware_flask["<b>Malware</b> – <b>Name</b>: web.py<br/><b>Description</b>: Simple Flask app acting as a dead‑drop for stolen data."]
class malware_flask malware
step19 -->|implements| malware_flask
step19 -->|leads_to| step20
%% Step 20 – Protocol Tunneling
step20["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Tool: Neo‑reGeorg acting as SOCKS proxy (resocks, revsocks) to tunnel into internal networks."]
class step20 action
step20 -->|leads_to| step21
%% Step 21 – Proxy: External Proxy
step21["<b>Action</b> – <b>T1090.002 Proxy: External Proxy</b><br/>Listeners: resocks and revsocks creating external SOCKS proxies for lateral movement."]
class step21 action
step21 -->|leads_to| step22
%% Step 22 – Encrypted Channel: Symmetric Cryptography
step22["<b>Action</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/>Technique: ArenaC2 encrypts all C2 traffic with AES‑256‑CBC using a hard‑coded key."]
class step22 action
step22 -->|leads_to| step23
%% Step 23 – Dynamic Resolution
step23["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Method: Smart‑contract calls (getString) on Ethereum return active C2 IP list (e.g., 185.236.25.119)."]
class step23 action
step23 -->|leads_to| step24
%% Step 24 – Exfiltration to Cloud Storage
step24["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage</b><br/>Tool: rclone<br/>Destination: Wasabi S3, put.io<br/>Description: Upload stolen files to cloud storage accounts."]
class step24 action
tool_rclone["<b>Tool</b> – <b>Name</b>: rclone<br/><b>Description</b>: Command‑line program for syncing files to cloud storage services."]
class tool_rclone tool
step24 -->|uses| tool_rclone
step24 -->|leads_to| step25
%% Step 25 – Exfiltration Over C2 Channel
step25["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Capability: KeyC2 and PersianC2 support file download commands to retrieve data from victims."]
class step25 action
step25 -->|leads_to| step26
%% Step 26 – Exfiltration Over Alternative Protocol
step26["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b>
Attack Flow