Summary
Researchers identified a MuddyWater (Static Kitten) intrusion set that combined several custom C2 frameworks with opportunistic exploitation of numerous Internet-exposed vulnerabilities and high-volume password spraying. The operators chained reconnaissance, initial-access and data-theft tooling to compromise targets in the Middle East, Europe and the United States.
Investigation
Investigators seized exposed infrastructure on a VPS hosted in the Netherlands and extracted binaries for three purpose-built C2 servers: KeyC2, PersianC2 and ArenaC2. They also recovered supporting tooling, including PowerShell-based loaders and Node.js payloads used for staging and execution. The activity included broad scanning for exposed CVEs followed by exploitation, and it used Ethereum smart contracts as a dead-drop resolver to dynamically resolve or update C2 endpoints.
Mitigation
Prioritise patching the referenced CVEs (the attack flow names FortiOS CVE-2024-55591 and Ivanti CVE-2026-1281) and shrink the attack surface by hardening public-facing services and limiting their exposure. Block or strictly restrict unknown outbound UDP traffic to port 1269 (the KeyC2 beacon port), review egress to the file-upload listener on TCP port 10443, and monitor for execution artefacts tied to the custom C2 binaries and their distinctive command patterns. Enforce least privilege for VPN and administrative accounts on network devices, and extend detection coverage to anomalous PowerShell behaviour and encrypted outbound sessions to unusual IP addresses.
Response
If indicators are observed, isolate the affected systems, preserve memory and disk artefacts, and immediately block the identified C2 domains and IPs. Perform forensic triage of the recovered loaders and Node.js scripts to scope execution and persistence. Because ArenaC2 encrypts its HTTP POST traffic with a hard-coded AES-256-CBC key, retained packet captures of that channel can be decrypted once the key is recovered from the seized server or client components. Patch every exploited vulnerability and rotate any credentials that may have been exposed through spraying or theft.
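An added example (not from the report) of the egress hunt this paragraph calls for, run over a constructed Zeek-style conn.log excerpt: it flags outbound UDP to port 1269 (KeyC2 beacons), flows to the C2 address the report cites, and lopsided bulk uploads to TCP 10443 (the Flask upload listener from the attack flow). The byte thresholds, the column subset, the sample rows and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

# Column subset of a Zeek conn.log (the real log carries more fields); the
# constructed sample below is whitespace-separated so split() handles it.
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "duration", "orig_bytes", "resp_bytes")
Conn = namedtuple("Conn", FIELDS)

KNOWN_C2_IPS = {"185.236.25.119"}     # address cited in the report
KEYC2_UDP_PORT = 1269                 # KeyC2 beacon port from the attack flow
DROP_PORT = 10443                     # Flask web.py upload server port
UPLOAD_MIN_BYTES = 1_000_000          # assumption: only uploads above 1 MB
UPLOAD_RATIO = 10                     # assumption: client sent >10x what it received

# RFC 1918 only. ipaddress.is_private would also treat the RFC 5737 documentation
# ranges used in the sample (203.0.113.0/24, 198.51.100.0/24) as private and hide them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows.
SAMPLE_CONN_LOG = """\
#fields ts uid orig_h orig_p resp_h resp_p proto duration orig_bytes resp_bytes
1718000001.10 CA1 10.20.3.15 51023 203.0.113.7 1269 udp 0.02 64 32
1718000002.40 CA2 10.20.3.15 51024 203.0.113.7 1269 udp 0.02 64 32
1718000003.00 CA3 10.20.3.21 49210 198.51.100.9 443 tcp 1.50 4120 38800
1718000004.00 CA4 10.20.3.21 49211 185.236.25.119 443 tcp 0.90 2200 1900
1718000005.00 CA5 10.20.7.8 49300 203.0.113.50 10443 tcp 42.0 52428800 410
1718000006.00 CA6 10.20.7.9 49301 203.0.113.51 10443 tcp 3.00 5100 22000
1718000007.00 CA7 10.20.3.15 51025 10.20.0.53 1269 udp 0.01 64 32
"""


def parse_conn_log(text):
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                  # malformed row: skip rather than abort the hunt
        conns.append(Conn(*parts))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(conns):
    """Return (findings, beacon_counts); findings are (uid, rule, severity)."""
    findings, beacons = [], Counter()
    for c in conns:
        if not is_internal(c.orig_h) or is_internal(c.resp_h):
            continue                  # only internal -> external flows matter here
        if c.resp_h in KNOWN_C2_IPS:
            findings.append((c.uid, "known_c2_ip", "high"))
        if c.proto == "udp" and int(c.resp_p) == KEYC2_UDP_PORT:
            findings.append((c.uid, "keyc2_udp_1269", "high"))
            beacons[(c.orig_h, c.resp_h)] += 1
        if (c.proto == "tcp" and int(c.resp_p) == DROP_PORT
                and int(c.orig_bytes) >= UPLOAD_MIN_BYTES
                and int(c.orig_bytes) > UPLOAD_RATIO * int(c.resp_bytes)):
            findings.append((c.uid, "bulk_upload_to_10443", "medium"))
    return findings, beacons


if __name__ == "__main__":
    found, counts = hunt(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, rule, sev in found:
        print(f"{sev:6} {rule:22} {uid}")
    for (src, dst), n in counts.items():
        print(f"{src} -> {dst}:{KEYC2_UDP_PORT}/udp  {n} beacon(s)")
```

Port 10443 is a common alternative HTTPS port, so the upload rule is deliberately gated on volume and asymmetry to stay at medium severity; the beacon counter is what turns a single UDP/1269 hit into a host worth isolating.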
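Step 11 of the attack flow below records a persistent "FortiSetup" account with the super_admin profile added to compromised FortiGates. As part of the triage above, this added example (not the report's code) parses the `config system admin` block of a FortiOS configuration backup (the output of `show system admin` on the CLI, or the exported .conf file) and flags super_admin accounts outside an expected allowlist and accounts with no trusthost restriction. The sample configuration and the allowlist are constructed.

```python
import re

# Constructed excerpt in FortiOS configuration syntax; "admin" is the expected
# built-in account, "FortiSetup" is the name the report gives the actor's account.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.0.0
        set password ENC redacted
    next
    edit "noc-ro"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.20.9.0 255.255.255.0
    next
    edit "FortiSetup"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC redacted
    next
end
config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
    next
end
"""

EXPECTED_SUPER_ADMINS = {"admin"}   # assumption: the organisation's documented break-glass set


def parse_admins(config_text):
    """Return {name: {"accprofile": str|None, "trusthosts": [...]}} from 'config system admin'."""
    admins, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":               # end of the admin block; later sections are ignored
            break
        m = re.match(r'edit "([^"]*)"', line)
        if m:
            current = m.group(1)
            admins[current] = {"accprofile": None, "trusthosts": []}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r'set accprofile "([^"]*)"', line)
        if m:
            admins[current]["accprofile"] = m.group(1)
        m = re.match(r"set trusthost\d+ (\S+) (\S+)", line)
        if m:
            admins[current]["trusthosts"].append(m.group(1) + "/" + m.group(2))
    return admins


def audit_admins(admins, expected_super_admins=EXPECTED_SUPER_ADMINS):
    """Return (account, finding) pairs worth a human look."""
    findings = []
    for name, info in admins.items():
        if info["accprofile"] == "super_admin" and name not in expected_super_admins:
            findings.append((name, "unexpected_super_admin"))
        if not info["trusthosts"]:
            findings.append((name, "no_trusthost_restriction"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_admins(parse_admins(SAMPLE_CONFIG)):
        print(f"{account:12} {finding}")
```

Run it against backups from before and after the suspected compromise window: an account that appears only in the later backup, with super_admin and no trusthost, is exactly the artefact described in step 11. Removing the account is not sufficient on its own; the device still needs the FortiOS patch and a credential rotation for every remaining admin.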
<div class="wp-block-socprime-category-attack-flow attack-flow-class" data-title="Attack Flow" data-attack-flow="graph TB
%% Class definitions
classDef action fill:#99ccff
classDef tool fill:#ffcc99
classDef malware fill:#ccffcc
classDef c2 fill:#ffccff
%% Step 1 – Active Scanning: Vulnerability Scanning
step1["<b>Action</b> – <b>T1595.002 Active Scanning: Vulnerability Scanning</b><br/>Tool: Nuclei<br/>Description: Mass-scan public services for exploitable CVEs such as FortiOS CVE-2024-55591 and Ivanti CVE-2026-1281."]
class step1 action
tool_nuclei["<b>Tool</b> – <b>Name</b>: Nuclei<br/><b>Description</b>: High-speed vulnerability scanner used for large-scale internet probing."]
class tool_nuclei tool
step1 -->|uses| tool_nuclei
step1 -->|leads_to| step2
%% Step 2 – Gather Victim Network Information: DNS
step2["<b>Action</b> – <b>T1590.002 Gather Victim Network Information: DNS</b><br/>Tools: subfinder, Sudomy, OneForAll<br/>Description: Enumerate subdomains and DNS records for targets such as clearview.ai and jewishagency.org."]
class step2 action
tool_subfinder["<b>Tool</b> – <b>Name</b>: subfinder<br/><b>Description</b>: Fast passive subdomain discovery tool."]
class tool_subfinder tool
step2 -->|uses| tool_subfinder
step2 -->|leads_to| step3
%% Step 3 – Active Scanning: Wordlist Scanning
step3["<b>Action</b> – <b>T1595.003 Active Scanning: Wordlist Scanning</b><br/>Tool: ffuf<br/>Description: Brute-force web directories with a medium-size wordlist to discover hidden resources."]
class step3 action
tool_ffuf["<b>Tool</b> – <b>Name</b>: ffuf<br/><b>Description</b>: Fast web fuzzer for directory and file discovery."]
class tool_ffuf tool
step3 -->|uses| tool_ffuf
step3 -->|leads_to| step4
%% Step 4 – Search Open Technical Databases: Scan Databases
step4["<b>Action</b> – <b>T1596.005 Search Open Technical Databases: Scan Databases</b><br/>Tool: Shodan CLI<br/>Description: Query Shodan for vulnerable Ivanti devices using service signatures and favicon hashes."]
class step4 action
tool_shodan["<b>Tool</b> – <b>Name</b>: Shodan CLI<br/><b>Description</b>: Command-line interface to the Shodan internet-exposure search engine."]
class tool_shodan tool
step4 -->|uses| tool_shodan
step4 -->|leads_to| step5
%% Step 5 – Brute Force: Password Spraying
step5["<b>Action</b> – <b>T1110.003 Brute Force: Password Spraying</b><br/>Tool: Python owa.py script<br/>Description: Spray common passwords against Outlook Web Access and SMTP services of Israeli, Jordanian and UAE organisations."]
class step5 action
tool_owa["<b>Tool</b> – <b>Name</b>: owa.py<br/><b>Description</b>: Python script that performs password-spraying attacks against OWA endpoints."]
class tool_owa tool
step5 -->|uses| tool_owa
step5 -->|leads_to| step6
%% Step 6 – Brute Force: Password Guessing
step6["<b>Action</b> – <b>T1110.001 Brute Force: Password Guessing</b><br/>Tool: Patator<br/>Description: Attempt SMTP logins with credential lists to obtain valid accounts."]
class step6 action
tool_patator["<b>Tool</b> – <b>Name</b>: Patator<br/><b>Description</b>: Multi-protocol brute-forcing tool supporting SMTP, SSH, HTTP, etc."]
class tool_patator tool
step6 -->|uses| tool_patator
step6 -->|leads_to| step7
%% Step 7 – Exploit Public-Facing Application
step7["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Technique: Novel SQL injection flaws in BaSalam and a Postgres development platform.<br/>Description: Exploit crafted SQLi payloads to obtain an initial foothold on web servers."]
class step7 action
step7 -->|leads_to| step8
%% Step 8 – Exploitation of Remote Services
step8["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Tool: Neo-reGeorg ASPX web-shell<br/>Description: Upload the web-shell to the compromised Exchange server for persistence and remote command execution."]
class step8 action
malware_neoregeorg["<b>Malware</b> – <b>Name</b>: Neo-reGeorg ASPX web-shell<br/><b>Description</b>: ASPX web-shell providing remote command execution and tunneling capabilities."]
class malware_neoregeorg malware
step8 -->|uploads| malware_neoregeorg
step8 -->|leads_to| step9
%% Step 9 – Boot or Logon Autostart Execution: Registry Run Keys
step9["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys</b><br/>Malware: Node.js payload VfZUSQi6oerKau.js<br/>Description: Create an HKCU\Software\Microsoft\Windows\CurrentVersion\Run value for persistence."]
class step9 action
malware_nodejs["<b>Malware</b> – <b>Name</b>: VfZUSQi6oerKau.js<br/><b>Description</b>: Obfuscated Node.js payload that writes a Run-key entry for persistence."]
class malware_nodejs malware
step9 -->|creates| malware_nodejs
step9 -->|leads_to| step10
%% Step 10 – Server Software Component: Web Shell
step10["<b>Action</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/>Component: Neo-reGeorg web-shell (nfud.aspx)<br/>Description: Enables remote command execution on the compromised server."]
class step10 action
malware_nfud["<b>Malware</b> – <b>Name</b>: nfud.aspx<br/><b>Description</b>: ASPX web-shell variant used for persistent access."]
class malware_nfud malware
step10 -->|implements| malware_nfud
step10 -->|leads_to| step11
%% Step 11 – Create Account: Local Account
step11["<b>Action</b> – <b>T1136.001 Create Account: Local Account</b><br/>Result: Privileged admin account 'FortiSetup' with the super_admin profile.<br/>Description: Modified FortiGate exploit scripts to add a persistent local admin account."]
class step11 action
step11 -->|leads_to| step12
%% Step 12 – Obfuscated Files or Information
step12["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>Malware: Node.js payloads<br/>Description: Payloads heavily obfuscated and AES-CBC encrypted before being written to disk."]
class step12 action
malware_obf["<b>Malware</b> – <b>Name</b>: Encrypted Node.js payloads<br/><b>Description</b>: AES-CBC encrypted blobs stored on the victim file system."]
class malware_obf malware
step12 -->|produces| malware_obf
step12 -->|leads_to| step13
%% Step 13 – Deobfuscate/Decode Files or Information
step13["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Tool: PowerShell loader reset.ps1<br/>Description: Decrypts the AES-CBC encrypted blobs at runtime."]
class step13 action
tool_psloader["<b>Tool</b> – <b>Name</b>: reset.ps1<br/><b>Description</b>: PowerShell script that decrypts and loads malicious payloads in memory."]
class tool_psloader tool
step13 -->|uses| tool_psloader
step13 -->|leads_to| step14
%% Step 14 – Reflective Code Loading
step14["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Technique: The PowerShell loader loads the decrypted Node.js components reflectively in memory."]
class step14 action
step14 -->|leads_to| step15
%% Step 15 – Application Layer Protocol: Web Protocols
step15["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>C2: PersianC2<br/>Description: HTTP polling of JSON API endpoints to retrieve commands."]
class step15 action
c2_persian["<b>C2</b> – <b>Name</b>: PersianC2<br/><b>Description</b>: HTTP-based command and control using JSON polling."]
class c2_persian c2
step15 -->|communicates_via| c2_persian
step15 -->|leads_to| step16
%% Step 16 – Non-Application Layer Protocol
step16["<b>Action</b> – <b>T1095 Non-Application Layer Protocol</b><br/>C2: KeyC2<br/>Description: Custom binary protocol over UDP port 1269 for beaconing and command execution."]
class step16 action
c2_key["<b>C2</b> – <b>Name</b>: KeyC2<br/><b>Description</b>: UDP-based covert channel using a proprietary binary format."]
class c2_key c2
step16 -->|communicates_via| c2_key
step16 -->|leads_to| step17
%% Step 17 – Web Service: Dead Drop Resolver
step17["<b>Action</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>Technique: Query Ethereum smart contracts to resolve C2 server IP addresses dynamically."]
class step17 action
step17 -->|leads_to| step18
%% Step 18 – Web Service: Bidirectional Communication
step18["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>C2: ArenaC2 (FastAPI/uvicorn)<br/>Description: HTTP POST interface encrypting traffic with AES-256-CBC."]
class step18 action
c2_arena["<b>C2</b> – <b>Name</b>: ArenaC2<br/><b>Description</b>: FastAPI server providing an encrypted bidirectional C2 channel."]
class c2_arena c2
step18 -->|uses| c2_arena
step18 -->|leads_to| step19
%% Step 19 – Web Service: One-Way Communication
step19["<b>Action</b> – <b>T1102.003 Web Service: One-Way Communication</b><br/>Component: Minimal Flask server (web.py) on port 10443 accepting file uploads for exfiltration."]
class step19 action
malware_flask["<b>Malware</b> – <b>Name</b>: web.py<br/><b>Description</b>: Simple Flask app acting as a dead-drop for stolen data."]
class malware_flask malware
step19 -->|implements| malware_flask
step19 -->|leads_to| step20
%% Step 20 – Protocol Tunneling
step20["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Tools: Neo-reGeorg web-shell tunnel plus the resocks and revsocks reverse SOCKS listeners, used to tunnel into internal networks."]
class step20 action
step20 -->|leads_to| step21
%% Step 21 – Proxy: External Proxy
step21["<b>Action</b> – <b>T1090.002 Proxy: External Proxy</b><br/>Listeners: resocks and revsocks creating external SOCKS proxies for lateral movement."]
class step21 action
step21 -->|leads_to| step22
%% Step 22 – Encrypted Channel: Symmetric Cryptography
step22["<b>Action</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/>Technique: ArenaC2 encrypts all C2 traffic with AES-256-CBC using a hard-coded key."]
class step22 action
step22 -->|leads_to| step23
%% Step 23 – Dynamic Resolution
step23["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Method: Smart-contract calls (getString) on Ethereum return the active C2 IP list (e.g., 185.236.25.119)."]
class step23 action
step23 -->|leads_to| step24
%% Step 24 – Exfiltration to Cloud Storage
step24["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage</b><br/>Tool: rclone<br/>Destination: Wasabi S3, put.io<br/>Description: Upload stolen files to cloud storage accounts."]
class step24 action
tool_rclone["<b>Tool</b> – <b>Name</b>: rclone<br/><b>Description</b>: Command-line program for syncing files to cloud storage services."]
class tool_rclone tool
step24 -->|uses| tool_rclone
step24 -->|leads_to| step25
%% Step 25 – Exfiltration Over C2 Channel
step25["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Capability: KeyC2 and PersianC2 support file download commands to retrieve data from victims."]
class step25 action
step25 -->|leads_to| step26
%% Step 26 – Exfiltration Over Alternative Protocol
step26["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b>
Attack Flow