From b36300e151dc763b5546556cf1d16cf4c768a6be Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Fri, 3 Jul 2020 16:50:27 +0200 Subject: [PATCH] Create Analysis.md --- Iran/APT/Muddywater/2020-07-02/Analysis.md | 198 +++++++++++++++++++++ 1 file changed, 198 insertions(+) create mode 100644 Iran/APT/Muddywater/2020-07-02/Analysis.md diff --git a/Iran/APT/Muddywater/2020-07-02/Analysis.md b/Iran/APT/Muddywater/2020-07-02/Analysis.md new file mode 100644 index 0000000..977accd --- /dev/null +++ b/Iran/APT/Muddywater/2020-07-02/Analysis.md @@ -0,0 +1,198 @@ +## Peace comeback, maldocs comeback +## Table of Contents +* [Malware analysis](#Malware-analysis) +* [Cyber kill chain](#Cyber-kill-chain) +* [Indicators Of Compromise (IOC)](#IOC) +* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) +* [Yara rules](#Yara) +* [Links](#Links) + + [Original Tweet](#tweet) + + [Link Anyrun](#Links-Anyrun) + + [References](#References) + +

Malware analysis

+
The initial vector of the infection is an NSIS executable, this content the pdf (lure) and the dll (MoriAgent).This initialize the OLE object used for the extraction and execution of the dropped object, this defines the current directory on the Temp directory.
+ +
+ +
Once initialized, the OLE initializes the process of extracting and executing the two objects in the archive.This uses the switch structure of the NSIS executable for execute the commands, once the files extracted on the Temp directory.
+ +
+ +
+ +
+ +
By classifying the samples by their creation dates, we can note the following remarks: +
+ +
The first samples found in January 2020, this creates an old file extension for the mutex, once this allocates, this performs the reconnaissance actions (Disks, OS architecture, OS version...).
+ +
+ +
+ +
+ +
Once this done, this request the URL of the C2 to contact for getting the instructions to execute on the computer.
+ +
+ +
This variant (May 2020) use another way for getting the URL to contact the C2. Instead of using an algorithm to decrypt the URL, this parse from a string, the token, URL of the C2 and the reference for the operations. Unlike the previous version, the implant checks the response of the C2 getting the code to execute.
+ +
+ +
Like noted by d2hvYW1p, this loads a dll by reflective method. The dll is PowershellRunner and allows to execute Powershell script without need to call Powershell. In the past have been used by Turla group (2019) and pushed on Empire project.
+
+ +
+ +
+ +
As an argument, this pushes a Powershell script for performing the authentication and get the code. The script has the same reference with Powerstats used by Muddywater (here with the POST request in 2018 but match with GET request used for getting the content with the Dropbox API in 2019).
+ +
+ +
+ +
+ +
This redirects and executes in memory the content of the code show on the console. Unfortunately, none of the C2 has given the content of the code to be executed. The implant doesn't check the content and the return of the C2, if the code isn't available the application will crash.
+ +
The list of the tokens and URL used can found here
+ +
Some agents have useless strings for generating high entropy and make harder the analysis. On the both case, this opens the dropped pdf file.
+ +
+ +

Victimology ?

+

Republic of Turkey

+
The Republic of Turkey has been targeted by several lures in connection with COVID-19 news on people tracing via mobile applications with an article and a fake report from the Ministry of Foreign Affairs. Turkey and Iran have long been regional rivals, but relations between two countries have deteriorated in recent years. Iran, Turkey and Russia began the Astana process in 2017 to support efforts to resolve the conflict in Syria, despite the fact that Iran and Russia support the government of Bashar Assad while Turkey supports the Syrian rebels. The current situation with the Turkish offensive and the events with Russia have considerably worsened the situation with the both countries.
+ +
+ +
+ +
+ +
Link to the original article : here
+

Kingdom of Saudi Arabia

+
This document focus on Second conference of Institutes of Public Administration and administrative development in the states members of the Gulf Cooperation Council was held in Riyadh (2012). The Qatari Ministry of Administrative Development conveyed invitations to the Public Administration and administrative development Institutes in the GCC member states to take part in the said conference and submit their working papers. Other invitations were also addressed to the governmental organs to attend. This possible, that the document used that it and is reused for this campaign.
+ +
+ +
+ +
+ +

UNRWA

+
Several reasons can be attributed to the fact that the organization is targeted, the first is the state of the finances of the organization which has been in deficits since 2018, the American aid towards the UNRWA was cut by Trump recently despite the fact that the united states had however given a help to COVID to this same organization. The administration of the United States having decided to punish the Palestinians following the declaration by Palestinian President Mahmoud Abbas that the US will no longer be a mediator in the peace process due to its in 2017 that Jerusalem as been recognition the capital of Israel.
+
+
The other reason would also be the recent officialization of a donation made by the Qatar to the organization and that knowing the current tensions between the two countries, the choice to target this organization would impose itself and more of the problems between the religious currents of Islam in these countries.
+ +
+
+

USA

+
The Trump Administration has imposed sanctions against Iran that target the Middle East’s maritime network on allegations of support for Tehran’s proliferation of weapons of mass destruction. It's the response to the various events between the USA, Saudi Arabia and Iran on the skirmishes with the US maritime units, the detention of the cargo ships and the attack on the attack on the refineries of Saudi Arabia.
+
+
+
Link to the original article : here
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name of lureTopicVictim ?
Jawaejifahi.pdfUnited Nations Relief and Works Agency for Palestine Refugees in the Near EastUNRWA Palestine
Jejytylavi.pdfSecond conference of Institutes of Public Administration and administrative development in the states members of the Gulf Cooperation Council (reuse an 2012 pdf ?)Kingdom of Saudi Arabia
Jyhynyjegu.pdfMINISTRY OF FOREIGN INFORMATION PROCESSING GENERAL MANAGER ASSISTANT 07.04.2020Republic of Turkey - Ministry of Foreign Affairs
Kopexaekaeru.pdfUnknownUnknown
Kytuqasylu.pdfCorona Virus and Cyber DefenseRepublic of Turkey
Lodolutaelae.pdfU.S. sanctions imposed against Iranian shipping go into effectUSA
+
+ +
Looking at the metadata, we can notice the use of several different operating systems, which could presage that the group would have a dedicated cell for finding events and opportunities for their operations. Another example may be noticed is the fact that the decoy documents are dispersed in time and not grouped for a specific date.
+
A list of metadata can be available here.
+ + +

Cyber kill chain

+
This process graph represent the cyber kill chain used by the attacker.
+ +
+ +

Indicators Of Compromise (IOC)

+
The IOC can be exported in JSON and CSV
+ +

References MITRE ATT&CK Matrix

+ +
+ +|Enterprise tactics|Technics used|Ref URL| +| :---------------: |:-------------| :------------- | +|Execution|Scheduled Task
Execution through API|https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1106| +|Persistence|Scheduled Task
Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1060| +|Privilege Escalation|Scheduled Task|https://attack.mitre.org/techniques/T1053| +|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012| + +
+ +
This can be exported as JSON format Export in JSON
+

Yara rules

+
The Yara rules are available here +

Links

+
Original tweet:
+ + +
Links Anyrun:
+ + +
References:
+ +
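Review bot: the "References MITRE ATT&CK Matrix" table lists techniques the analysis text never supports: `|Execution|Scheduled Task ... Execution through API|`, `|Persistence|Scheduled Task ... Registry Run Keys / Startup Folder|` and `|Discovery|Query Registry|`, yet the malware-analysis section describes only the NSIS dropper extracting to Temp, the MoriAgent DLL's reconnaissance (disks, OS architecture, OS version), decrypting or parsing the C2 URL, reflectively loading PowershellRunner, and opening the lure PDF; no scheduled task, Run key or registry query appears anywhere in the narrative or in the kill-chain section. Either add to the malware-analysis text where each of T1053, T1060 and T1012 was observed (the persistence mechanism in particular is absent from the write-up), or trim the table to what the text supports, e.g. keep Execution through API (T1106) for the reflective DLL load and replace the Discovery row with System Information Discovery (T1082) for the disk/OS reconnaissance. Two smaller points: the May 2020 variant paragraph says "Unlike the previous version, the implant checks the response of the C2 getting the code to execute", while the later paragraph says "The implant doesn't check the content and the return of the C2, if the code isn't available the application will crash"; these read as contradictory, so state which check the May sample performs (status, token, content) and which it omits. The column header "Technics used" should read "Techniques used", and the sentence "This possible, that the document used that it and is reused for this campaign" in the Kingdom of Saudi Arabia section is garbled and should be reworded to say, if that is the intent, that the 2012 conference document was likely reused as a lure for this campaign.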