
Background

In early May of this year, hackers claimed in a Telegram channel (GreenLeakers) that they possessed attack evidence and information about the MuddyWater APT group, which they offered for sale.

MuddyWater is widely regarded as a long-lived APT group in the Middle East. From February to April 2019, it launched a series of spear-phishing attacks against governments, educational institutions, financial, telecommunications and defense companies in Turkey, Iran, Afghanistan, Iraq, Tajikistan and Azerbaijan.

Image of the web control server:

The material also included the group's own intrusion tool, which the banner identifies as muddyc3, version 1.0.0.

Yesterday (June 24), another Telegram channel leaked the muddyc3 source code and put it up for auction.

Later on, security researchers also posted the related malicious samples and decompiled source code of the same version on GitHub: https://github.com/0xffff0800/muddyc3.

Analysis

After obtaining the leaked material, we found two samples named muddyc3.exe.

Decompile

One of the samples, version 1.0.1, was built with PyInstaller in an x64 environment.

We extracted the .pyc files, repaired the magic number in their headers, and decompiled them with Easy Python Decompiler and uncompyle6. The build environment was Python 2.7; after removing the library modules, the decompiled files are as follows:
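As an added illustration of the header-repair step (example code written for this page, not part of the original analysis or of the muddyc3 project): PyInstaller stores the bundled scripts as bare marshalled code objects, so before uncompyle6 can read them the 8-byte Python 2 header (magic number plus source mtime) has to be prepended. The magic value and marshal type codes below are standard CPython constants; the input bytes are constructed.

```python
import struct
import sys

# Python 2.7 pyc magic number (62211) as stored on disk: little-endian 16-bit value + CR LF.
# A Python 2.x pyc file is: 4-byte magic, 4-byte source mtime, then a marshalled code object.
PY27_MAGIC = b"\x03\xf3\x0d\x0a"
HEADER_LEN = 8

# marshal type codes that begin a code object: 'c', or 'c' | FLAG_REF (0xe3) on Python 3.4+
CODE_TYPE_CODES = (b"c", b"\xe3")


def has_pyc_header(data: bytes) -> bool:
    """True if data already starts with a plausible 2.x header followed by a code object."""
    return (len(data) > HEADER_LEN
            and data[2:4] == b"\x0d\x0a"
            and data[HEADER_LEN:HEADER_LEN + 1] in CODE_TYPE_CODES)


def fix_pyc_header(data: bytes, magic: bytes = PY27_MAGIC, mtime: int = 0) -> bytes:
    """Return a pyc image with a valid header so a decompiler will accept it.

    Bare marshalled code (as extracted from a PyInstaller archive) gets the 8-byte
    header prepended; data that already carries a header is returned unchanged.
    """
    if has_pyc_header(data):
        return data
    if data[:1] not in CODE_TYPE_CODES:
        raise ValueError("data does not start with a marshalled code object")
    return magic + struct.pack("<I", mtime & 0xFFFFFFFF) + data


def repair_file(src_path: str, dst_path: str) -> int:
    """Rewrite src_path as a loadable pyc at dst_path; returns the output length."""
    with open(src_path, "rb") as fh:
        fixed = fix_pyc_header(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(fixed)
    return len(fixed)


if __name__ == "__main__":
    # usage: python fix_pyc.py <extracted_blob> <out.pyc>
    print(repair_file(sys.argv[1], sys.argv[2]), "bytes written")
```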

Code Analysis

Versions 1.0.0 and 1.0.1 differ only slightly at the code level. The following screenshot shows the console interface:

The operator must first specify the C&C server IP and port, plus a proxy IP if one is needed.

It supports four commands: list, show, use and payload. However, the show command has no corresponding processing logic in the code.

It also lists several example implementations of the initial-stage payload. The initial script can be embedded in a document as a macro; when the target triggers it, it contacts the C2 at the specified URL path.

The core of the tool is a server-side script, web.py, which handles client requests and returns responses. The URL paths differ somewhat between v1.0.0 and v1.0.1.

V1.0.0

V1.0.1

It supports delivering next-stage payloads (sct, hta and PowerShell), file upload and download, information collection, and a set of supported modules.

Since the packaged program does not include the default PowerShell payload code, we cannot tell what the next stage would deliver.

Here we try to access the root path:

As well as the /hta path:

It performs simple character substitution and base64 encoding:

Conclusion

Judging by the completeness of the decompiled control program, it should be an earlier version used by MuddyWater, one that could have served as a prototype for a post-exploitation framework.

The RedDrip team of the QiAnXin Threat Intelligence Center will continue paying attention to the progress of relevant events.

IOC

daa7d4c40ffaa6cf4e4708747d3a9b37

146cc97df36cb4cea39074652d069519

