{ "name": "Unmasking MuddyWater's Multiple RMM Software Attacks", "slug": "unmasking-muddywaters-multiple-rmm-software-attacks", "description": "MuddyWater, a threat group active since 2017, has been utilizing various Remote Monitoring and Management (RMM) software for attacks, particularly in the Middle East. Their tactics include spear-phishing emails with malicious attachments or links, leading to the installation of RMM tools like Atera Agent, ScreenConnect, Remote Utilities, N-Able, Syncro, and SimpleHelp. These legitimate tools are exploited to gain remote access and control over victim systems. The group's attacks are characterized by Arabic-language lures, use of file-sharing services, and a consistent deployment process. MuddyWater's activities primarily target government, military, and energy sectors, demonstrating sophisticated evasion techniques and a large arsenal of attack tools.", "published": "2024-09-24T11:20:49+00:00", "created_at": "2024-09-24T11:20:49+00:00", "modified_at": "2024-09-24T12:10:12+00:00", "created_at_opencti": "2024-09-24T11:20:49+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-09-24", "darkbeatc2", "muddyc2go", "phonyc2", "powermud" ], "related_entities": { "observables": [ { "id": "", "name": "146.70.149.61" }, { "id": "", "name": "193.109.120.59" }, { "id": "", "name": "51.255.19.178" }, { "id": "", "name": "51.254.25.36" }, { "id": "", "name": "178.32.30.3" }, { "id": "", "name": "f664670044dbd967ff9a5d8d8f345be294053e0bae80886cc275f105d8e7a376" }, { "id": "", "name": "f865531608a4150ea5d77ef3dd148209881fc8d831b2cfb8ca95ceb5868e1393" }, { "id": "", "name": "f511bdd471096fc81dc8dad6806624a73837710f99b76b69c6501cb90e37c311" }, { "id": "", "name": "dedc593acc72c352feef4cc2b051001bfe22a79a3a7852f0daf95e2d10e58b84" }, { "id": "", "name": "d65d80ab0ccdc7ff0a72e71104de2b4c289c02348816dce9996ba3e2a4c1dd62" }, { "id": "", "name": "d550f0f9c4554e63b6e6d0a95a20a16abe44fa6f0de62b6615b5fdcdb82fe8e1" }, { "id": "", "name": "b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf" }, { "id": "", "name": "9b345d2d9f52cda989a0780acadf45350b423957fb7b7668b9193afca3e0cd27" }, { "id": "", "name": "8bee2012e1f79d882ae635a82b65f88eaf053498a6b268c594b0d7d601b1212f" }, { "id": "", "name": "887c09e24923258e2e2c28f369fba3e44e52ce8a603fa3aee8c3fb0f1ca660e1" }, { "id": "", "name": "7e7292b5029882602fe31f15e25b5c59e01277abaab86b29843ded4aa0dcbdd1" }, { "id": "", "name": "77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1" }, { "id": "", "name": "70cab18770795ea23e15851fa49be03314dc081fc44cdf76e8f0c9b889515c1b" }, { "id": "", "name": "5e2642f33115c3505bb1d83b137e7f2b18e141930975636e6230cdd4292990dd" }, { "id": "", "name": "5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b" }, { "id": "", "name": "4f839eac8204930ecc21a35476069daabbd40c14ef5af4db0e66de9b6a2e62fb" }, { "id": "", "name": "3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b" }, { "id": "", "name": "31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535" }, { "id": "", "name": "39da7cc7c627ea4c46f75bcec79e5669236e6b43657dcad099e1b9214527670e" }, { "id": "", "name": "f17f6866f4748e6e762752062acdf983d3b083371db83503686b91512b9bcae3" }, { "id": "", "name": "ec553e14b84ccca9b84e96a9ed19188a1ba5f4bf1ca278ab88f928f0b00b9bd0" }, { "id": "", "name": "cc8be1d525853403f6cfabcf0fc3bd0ca398ece559388102a7fc55e9f3aa9b33" }, { "id": "", "name": "bab601635aafeae5fbfe1c1f7204de17b189b345efd91c46001f6d83efbb3c5a" }, { "id": "", "name": "7e6a5e32596b99f45ea9099a14507a82c10a460c56585499d7cd640f2625567f" }, { "id": "", "name": "85103955e35a1355ce68a92eaedd8f9376de1927d95bf12657b348dea6a8077b" }, { "id": "", "name": "4b41b605ffc0e31bd9d460d5a296ac6e8cfd56a215dc131e90ec2654f0ffe31b" }, { "id": "", "name": "165a80f6856487b3b4f41225ac60eed99c3d603f5a35febab8235757a273d1fd" }, { "id": "", "name": "2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b" }, { "id": "", "name": "09e09503962a2a8022859e72b86ad8c69dcbf79839b71897c0bf8a4c4b9f4dd6" }, { "id": "", "name": "ffbe988fd797cbb9a1eedb705cf00ebc8277cdbd9a21b6efb40a8bc22c7a43f0" }, { "id": "", "name": "ff2ae62ba88e7068fa142bbe67d7b9398e8ae737a43cf36ace1fcf809776c909" }, { "id": "", "name": "fb02e97d52a00fca1580ca71ed152dd28dd5ae28ab0a9c8e7b32cebd7f1998a1" }, { "id": "", "name": "dd2675e2f6835f8a8a0e65e9dbc763ca9229b55af7d212da38b949051ae296a5" }, { "id": "", "name": "c6128f222f844e699760e32695d405bd5931635ec38ae50eddc17a0976ccefb4" }, { "id": "", "name": "2ae6c5c2b71361f71ded4ad90bbf6ef0b0f4778caf54078c928e2017302fbe69" }, { "id": "", "name": "638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2" }, { "id": "", "name": "14c270cf53a50867e42120250abca863675d37abf39d60689e58288a9e870144" }, { "id": "", "name": "a6b1de8184a7e560cea461b0e05d4136d0068b35c12c0889c4036d177e331a83" }, { "id": "", "name": "9a785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfb" }, { "id": "", "name": "9a33655007a4fddf9c434d84fafe205479aaa3f5eaf7425e14beb83e46fa7041" }, { "id": "", "name": "65667d0b1710636d4b2030a25f64d0f960d75ebfc3f5ad92f03f78293b47ed75" }, { "id": "", "name": "28fadc26a2bee907fbdbf1aaebac6c7e6f8aa95e8c312cd659d19b82d1dfa70e" }, { "id": "", "name": "0187db1c61f146d49f74fb7db1dccec1e42ad7d431bffbfcaeec910af1a4bc68" }, { "id": "", "name": "3f9db7bf1c9d897d46f669854e7ecc945778024f04cac9cd1585140d0d73a34f" } ], "malware": [ { "id": "legacy:malware:21442353b78075ff", "name": "Powermud", "slug": "powermud" }, { "id": "legacy:malware:5b5aed9c6c9f9787", "name": "PhonyC2", "slug": "phonyc2" }, { "id": "952f8044-de60-4e4c-be74-d91b9cf784b0", "name": "DarkBeatC2", "slug": "darkbeatc2" }, { "id": "legacy:malware:ebaf9724afadb49c", "name": "MuddyC2Go", "slug": "muddyc2go" } ], "intrusion_sets": [ { "id": "98b7af71-8465-4bc4-9526-3bd1a8ac5f59", "name": "MuddyWater", "slug": "muddywater" } ], "attack_patterns": [ { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "fc699aef-8931-4a79-8f79-9651be9abd50", "name": "T1021" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "a7262c61-4567-4a00-8cec-aae6264234a9", "name": "T1218" }, { "id": "60972cf6-e90b-4600-af3c-13c468391d9c", "name": "T1106" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "33962583-7396-47ef-913d-1db78d6685c9", "name": "T1569" }, { "id": "c12e0e03-aab0-4646-a929-e921a3d27f02", "name": "T1219" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb", "name": "T1132" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d", "name": "T1053" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ], "others": [ { "id": "", "name": "United States of America" }, { "id": "", "name": "Energy" }, { "id": "", "name": "Defense" }, { "id": "", "name": "Telecommunications" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247500427&idx=1&sn=29a99b3ae418762fdd184f8b82c20d79&chksm=f9c1f182ceb678943a0d6cca3a94f0e7860aca6046e8b7a385ad9c266c7630de225b4bd7dd10&scene=178&cur_album_id=1955835290309230595", "https://otx.alienvault.com/pulse/66f2bcb104d56da56023cb58" ] }