MuddyWater’s new toolkit hits Israel and Egypt

December 2, 2025 at 12:00 AM

Overview
ESET Research uncovered a refined MuddyWater campaign primarily against Israeli organizations, with one confirmed target in Egypt. The Iran‑aligned APT (also known as Mango Sandstorm/TA450) leaned on custom malware, predictable delivery methods, and a polished operational playbook to pursue government and critical infrastructure targets.

Why it matters

  • Marked technical uplift: adoption of Microsoft’s CNG cryptographic API, reflective in‑memory loading, and game-inspired evasion
  • New custom tools: Fooder loader and MuddyViper backdoor, plus updated credential and browser-data stealers
  • Continued reliability of a predictable playbook (spearphishing + RMM tools), which defenders can monitor and block

Timeline and victimology

  • Activity window: September 30, 2024 to March 18, 2025
  • Geography: Israel (majority of victims), Egypt (single confirmed victim)
  • Verticals touched: engineering, local government, manufacturing, technology, transportation, utilities, and universities
  • Notable overlap: a utilities victim was also compromised by Lyceum (OilRig subgroup) in February 2025

Tradecraft shifts at a glance

  • CNG API used for encryption/decryption across multiple tools, unusual among Iran‑aligned groups
  • Fooder loader reflectively loads payloads and delays execution via Snake‑like loops and Sleep calls to hinder automated analysis
  • Operators avoided noisy, interactive post‑exploitation, favoring scripted, repeatable workflows

Initial access and delivery

  • Spearphishing emails with links to remote monitoring and management (RMM) installers hosted on free file‑sharing platforms (e.g., OneHub, Egnyte, Mega)
  • RMM tools abused: Atera, Level, PDQ, SimpleHelp
  • Additional impersonation via VAX‑One (posing as Veeam, AnyDesk, Xerox, or OneDrive updater) in some activity

New toolset and capabilities

  1. Fooder loader
  • Role: 64‑bit C/C++ loader that decrypts and reflectively loads embedded payloads
  • Camouflage: several builds masquerade as the classic Snake game; internal logic includes a Snake‑style delay loop plus frequent Sleep calls
  • Payloads seen: MuddyViper backdoor, go‑socks5 reverse tunnels, and HackBrowserData
  • Persistence: handled by payloads (e.g., MuddyViper), not by Fooder itself
  2. MuddyViper backdoor
  • Language: C/C++
  • Core features: system info collection; reverse shells (cmd and PowerShell); file upload/download/execute; browser data theft via embedded HackBrowserData; verbose telemetry to C2
  • Credential theft: fake Windows Security prompt to harvest and exfiltrate credentials
  • Persistence: Startup folder manipulation or a scheduled task named ManageOnDriveUpdater
  • Communication: HTTPS (port 443) with AES‑CBC encryption via CNG; unconventional use of HTTP GET with data in the request body; observed C2s include processplanet[.]org and 35.175.224[.]64
  3. CE‑Notes (browser-data stealer)
  • Focus: Chromium browsers (Chrome, Edge, Brave); attempts to bypass app‑bound encryption introduced in Chrome 127
  • Storage: encrypts and stages stolen data to ce‑notes.txt for later retrieval (typically via RMM or another component)
  4. LP‑Notes (credential stealer)
  • Tactic: loops a Windows‑style credential prompt; validates credentials via Windows APIs; encrypts and stages them to lp‑notes.txt for later pickup
  5. Blub (browser-data stealer)
  • Coverage: Chrome, Edge, Opera, Firefox; uses a statically linked SQLite library
  • Behavior: can close Chrome processes to access data; logs and stores data locally without built‑in exfiltration; includes simple obfuscation and security‑product checks
  6. go‑socks5 reverse tunnels
  • Purpose: Go‑based reverse proxy family (often internally identified as “ESETGO”) to relay traffic through victim hosts and hide true C2 locations
  • Libraries: go‑socks5, yamux, and others

Operational overlap with Lyceum (OilRig subgroup)

  • Period: January–February 2025
  • Flow: MuddyWater phishing led to Syncro RMM installation, followed by PDQ and a custom Mimikatz loader. Harvested credentials were likely leveraged by Lyceum to assume control inside an Israeli manufacturing organization.
  • Assessment: MuddyWater likely acted as an initial access broker for a partner Iran‑aligned group.

Detectable patterns and TTPs to watch

  • Delivery: spearphishing links to RMM installers hosted on free file‑sharing services
  • Communications: HTTPS over 443 with AES‑CBC; HTTP GET requests carrying data in the body; default User‑Agent reminiscent of WinHTTP sample code
  • Persistence: Startup folder changes and a scheduled task named ManageOnDriveUpdater
  • Artifacts: staged files named ce‑notes.txt and lp‑notes.txt; verbose backdoor status messages; reverse tunnels labeled like ESETGO in build strings

Defender takeaways

  • Harden against RMM abuse: restrict or baseline RMM tools and alert on unsanctioned installs
  • Monitor proxy/C2 anomalies: HTTP GET requests that carry a body, the default WinHTTP sample-code User‑Agent, and regular short‑interval beacons to the same destination
  • Hunt for persistence: look for ManageOnDriveUpdater and suspicious Startup folder changes
  • Watch for staged loot: ce‑notes.txt, lp‑notes.txt, and unexplained browser data archives
  • Inspect for reverse tunnels: unfamiliar Go binaries communicating over TLS with authentication keys
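The network and host indicators in the two lists above can be turned into a small hunting routine. The following is an added example, not ESET's code or anything from the report: it scores constructed proxy-log records (the log layout, sample values and thresholds are assumptions; the User‑Agent string is the one from Microsoft's WinHTTP sample code, assumed here to be the "default" the summary refers to) for the MuddyViper traits listed, groups regular short-interval check-ins per source/destination pair, and checks scheduled-task names and file paths for the persistence and loot artifacts named above. It assumes a TLS-inspecting proxy or host-side HTTP telemetry that exposes method, URL and request-body size.

```python
"""Added hunting example for the MuddyWater/MuddyViper patterns listed above.
Not ESET's code: the log format, sample records and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone
import re
from urllib.parse import urlsplit

# Indicators quoted from the summary.
C2_INDICATORS = {"processplanet.org", "35.175.224.64"}
PERSISTENCE_TASK = "ManageOnDriveUpdater"
LOOT_FILES = {"ce-notes.txt", "lp-notes.txt"}
# Assumption: the user agent hard-coded in Microsoft's WinHTTP sample code.
WINHTTP_SAMPLE_UA = "A WinHTTP Example Program/1.0"

# Constructed records (not real telemetry). Assumed layout:
#   <utc timestamp> <src ip> <method> <url> <dst port> <request body bytes> "<user agent>"
SAMPLE_PROXY_LOG = """\
2025-02-10T09:00:00Z 10.0.0.5 GET https://processplanet.org/ 443 812 "A WinHTTP Example Program/1.0"
2025-02-10T09:00:31Z 10.0.0.5 GET https://processplanet.org/ 443 790 "A WinHTTP Example Program/1.0"
2025-02-10T09:01:02Z 10.0.0.5 GET https://processplanet.org/ 443 805 "A WinHTTP Example Program/1.0"
2025-02-10T09:01:33Z 10.0.0.5 GET https://processplanet.org/ 443 799 "A WinHTTP Example Program/1.0"
2025-02-10T09:00:10Z 10.0.0.9 GET https://cdn-sync.example.net/api 443 512 "Mozilla/5.0"
2025-02-10T09:00:52Z 10.0.0.9 GET https://cdn-sync.example.net/api 443 498 "Mozilla/5.0"
2025-02-10T09:01:40Z 10.0.0.9 GET https://cdn-sync.example.net/api 443 503 "Mozilla/5.0"
2025-02-10T09:00:05Z 10.0.0.7 GET https://update.example.com/feed 443 0 "Mozilla/5.0"
2025-02-10T09:03:00Z 10.0.0.7 POST https://mail.example.com/api 443 2048 "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<port>\d+) '
    r'(?P<req_bytes>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one record of the assumed log layout; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def score_record(rec):
    """Per-request traits from the summary: known C2, GET with a body, WinHTTP sample UA."""
    reasons = []
    if rec["host"] in C2_INDICATORS:
        reasons.append("known MuddyViper C2 indicator")
    if rec["method"] == "GET" and rec["req_bytes"] > 0:
        reasons.append("GET request carrying a body")
    if rec["ua"] == WINHTTP_SAMPLE_UA:
        reasons.append("WinHTTP sample-code user agent")
    return reasons


def find_beacons(records, min_hits=3, max_interval=120, max_jitter=0.25):
    """Flag (src, host) pairs with at least min_hits requests at a regular short interval."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["host"])].append(r["ts"])
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med <= 0 or med > max_interval:
            continue
        jitter = max(abs(g - med) for g in gaps) / med  # relative deviation from the median gap
        if jitter <= max_jitter:
            beacons[key] = {"count": len(times), "median_interval_s": med, "jitter": jitter}
    return beacons


def hunt_proxy_log(text):
    """Return {(src, host): sorted reasons} for every pair that tripped at least one heuristic."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    flagged = {}
    for r in records:
        reasons = score_record(r)
        if reasons:
            flagged.setdefault((r["src"], r["host"]), set()).update(reasons)
    for key, info in find_beacons(records).items():
        flagged.setdefault(key, set()).add(f"regular beacon every ~{info['median_interval_s']:.0f}s")
    return {k: sorted(v) for k, v in flagged.items()}


def hunt_host_artifacts(task_names, file_paths):
    """Match the named scheduled task, staged loot files and Startup-folder entries."""
    hits = []
    for t in task_names:
        if t == PERSISTENCE_TASK:
            hits.append(f"scheduled task {t}")
    for p in file_paths:
        norm = p.replace("\\", "/").lower()
        if norm.rsplit("/", 1)[-1] in LOOT_FILES:
            hits.append(f"staged loot file {p}")
        if "/start menu/programs/startup/" in norm:
            hits.append(f"Startup folder entry {p}")
    return hits


if __name__ == "__main__":
    for pair, reasons in hunt_proxy_log(SAMPLE_PROXY_LOG).items():
        print(pair, reasons)
```

The second source in the constructed log (10.0.0.9) reaches infrastructure that is on no indicator list, yet it is still flagged by the behavioural rules (GET with a body, ~45 s beacon), which is the point of pairing the static indicators with the traffic-shape checks: the domains and IP above rotate, the WinHTTP/GET-with-body habit is cheaper for defenders to keep watching. Tune the interval and jitter thresholds against your own baseline before alerting on the beacon rule alone, since legitimate pollers also check in on a fixed schedule.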

MITRE ATT&CK highlights

  • Initial Access: T1566.002 (Spearphishing Link)
  • Execution: T1059.001/003 (PowerShell, Windows Command Shell), T1106 (Native API)
  • Persistence: T1547.001 (Registry Run Keys / Startup Folder), T1053.005 (Scheduled Task)
  • Defense Evasion: T1620 (Reflective Code Loading), T1497.003 (Time‑based Evasion), T1036 (Masquerading)
  • Credential Access: T1056.002 (GUI Input Capture), T1555.003 (Credentials from Web Browsers)
  • Command and Control: T1071.001 (Web Protocols), T1573.001 (Encrypted Channel: Symmetric Cryptography), T1090 (Proxy)

Bottom line
MuddyWater’s latest wave blends new custom components (Fooder, MuddyViper) with familiar, reliable delivery and control patterns. The result is quieter, more persistent operations aimed squarely at government and critical infrastructure, with signs of coordination across Iran‑aligned groups.

Source: WeLiveSecurity
