All right, thank you so much for the introduction. I hope everyone can hear me. So let's talk about APTs today. We're gonna specifically talk about MuddyWater, that is an Iranian APT. I'm just gonna take a moment to share my screen so that you guys can see my presentation. All right, hopefully everyone can see my presentation now.

Good afternoon, everyone. My name is Asheer Malhotra. Today I'm going to be presenting about the MuddyWater APT. My talk is titled "MuddyWater: from canaries to turkeys." Before we begin, for those of you that don't know me, I'm Asheer. I'm a threat researcher at Cisco Talos. I specialize in malware analysis, threat intelligence and different kinds of malware detection techniques. More recently my focus has been on disclosing APT operations, specifically in the Asian continent. Right now I'm located out of the United States; I'm presenting to you from Washington, DC.

Now, this research was done in collaboration with Vitor. Vitor is also a cybersecurity researcher at Cisco Talos. He's actually the research lead for my team for Europe and Asia. Vitor was supposed to originally present this research, but unfortunately he couldn't present today, which is why you all are stuck with me today. So yeah, Vitor loves mobile malware and loves to reverse engineer different kinds of malware samples. He's an avid APT hunter, and Vitor is located out of Portugal right now.

All right, let's talk about the agenda. So today we're gonna talk about four key sections. We're gonna introduce the MuddyWater APT group. We're gonna take a look at about five campaigns that have been conducted by MuddyWater in the past year or so. Then we're gonna talk about a very novel technique that this APT has started using recently, namely infection tracking. They basically use a methodology or a specific technique to track successful infections across the set of victims, and we're specifically going to talk about homemade tokens and canary tokens. And then I'm gonna take a couple of slides and go through the conclusions, and hopefully by the end of the presentation you will know as much about MuddyWater as I do. So fingers crossed.

All right, let's talk about MuddyWater. So what is MuddyWater? MuddyWater is an Iranian APT group. It's also known as MERCURY or Static Kitten. Very recently, I think at the beginning of this year, it was attributed to Iran's Ministry of Intelligence and Security, the MOIS division, by the United States Cyber Command. MuddyWater primarily tends to target entities, you know, usually government entities, in North America, Europe and Asia, and the focus of their operations is primarily espionage and intellectual property theft, and the intention to establish and maintain long-term access into their targets' networks. We've seen some sporadic instances of MuddyWater carrying out ransomware attacks as well, but that's a whole different topic of discussion and we're gonna be covering that today. Now, we believe that MuddyWater is a supergroup. This is basically an umbrella organization or a conglomerate of groups that consists of smaller groups that focus on individual geographies all throughout the world.

That being said, let's take a look at all the different campaigns that have been conducted by MuddyWater over the past year or so. So now, the intention of this presentation initially was to talk about three key campaigns and show similarities between them. The first campaign that we wanted to talk about was one that started in April and was carried out through August of 2021. This campaign specifically targeted entities in Armenia and Pakistan. The second campaign that we saw MuddyWater conduct was against Turkish entities, and we discovered this in November of 2021. And then there was another, a third campaign, that was targeting a lot of countries in the Arabian Peninsula, way more prolific and way more aggressive, that we discovered in December of 2021.

During the course of our research, while we were tracking all three of these campaigns, we discovered that there were multiple overlaps in the TTPs used across all of these campaigns. Basically a technique would be introduced in one campaign, it would be refined and made reliable, and then it would be migrated to another campaign that was being conducted in a completely distinct and different region of the world. It's not just the reuse of techniques we observed across these three campaigns; we also saw a lot of new techniques being introduced as well, and I'm going to talk about them during the course of this presentation as well.

Now, when we started looking at these campaigns, and the more we delved into these campaigns and the more research we did and the more stuff we uncovered, we realized that in order to present this at, you know, a really good conference like NorthSec, we needed to go back and take a look at some of the other campaigns that MuddyWater had conducted in the recent years as well. So I'm going to talk through a timeline of all the different campaigns and the different attack instances in this particular template. We're going to list all of them, and then we're going to list all the salient TTPs that were used in each of these campaigns.

So let's start with the first one. The first campaign that I'd like to talk about was conducted by the APT group in March 2021, and this was targeting countries in the Middle East. This specific campaign consisted of phishing emails with lures that were sent to targets. Basically a PDF would arrive in your inbox that would say, hey, open up this PDF, this is from a legitimate entity. The PDF would contain language that said, hey, you need to download this specific zip file or this archive from this remote location and execute the file inside of it. What basically happened was that the malicious archives consisted of remote control software utilities such as ScreenConnect and Remote Utilities. Once the victim executed these utilities on their endpoint, the attackers were able to manually connect to the infected endpoint, and then they would start pivoting and start an entirely new infection chain from there. During the course of this campaign we also saw the attackers use various types of commodity tools such as Ligolo, which is a reverse tunneling software which can be used to establish long-term communication channels between an infected endpoint and the attackers. The screenshot that I have on the screen today is a PDF that masquerades as a circular from the National Media Council of the United Arab Emirates. The text here basically states that we have a new version of the media library, it's available on this link, please go ahead and click it, don't ask any questions, open up the zip archive and execute the file inside of it. And that's how the victims get infected with remote control software that the attackers can then connect to.

Now the next attack instance of an operation conducted by MuddyWater was against Pakistan in April of 2021. This attack instance consisted of maldocs being delivered to the victims, usually masquerading as a government document of some sort. The screenshot that I have on the screen is from a blurred-out court case from a Pakistani court. This maldoc consisted of malicious VBA macros that would reach out to a remote URL and then download the ConnectWise remote access client that would be run on the system, and then the attackers could connect to it. What's interesting about this campaign, and the reason why we wanted to talk about this, is because this attack instance was the first instance of tracking tokens being used by the adversary. So for those of us that don't know what tracking tokens are, they're basically URLs that are embedded inside an artifact, an HTML file or an executable or a maldoc. And when that specific artifact is opened up on the endpoint, the artifact will make an HTTP call to that specific URL in order to register a successful infection for the endpoint with the attackers. The reason why we call this an instance of homemade tracking tokens is because the attackers used their own servers, assigned their own IPs, and managed and operated these servers, which is why we're calling them homemade tokens. This is basically a homegrown implementation of tracking infection tokens.

The next campaign that we observed being carried out by MuddyWater was against Armenia in June 2021. Basically what happened was, in this case, the attackers would distribute malicious executables that were built based on a builder that they have. We believe this is a customized builder, and we've seen executables being generated by this builder and being used in other campaigns as well. At the very core of it, the executable would drop a decoy document; it would also drop and execute a PowerShell-based downloader. We also saw the attackers use specific file extensions like dot-con ventures for the PowerShell scripts that the executables would deploy on the infected endpoint. And we also saw the use of LOLBins to instrument components of the infection chain. Now the screenshot that I have on the screen, by the way, is supposed to be a confidential document from Ericsson; it's a technical guide of some kind, and it pertains to Viva MTS, which is a telecom services provider in Armenia. So the attackers know what they're doing; this is basically used to target telecommunication entities in Armenia.

If you take a look at the PowerShell-based downloader, this was a very short and sweet and simple downloader, or stager, if I may say. Basically what happens within it is, I've got the code screenshotted on the slide deck here, but the downloader will basically send out preliminary system information to the command and control server, and then it will wait for the command and control server to issue PowerShell script commands to the script on the infected endpoint. And any of the commands that are received by the script will then be executed on the infected endpoint. So very short, very sweet, very simple, very tight implementation, nothing fancy here. It gets them a foothold inside the network and allows them to start executing more commands, you know, manually issuing more commands and executing more commands on the infected system.

Now an extension of this attack on Armenian entities was also seen again targeting entities in Pakistan in August 2021. Basically the infection chain is the same, the payloads are the same, you know, the same kind of TTPs have been used in this attack against entities in Pakistan. We see the use of the same type of executables that use the exact same type of PowerShell downloader; they use the same file extensions, they use the same type of LOLBins. However, in this specific attack instance, we saw the attackers use homemade tokens again. And what's interesting here is that the homemade tokens used in this case had the exact same IP address as those seen earlier in a very different campaign targeting Pakistan, this is the one from April 2021. So at this point in time, I'm basically trying to color code all of the salient TTPs in the slide to show you the similarities and the commonalities between the various campaigns. So you see some in orange, some common TTPs in blue across different campaigns, then some in purple. So this is basically meant for you to keep track of all the commonalities and all the overlaps in TTPs.

Now let's look at one of the very interesting MuddyWater campaigns from November 2021. This campaign specifically targeted entities in Turkey. We discovered this in November, but this campaign had been operational since at least September of 2021. In this campaign, the attackers took a two-fold approach. On one hand they used executables that acted as the droppers and downloaders and the initial infection vectors for the infection chains. But on the other hand, the attackers also used different types of malicious documents as well to instrument the attacks. Now in the case of the executables, we saw the executables deploy a second variant of a PowerShell-based downloader or stager, and we also saw the use of different kinds of loaders. At a very high level, this is what the infection chain basically looks like. The executable will drop and display a decoy document that is relevant and pertinent to the victims that they're trying to infect. It will execute a PowerShell-based instrumentor or script which is responsible for executing the PowerShell-based downloader. The downloader will then reach out to the command and control server, which will issue new commands to the downloader, which will then execute those commands on the infected endpoint. Now as in the case of the previous downloader, we see this new variant also is very short and very simple. Basically all there is, the core of the functionality in this downloader, is to take commands from the command and control server and just execute them non-stop on the infected endpoint. That's it. So basically they're using very small and very compact implants to establish an initial foothold into the networks.

Now, I spoke about the two-fold approach, right? So the second approach that the attackers took during the course of this campaign was to use malicious PDFs that would be opened up by the victim, and the PDF would have language that said, we cannot display the content of the document to you, however the correct version of the document is available at this location, please click on this location and open up this document. And that's exactly what happens during the infection chain. The PDF reaches out to a remote location that downloads a maldoc. The maldoc consists of malicious VBA macros that will in turn drop a VBS-based instrumentor and a PowerShell-based downloader, and then the infection chain is pretty much the same. The instrumentor will execute the PowerShell-based downloader, which will download commands from the remote locations and execute them on the infected endpoint.

Now what's interesting here is the maldocs disguised themselves as reports or forms belonging to different ministries in the Turkish government, and I've got a few examples here. You know, we saw maldocs that masqueraded as reports from the health ministry, the interior ministry from Turkey. So it's kind of interesting that, you know, this gives us an indication that they were actually trying to infect users who have relations with these specific ministries.

Now another interesting point to note here is that the attackers started using canary tokens instead of homegrown tokens in their maldocs. So for those of us that don't know, canarytokens.com is basically a free service that allows you to register a URL that you can then put in your artifacts, and when those artifacts are run, you know, the artifact, the executable or the maldoc, will reach out to that specific URL on canarytokens.com and register a successful infection. So now we have, I tried to come up with a good meme here but I came up with a really bad meme. What happened in November 2021 was that the attackers now switched from the use of homegrown infrastructure for tracking infection tokens. You remember I spoke about homemade tokens; they moved from homemade tokens to canary tokens, and we believe that this is an attempt at legitimizing their infection tracking.

MuddyWater, you know, a lot of them, most of them use PowerShell-based downloaders in one form or the other to establish an initial foothold on the infected endpoints. However, there was a new campaign in December 2021 that, you know, made its way well into 2022 that targeted a multitude of countries in the Arabian Peninsula. What basically happened during the course of this campaign was, this is the infection chain, you know, a phishing email would arrive in the victim's inbox with the maldoc. The malicious document would be opened; it consisted of a malicious VBA macro that would instrument the next stages of the infection chain. However, what's different here and what's unique here is that the attackers now moved from using PowerShell-based scripts to using WSF-based scripts. WSF is the Windows Script File; it has the ability to have multiple scripts, if I may say, or multiple scriptlets inside of the file from different languages. And that's what we saw during the course of this campaign: we saw the WSF-based RAT, which we're calling SloughRAT, being used to deploy additional malicious payloads on the infected endpoint. And we saw the reuse of the Ligolo reverse tunneling utility that we saw earlier in March of 2021 being used again in this specific campaign as well.

So let me give you a brief overview of what SloughRAT is. We named the term SloughRAT, but it is also known as Canopy. This RAT was also disclosed by the Cybersecurity and Infrastructure Security Agency of the United States, CISA. This is a WSF-based RAT, so it contains different snippets of code consisting of VBScript and JavaScript, and the execution jumps from one snippet to the other in order to carry out the malicious functionality that resides inside of this RAT. If you take a look at this specific RAT, if you just open it up in a text editor, you will see that there's a lot of obfuscation here. But if you peel through the obfuscation layers, at the end of the day it's a very simple RAT; it has the ability to execute arbitrary commands on the infected endpoints. The server will issue a command, the RAT will execute that command on the infected endpoint, it then stores the output of the command in a text file. That text file is subsequently read by the RAT and then exfiltrated out to the command and control server. The RAT also had the capability to deploy additional malware payloads, and we saw the use of, as I said, the Ligolo reverse tunneling utility being used here as well by infected endpoints that were running SloughRAT.

At this point in time, we've been through all the different MuddyWater campaigns. But what I'd like to highlight here is that if you look very closely at these slides, you will see that there are some very common TTPs: the use of executables across different campaigns from Armenia to Pakistan to Turkey; the use of remote control utilities from March 2021 that were reused again in December 2021 and well into January at the beginning of this year.

All right, so let's talk about canary tokens. So, the usage of canary tokens for tracking infection chains is very novel to this specific APT. We haven't seen this before. The first time we discovered this was when we were taking a look at the campaigns sometime in April 2021. And the more we looked at these campaigns, the more we realized that the attackers were slowly refining this technique. So in April of last year, in the campaign targeting Pakistani entities, we saw that the attackers started using homemade infection tokens. This was the experimental phase for this specific technique. The attackers were testing the waters; they were trying to understand the utility of this technique. They used this technique up until August of 2021. Perhaps around this point in time, the attackers realized that using homegrown infrastructure and homemade tokens was a little bit too noisy. A suspicious document reaching out to a random IP on your network is bound to catch somebody's attention at some point in time. Which is why, beginning with the campaign targeting Turkey in November 2021, we saw the attackers try to legitimize their infection token tracking systems. They started using a more professional implementation, and they started adopting canarytokens.com in order to keep track of their infections.

Now, canarytokens is a very interesting concept, and during the course of our research we tried to come up with a hypothesis of why the attackers were using homemade infection tracking tokens and canarytokens specifically. So canarytokens can be used for a number of purposes, and we have four hypotheses. The most obvious one is you want to keep track of successful infections. On the other hand, we believe that canarytokens can also be used for anti-analysis. So basically you can have an instance where you send a request to the token server first, and only if the token request is received will the server issue a payload to the specific infection. So this is a way to thwart isolated analysis of specific components of an infection chain. I believe that canarytokens can also be used as a form of timing checks for anti-analysis: you check the duration between a token request and the request for the payload, and if it's too small then the infection is probably running on a sandbox or some kind of an automated system. Canarytokens can also be used to find protections. If a token server keeps receiving requests from an infected endpoint but there are no requests for the payload from the infected endpoint, then that means that the victim has some sort of blocking and protection mechanism in place, and the adversaries can then modify their strategy and change their techniques and tools in order to achieve a greater degree of success against that specific victim.

All right, so I know this is a lot, and I know I rushed through a lot of the content because there was a lot of content, but I promise that I'm just going to present two more slides to you and I'm just going to talk about the conclusions here. So in case there weren't enough timeline slides for you, I have yet another one. This time we've tried to do something different. On the left-hand side we have a timeline of all the campaigns that we've discussed today, and we've also presented and color coded all the salient TTPs along with the different campaigns in the bullet points. But on the right-hand side, this is our attempt at showing the different commonalities between all the different campaigns that MuddyWater has conducted over the course of the last year. You know, you see the use of honey tokens across different campaigns. We see that the honey tokens would then evolve into a completely new and distinct campaign that was targeting Turkey. We see that similar payloads, similar PowerShell-based downloaders and file names and extensions and LOLBins were used across multiple distinct campaigns. And this indicates that the adversary is reusing their TTPs and they're borrowing from one another based on the reliability of a specific technique that they've used in the past.

All right, so in conclusion, we believe that MuddyWater is a supergroup. We believe that it is an umbrella organization that consists of separate teams that are targeting different geographies. All of these teams borrow TTPs from one another, and we've seen evidence of the reuse of their TTPs from one campaign to the other in distinct and different geographies. However, that does not mean that the individual groups are not innovating on their own as well. We see that the groups are innovating on their own; they develop their own TTPs, they develop their own suite of tools, they develop their own tactics. They test them out, they refine them, they make them more reliable. And once the utility of these techniques has been proven, they will put them in a common pool of tactics and tools, and these tools can then be utilized by another sub-team in a completely different campaign targeting a completely different geography. Now although there's different tools and techniques being used, and there's some amount of overlap between the TTPs as well, we strongly believe that all of these teams under the MuddyWater umbrella serve a common set of goals. They serve the interests of a common nation state, which is Iran in this case. And their primary focus again is to conduct espionage, to establish and maintain long-term access into their victims' networks, and also do some amount of intellectual property theft as well. And that brings us to the end of the presentation.
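As an added defender-side example (not from the talk, and not Cisco Talos code), the following Python applies the detection angle the speaker describes, a document or script host process reaching out to a bare IP or to canarytokens.com and then fetching a payload, to a constructed set of endpoint network log lines; the process list, the tab-separated log format, the payload suffixes and the ten-minute correlation window are assumptions.

```python
"""Flag infection-tracking token callbacks in endpoint network logs (constructed sample).
Signals from the talk: a document/script host process calling canarytokens.com or a
bare IP (the homemade tokens), and a callback followed shortly by a payload fetch."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed list of processes that should rarely talk to unknown web hosts on their own.
DOC_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "acrord32.exe",
                        "wscript.exe", "cscript.exe", "powershell.exe"}
TOKEN_SERVICE_DOMAIN = "canarytokens.com"
PAYLOAD_SUFFIXES = (".ps1", ".vbs", ".wsf", ".exe", ".zip", ".msi")

# Constructed sample log: timestamp, host, process, url (tab-separated).
SAMPLE_LOG = """\
2021-11-03T09:14:02\tWS-17\twinword.exe\thttp://canarytokens.com/static/abc123/index.html
2021-11-03T09:14:05\tWS-17\tpowershell.exe\thttp://198.51.100.23/d/stage2.ps1
2021-11-03T09:20:00\tWS-22\tchrome.exe\thttps://www.example.com/news
2021-11-03T10:01:10\tWS-09\twinword.exe\thttp://203.0.113.8/t/12.gif
2021-11-03T11:30:00\tWS-31\tpowershell.exe\thttps://www.example.org/update.ps1
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, host, proc, url = line.split("\t")
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "proc": proc.lower(), "url": url})
    return rows

def is_bare_ip(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False

def classify(row):
    """Return 'token', 'payload' or None for one log row."""
    if row["proc"] not in DOC_AND_SCRIPT_HOSTS:
        return None
    parsed = urlparse(row["url"])
    hostname = (parsed.hostname or "").lower()
    # canarytokens.com also has legitimate defender use, so tune this rule per environment.
    if hostname == TOKEN_SERVICE_DOMAIN or hostname.endswith("." + TOKEN_SERVICE_DOMAIN):
        return "token"
    if is_bare_ip(hostname):
        # A script/executable from a raw IP is a payload fetch; anything else looks like a beacon.
        return "payload" if parsed.path.lower().endswith(PAYLOAD_SUFFIXES) else "token"
    return None

def correlate(rows, window=timedelta(minutes=10)):
    """Pair each token callback with the next payload fetch from the same host.
    Returns (paired, unpaired): paired is [(host, seconds_between)], unpaired lists
    hosts whose callback was never followed by a payload fetch within the window."""
    by_host = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["ts"]):
        kind = classify(row)
        if kind:
            by_host[row["host"]].append((row["ts"], kind))
    paired, unpaired = [], []
    for host, events in by_host.items():
        for i, (ts, kind) in enumerate(events):
            if kind != "token":
                continue
            later = [t for t, k in events[i + 1:] if k == "payload" and t - ts <= window]
            if later:
                paired.append((host, (later[0] - ts).total_seconds()))
            else:
                unpaired.append(host)
    return paired, unpaired
```

A callback with no payload fetch behind it is worth a look on its own: it is either a standalone beacon or the case the speaker describes where the payload request was blocked.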