A MuddyWater Cyber Spy

This blog post is going to be about the adventure I had doing some research on the MuddyWater APT. It starts off when a bunch of new leaks involving APT34 (OilRig) and MuddyWater were coming out on Telegram, through the Lab Dookhtegan and GreenLeakers chat groups. The tools and the data got me interested in looking into who may be involved. I started doing some research on who might be involved in this group when I came across a MuddyWater macro document. While doing some analysis on the document I came across something interesting.


We see here that the author of this document is a Windows user "Gladiator_CRK" / "Nima". So I went ahead and started googling around for "Gladiator_CRK" and came up with some interesting things, such as this YouTube video from 2018: https://www.youtube.com/watch?v=wkWiFzipbpw

This shows a PoC bypassing Kaspersky Anti-Virus with ASCII art of MUDDYWATER, which is pretty interesting since the YouTube account is also named muddy water, and when we scroll down we see a comment by someone named "Nima Nikjoo".

Also, when I was looking through the recent APT34 leaks on Telegram I came across something interesting in the MuddyC2 panel: in the bottom left corner, if we zoom in just enough, we can see "By Gladiator".

Now this gets interesting, so I go ahead and take that name and throw it into Google, which gives us some nice output.
I go ahead and view the first link, which is a Twitter account made by Nima, and which, it turned out when I logged in, was following me on Twitter lol...

We engaged in a talk about some things, and Nima then gave me his Telegram to talk further. I found something interesting after our talk was done: once I added him, he had a Russian/Serbian username, which I thought was weird, so I decided to translate it.

Well... now I'm really starting to think we have a good guess that Gladiator_CRK is Nima Nikjoo. So let's take a look at some more information I was able to gather. We have some Python code from MuddyWater that generates a macro embedded in PowerShell.

There are two hashes labelled "HashKey_1" and "HashKey_2". If we decrypt these hashes, this is what we get:
dd239423ce826bfb1a26478ad205cfe9  gladiator_crd
e495a76dc36655e87d0e855af3966f40  nima.n
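As an added check that is not part of the original post, the two MD5 values above can be verified with Python's hashlib: MD5 is not reversible, so a handle is only "recovered" when a guessed candidate hashes to the same digest, which is what hash lookup sites do behind the scenes. The known-answer digests for "abc" and the empty string used in the check are standard MD5 test vectors.

```python
import hashlib

# The two hashes quoted in the post (labelled HashKey_1 and HashKey_2) and
# the strings the post says they resolve to. Whether they really match is
# checked by hashing each candidate, not assumed.
POST_HASHES = {
    "HashKey_1": "dd239423ce826bfb1a26478ad205cfe9",
    "HashKey_2": "e495a76dc36655e87d0e855af3966f40",
}
POST_CANDIDATES = ["gladiator_crd", "nima.n"]


def md5_hex(text: str) -> str:
    """Return the lowercase hex MD5 digest of a UTF-8 encoded string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def match_candidates(hashes: dict, candidates: list) -> dict:
    """Map each hash label to the candidate whose MD5 equals it, or None.

    MD5 cannot be decrypted; a plaintext is only found when one of the
    guessed candidates produces the same digest.
    """
    by_digest = {md5_hex(c): c for c in candidates}
    return {label: by_digest.get(digest.lower()) for label, digest in hashes.items()}


if __name__ == "__main__":
    for label, hit in match_candidates(POST_HASHES, POST_CANDIDATES).items():
        print(f"{label}: {hit if hit else 'no candidate matched'}")
```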

Interestingly, the output for both of those hashes is the same pair of names we have come across so far. Let's take a look at another example.

Here we have the PoC code (not public) that I was able to obtain through other means, and it shows "#GMER EDITION from N.N.T", which I thought was an interesting set of initials, so I wanted to find out what this means.

I found out that Nima has his own website at https://www.vsec.ir, and of course we go and do some information gathering on this domain, which gives us the following:

domain:  vsec.ir
ascii:  vsec.ir
remarks:  (Domain Holder) Nima NikjooyeTabrizi
remarks:  (Domain Holder Address) No.988, rasani Sq East baijan, IR

Nima Nikjoo Tabrizi => N.N.T

While looking through more information online I came across a blog post about Iranians behind the StoneDrill and NewsBeef malware at https://irancybernews.org/news/318/. If we scroll down through the article we find something else: we see that Nima looks like he has some history before MuddyWater as well.

I also found today another blog post that looks like it has only survived in Google's cache but gives a good insight into some more information, with Nima included.

"Muddy waters: how MuddyWater hackers attacked a Turkish military electronics manufacturer"

Now what else can we find... If we go to Nima's website, we can view a recent post of him offering teaching courses in the Delphi programming language. After I saw this I went and viewed a recent PDF from TrendMicro on MuddyWater activity. Coincidence...?

Looking deeper into some of the handles Nima uses, I came across some forums that were talking about malware packers like Enigma Protector (used for packing Delphi and other malware) and also about Hefaz, a packer written in Delphi that he allegedly works on. He uses this on malware, and it will always contain the Enigma DLL, which can also be found in some malware samples.

Here is a screenshot from Hybrid Analysis of a MuddyWater GoogleUpdate.exe using Enigma Protector.

So this is a quick insight into what I've been up to, mixed in with work-related things. If anyone else has anything interesting about MuddyWater or the members behind it, let me know.
