A MuddyWater Cyber Spy

This blog post is going to be about the adventure I had doing some research on the MuddyWater APT. It started when a bunch of new leaks involving APT34 (OilRig) and MuddyWater were coming out on Telegram, through the Lab Dookhtegan and GreenLeakers chat groups. The tools and the data got me interested in looking into who may be involved. I was doing some research on who might be involved in this group when I came across a MuddyWater macro document. While doing some analysis on the document I came across something interesting..


We see here that the author of this document is a Windows user "Gladiator_CRK" "Nima", so I went ahead and started googling "Gladiator_CRK" and came up with some interesting things, like this YouTube video from 2018: https://www.youtube.com/watch?v=wkWiFzipbpw


This shows a PoC bypassing Kaspersky Anti-Virus with ASCII of MUDDYWATER, which is pretty interesting since the YouTube account is also named "muddy water", and when we scroll down we see a comment from someone named "Nima Nikjoo".

Also, when I was looking through the recent APT34 leaks on Telegram I came across something interesting in the MuddyC2 panel: in the bottom left corner, if we zoom in just enough, we can see "By Gladiator".

Now this gets interesting, so I go ahead and take that name and throw it in Google, which gives us some nice output.
I go ahead and view the first link, which is a Twitter account made by Nima, which, it turned out when I logged in, was following me on Twitter lol...

We engaged in a talk about some things, and Nima then gave me his Telegram to talk further. I found something interesting after our talk was done: once I added him, he had a Russian/Serbian username, which I thought was weird, so I decided to translate it.


Well.. Now I'm really starting to think we have a good guess that Gladiator_CRK is Nima Nikjoo. So let's take a look at some more information I was able to gather. We have some Python code from MuddyWater that generates a macro embedded in PowerShell.


There are two hashes labeled as "HashKey_1" and "HashKey_2". If we decrypt these hashes, this is what we get:
dd239423ce826bfb1a26478ad205cfe9  gladiator_crd
e495a76dc36655e87d0e855af3966f40  nima.n


Interesting: the output for both of those hashes is the same names we have come across so far. Let's take a look at another example.

Here we have the PoC code (not public) I was able to obtain through other means, and this shows "#GMER EDITION from N.N.T", which I thought were interesting initials, so I wanted to find out what this means.


I found out that Nima has his own website at https://www.vsec.ir and of course we go and do some information gathering on this, and we come up with:

domain:  vsec.ir
ascii:  vsec.ir
remarks:  (Domain Holder) Nima NikjooyeTabrizi
remarks:  (Domain Holder Address) No.988, rasani Sq East baijan, IR (edited)

Nima Nikjoo Tabrizi => N.N.T

While looking through more information online I came across a blog post about Iranians behind the StoneDrill and NewsBeef malware at https://irancybernews.org/news/318/. If we scroll down through the article we find something else: it looks like Nima has some history as well before MuddyWater.

I also found today another blog post, which looks like it has been Google cached, that gives a good insight into some more information, with Nima included.

"Muddy waters: how MuddyWater hackers attacked a Turkish military electronics manufacturer"



Now what else can we find... If we go to Nima's website we can view a recent post of him offering teaching courses on the Delphi programming language. After I saw this I went and viewed a recent PDF from Trend Micro on MuddyWater activity. Coincidence...?
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

Looking deeper into some of the handles Nima uses, I came across some forums that were talking about some malware packers like Enigma Protector (used for packing Delphi and other malware) and also about Hefaz, a packer he allegedly works on, written in Delphi. He uses this on malware, and it will always contain the Enigma DLL, which can also be found in some malware.

Here is a screenshot from Hybrid-Analysis of a MuddyWater GoogleUpdate.exe using Enigma Protector.

So this is a quick insight into what I've been up to, mixed with work-related things. If anyone has anything else interesting about MuddyWater or the members behind it, let me know.

0xffff0800@jabber.ccc.de
0xffff0800@protonmail.com
http://0xffff0800.ru