The Dark Evolution: MuddyWater’s New Tactics and the Manticore Alliance

MuddyWater, the Iranian state-sponsored APT group also known as MERCURY, Mango Sandstorm, Seedworm, and Static Kitten, has been making waves since 2017, primarily targeting Middle Eastern nations but now expanding to India and the USA. Under the same Iranian Ministry of Intelligence and Security (MOIS) umbrella, two more APT groups, Scarred Manticore and Void Manticore, emerged in 2023. Scarred Manticore specializes in espionage, gaining initial access through the Liontail malware framework, while Void Manticore focuses on destructive campaigns, utilizing manual file deletion and custom wipers like BiBi.

MuddyWater’s modus operandi involves spear-phishing to deploy backdoors like PowGoop, POWERSTATS, and Mori, often using legitimate file-sharing services for distribution. In 2023, it shifted towards Remote Monitoring and Management (RMM) tools for interactive sessions and increased its focus on Israeli companies. Its evolving C2 infrastructure, from leaked frameworks to the new muddyc2Go and DarkBeatC2, demonstrates adaptability.

Mid-2024 saw another shift with the introduction of the custom “bugsleep” backdoor, injected into browsers or applications like OneDrive for covert control and data exfiltration. This backdoor employs EDR evasion techniques by manipulating process signature and dynamic code policies.

The recent alliance between Scarred Manticore and Void Manticore, combining espionage and destructive capabilities, raises concerns about the potential for shorter, more impactful campaigns.

In this presentation we will scrutinize the upgraded “bugsleep” backdoor, its EDR evasion mechanisms, and the evolution of MuddyWater’s C2 frameworks, whilst also shedding light on the TTPs and effective collaborations of the deadly Manticore duo. Given MuddyWater’s effectiveness in espionage and its existing interest in Israeli targets, we will also explore whether it might collaborate with or share tools with the other MOIS APT groups to enhance their combined destructive potential.

Lomada Suresh Reddy – K7 Computing

Suresh Reddy completed his Bachelor’s degree in Computer Science and Engineering at Vignan Institute of Technology and Science in 2022. He began his professional journey as a Threat Researcher at K7 Labs, where his primary responsibilities involve reversing and detecting various types of malware at multiple layers, as well as staying up to date with the latest trends. Suresh Reddy is passionate about malware analysis and reverse engineering of Windows and macOS files, and his research findings are published on the K7 Labs technical blog. In his leisure time, he enjoys playing cricket, writing stories and travelling with his friends.

Uma Madasamy – K7 Computing

Uma completed her Master’s degree in Computer Science and Engineering at Anna University in 2021. She started her career as a Threat Researcher at K7 Labs, where her main role involves detecting and reversing different types of malware at various layers, in addition to staying informed about the latest industry trends. She has a strong passion for cybersecurity and safeguarding the digital realm, and has written and published various technical blogs on the K7 Labs technical blog.