Threat Intel-Pivoting using Censys
Hunting malicious infrastructure: Muddy Water Cyberespionage Threat Actor from Iran 🇮🇷
In this short blog, I will show you one practical example of how you can pivot from one node to another and reveal a Threat Actor's infrastructure cluster.
First things first: Who is Muddy Water?
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
Let's start!
I saw this tweet from Simon and decided to find out what else we can learn from the first node.
The first node, 146.70.149[.]61:8008, is crucial, so we can use it as our starting point.
It looks like it is running the SimpleHelp software on HTTP port 8008.
MuddyWater has been observed using the legitimate SimpleHelp remote support software tool to achieve persistence on the victim's device.
The challenge is to find out Muddy Water SimpleHelp infrastructure only (SimpleHelp is also used for genuine purposes).
The first step is to assess the first node with Censys.
Pay attention to the characteristics like port number, patterns, tool name, hosting, and certs.
First pivot: SSH
Now let's check the SSH key fingerprinting running on SSH 22.
services.ssh.server_host_key.fingerprint_sha256="8d1798c27b2381fcbffb19abb5bac757052f4fa9da8b246969392c7f4a6b34fd"
Second pivot: Hosting provider
(services.ssh.server_host_key.fingerprint_sha256="8d1798c27b2381fcbffb19abb5bac757052f4fa9da8b246969392c7f4a6b34fd") and autonomous_system.name=`M247`
Pivoting to M247 brings us down from 108 to 76 hosts, so we now know that the SSH key was deployed on 76 hosts in M247.
Now we need to go back to the SimpleHelp software to improve our hunting rules.
Third pivot: SimpleHelp software data/strings
(services.ssh.server_host_key.fingerprint_sha256="8d1798c27b2381fcbffb19abb5bac757052f4fa9da8b246969392c7f4a6b34fd") and autonomous_system.name=`M247` and SimpleHelp
Now it looks like everything is connected (same SSH key, similar port patterns, certs, hosting provider).
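The three pivots above, carried out as successive filters over host records, as an added example that is not code from the post; it assumes a Censys-like JSON shape with `ip`, `autonomous_system.name` and `services[]`, plus an `html_title` field for the SimpleHelp string, and every host record is constructed inline:

```python
# Added example (not the post's code): three-stage pivot over Censys-style host records,
# SSH host key fingerprint -> hosting provider (AS name) -> SimpleHelp string in HTTP data.
# Records are CONSTRUCTED to resemble Censys host JSON; `html_title` is an assumed field.
FINGERPRINT = "8d1798c27b2381fcbffb19abb5bac757052f4fa9da8b246969392c7f4a6b34fd"


def has_ssh_fingerprint(host: dict, fp: str) -> bool:
    # Censys field: services.ssh.server_host_key.fingerprint_sha256
    return any(
        s.get("ssh", {}).get("server_host_key", {}).get("fingerprint_sha256") == fp
        for s in host.get("services", [])
    )

def in_asn(host: dict, as_name: str) -> bool:
    # Censys field: autonomous_system.name
    return host.get("autonomous_system", {}).get("name") == as_name

def mentions_simplehelp(host: dict) -> bool:
    # Free-text "SimpleHelp" match over the HTTP title of each service (assumed field)
    return any(
        "simplehelp" in s.get("http", {}).get("response", {}).get("html_title", "").lower()
        for s in host.get("services", [])
    )

def pivot(hosts: list, fp: str, as_name: str) -> dict:
    # Apply the three filters in order and report how the host count narrows at each step
    stage1 = [h for h in hosts if has_ssh_fingerprint(h, fp)]
    stage2 = [h for h in stage1 if in_asn(h, as_name)]
    stage3 = [h for h in stage2 if mentions_simplehelp(h)]
    return {"ssh_key": len(stage1), "asn": len(stage2), "simplehelp": len(stage3),
            "hits": sorted(h["ip"] for h in stage3)}

def host(ip: str, as_name: str, fp: str = "", title: str = "") -> dict:
    # Build a minimal constructed host record with an SSH service and/or an HTTP 8008 service
    services = []
    if fp:
        services.append({"port": 22, "ssh": {"server_host_key": {"fingerprint_sha256": fp}}})
    if title:
        services.append({"port": 8008, "http": {"response": {"html_title": title}}})
    return {"ip": ip, "autonomous_system": {"name": as_name}, "services": services}

SAMPLE_HOSTS = [  # constructed; first two IPs are the post's, the rest are RFC 5737 test addresses
    host("146.70.149.61", "M247", FINGERPRINT, "SimpleHelp"),      # first node
    host("37.120.237.248", "M247", FINGERPRINT, "SimpleHelp"),     # listed IOC
    host("192.0.2.10", "M247", FINGERPRINT),                        # same key, no SimpleHelp
    host("198.51.100.7", "EXAMPLE-AS", FINGERPRINT, "SimpleHelp"),  # same key, other provider
    host("203.0.113.5", "M247", "", "SimpleHelp"),                  # genuine SimpleHelp, other key
]

if __name__ == "__main__":
    print(pivot(SAMPLE_HOSTS, FINGERPRINT, "M247"))
```

The counts show the same narrowing the post describes: the shared key alone matches too broadly, the provider filter removes hosts outside M247, and the SimpleHelp string drops hosts that only share the key.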
Short research summary
Pivots:
- First pivot: SSH fingerprinting
- Second pivot: Hosting provider (M247/AS9009)
- Third pivot: SimpleHelp software data/string
Patterns:
- Ports/Services: SSH (22, 222) and HTTP (80,443,8008)
- Operating Systems (Ubuntu Linux 18.04)
IOCs:
- 37.120.237.248
- 37.120.237.204
- 146.70.78.45
- 146.70.124.102
- 146.70.149.61
Summary:
It looks like Muddy Water deployed C2 infrastructure (SimpleHelp) using the same SSH key on M247/AS9009 and followed the same deployment rules.
Ref: