MuddyWater Ransomware Operator targets European Gaming Sector
A Russian ransomware operator is likely targeting an unnamed entity in the gaming and gambling sector in Europe and Central America by repurposing custom tools developed by the APT hacking group known as MuddyWater.
What is MuddyWater ransomware?
MuddyWater ransomware is an Iran-based hacking group that targets organizations in the Middle East. However, countries such as India and the USA have also been targeted by this threat actor. MuddyWater ransomware operators use a slowly evolving PowerShell-based backdoor called ‘POWERSTATS’.
How does MuddyWater ransomware exploit a network?
Researchers from the Israeli incident response firm Security Joes said in a report that the intrusion involved an unusual attack chain: stolen credentials were abused to gain unauthorized access to the target’s network, which ultimately led to the deployment of Cobalt Strike payloads on infected assets. The infection appears to have been contained at some stage, but it is suspected to have been intended as a ransomware attack.
The breach was found to have happened in Feb 2022, with the MuddyWater ransomware gang using tools such as ADFind, LaZagne, SoftPerfect and NetScan. Another attack vector is an AccountRestore executable used to brute-force administrator credentials, together with an upgraded version of the reverse tunneling tool called Ligolo.
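Because the intrusion started from compromised credentials and relied on brute-forcing administrator accounts, the detection a defender most wants here is a burst of failed logons against a privileged account from one source, followed by a success. The script below is an added example, not code from the article or from Security Joes; it parses constructed, synthetic Windows logon events (4625 = failed logon, 4624 = successful logon) in an assumed one-line-per-event format, counts failures per (source IP, target user) pair inside a sliding time window, and marks a pair as compromised when a success follows the burst.

```python
"""Brute-force detection over Windows logon events (constructed sample data).

Assumptions (not from the article): each log line has the form
    <ISO timestamp> EventID=<id> TargetUser=<name> SourceIP=<ip>
and event IDs follow Windows Security log semantics (4625 failed, 4624 success).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: five failures then a success against
# Administrator from one host, plus two unrelated, widely spaced failures.
SAMPLE_LOG = """\
2022-02-10T03:00:01 EventID=4625 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:00:02 EventID=4625 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:00:03 EventID=4625 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:00:04 EventID=4625 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:00:05 EventID=4625 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:00:06 EventID=4624 TargetUser=Administrator SourceIP=10.0.5.23
2022-02-10T03:10:00 EventID=4625 TargetUser=jdoe SourceIP=10.0.7.8
2022-02-10T03:30:00 EventID=4625 TargetUser=jdoe SourceIP=10.0.7.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (source IP, user) pair that logs >= threshold
    failed logons within `window`. The alert's `compromised` flag becomes True
    if a successful logon for the same pair is seen after the burst."""
    recent_failures = defaultdict(deque)  # (ip, user) -> timestamps of 4625s in window
    alerts = {}                           # (ip, user) -> alert dict

    for e in events:
        key = (e["ip"], e["user"])
        if e["eid"] == 4625:
            q = recent_failures[key]
            q.append(e["ts"])
            # Drop failures that fell out of the sliding window.
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "source_ip": e["ip"],
                    "user": e["user"],
                    "failures": len(q),
                    "first_failure": q[0],
                    "compromised": False,
                }
        elif e["eid"] == 4624 and key in alerts:
            # A success after a burst of failures: the password was likely found.
            alerts[key]["compromised"] = True

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        status = "SUCCESS AFTER BURST" if alert["compromised"] else "failures only"
        print(f"{alert['source_ip']} -> {alert['user']}: "
              f"{alert['failures']} failures from {alert['first_failure']} ({status})")
```

The two jdoe failures are twenty minutes apart and never reach the threshold, so only the Administrator burst is reported; in a real deployment the threshold and window would be tuned per environment and the alert would be raised on the compromised flag, since that is the point at which the attacker holds valid admin credentials.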
The modified variant is a Golang binary designed to expose internal assets of a compromised network in a secure and stealthy manner. With these upgrades the malware removes the need for command-line parameters and adds multiple checks to avoid running more than one instance.
Ligolo is a primary tool of choice for the MuddyWater ransomware operators, and the use of a Ligolo fork raises the possibility that the threat actors are taking tools from other ransomware groups and replacing the signature with their own to confuse attribution. One of the deployed binaries has hard-coded references to Russia.
“The strategy used by threat actors to access and pivot over the victim’s infrastructure lets us see a persistent, sophisticated enemy with some programming skills, red teaming experience and a clear objective in mind, which is far from the regular script kiddie profile,” the researchers said.
“The fact that the entry point for this intrusion was a set of compromised credentials reassures the importance of applying additional access controls for all the different assets in any organization.”