@GroupIB_TI released a great report detailing MuddyWater’s use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using Etags.
Let's take a look! 🧐 👇👇
2/ First Etag (153): 🔟 results.
First IP of interest: 👉164.132.237[.]67
If we now pivot on the SSH hash, we match on another IP:
👉3.6.222[.]144.
Looking at this IP, the SSL certificate presented mentions O=Teradici Corporation...
3/ Teradici (now HP Anywhere) allows for remote access to machines from any PCoIP client. 💻⬅️🌐⬅️💻
Does this indicate that MuddyWater may be using HP Anywhere/Teradici as well as SimpleHelp? 🧐
4/ Using the hash presented by this IP you can find another 176 hosts on the internet:
👉http.html_hash:-1480707872
Searching for “ssl:Teradici” you find 2060 hosts!
HP Anywhere/Teradici is remote desktop software (teradici.com) that uses PCoIP technology.
5/ Second IP of Interest:
👉164.132.237[.]65
Port 10443 is open but returns no banner information. Pivoting off that hash returns 36 results.
Looking at the first IP:
👉 44.202.249[.]7
It also has the default Sliver C2 port 31337 open, including SSL certificate settings:👇
Additionally, IP 5.34.180[.]39 presents a Metasploit certificate on port 3790:
CN=MetasploitSelfSignedCA
7/ Third IP of interest: 137.74.131[.]29:443.
It has an interesting header; pivoting on it returns 17 results, the first being a Metasploit C2: 164.132.237[.]79. This IP is hosted on the same ISP subnet as 3 MW C2s previously reported by GIB. 🔥👉 This IP hasn’t been identified as MW.
8/ This IP does share a hostname:
👉6nc110821hdb[.]co
with 51.255.19[.]178 which is a SimpleHelp server attributed to MW.
👉IP: 137.74.131[.]24 is a MuddyWater IP address. The domain nc6jan20pol[.]co is shared across this and another IP.
9/ This IP was using the same Etag reported by GIB but no longer appears in that search; it can still be found by the header or a hostname search.
10/ (Last one)
The last IP of interest: 👉149.202.242[.]85. This IP is also running Metasploit, with port 3790 open.
More evidence of a shift by MuddyWater toward using Metasploit.
Interesting changes (Metasploit and Teradici) since the Group-IB report. Thanks for reading! 🙂
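The pivots used throughout the thread (a shared Etag, a shared HTTP body hash, a certificate organisation or CN, a shared hostname) all follow the same pattern: turn each host's observable fingerprint into a set of keys, then find other hosts that share a key. The script below is an added example and is not code from the thread or from Group-IB. Only the defanged IPs, the `http.html_hash:` and `ssl:` query forms, the Sliver port 31337 and the Metasploit CN `MetasploitSelfSignedCA` come from the thread; every Etag, HTML body and hostname-to-IP pairing in `OBSERVATIONS` is constructed for illustration. The body-hash routine implements the public MurmurHash3 x86_32 algorithm (signed 32-bit, seed 0), which is what the `http.html_hash` filter is based on; the `hostname:` filter and the plain quoted search for Etag values are assumptions about query syntax.

```python
"""Fingerprint pivoting over captured host observations (added example; constructed data)."""
from collections import defaultdict

C1, C2, MASK = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int (the form http.html_hash values take)."""
    h1 = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                      # full 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = _rotl32((k1 * C1) & MASK, 15)
        k1 = (k1 * C2) & MASK
        h1 = _rotl32(h1 ^ k1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK
    tail, k1 = data[4 * nblocks:], 0              # remaining 0..3 bytes
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * C1) & MASK, 15)
        h1 ^= (k1 * C2) & MASK
    h1 ^= len(data)                               # finalisation mix
    h1 = ((h1 ^ (h1 >> 16)) * 0x85EBCA6B) & MASK
    h1 = ((h1 ^ (h1 >> 13)) * 0xC2B2AE35) & MASK
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


# Defaults the thread calls out on MuddyWater hosts; useful as detection hints, not proof.
KNOWN_C2_DEFAULTS = {
    ("cert_cn", "MetasploitSelfSignedCA"): "Metasploit self-signed CA (seen on 3790)",
    ("port", 31337): "Sliver default C2 port",
}
LINK_KINDS = {"etag", "html_hash", "cert_org", "cert_cn", "hostname"}  # ports alone are too weak to link on


def pivot_keys(obs: dict) -> set:
    """Every (kind, value) fingerprint a host exposes."""
    keys = set()
    if obs.get("etag"):
        keys.add(("etag", obs["etag"]))
    if obs.get("html") is not None:
        keys.add(("html_hash", murmur3_32(obs["html"])))
    for kind in ("cert_org", "cert_cn"):
        if obs.get(kind):
            keys.add((kind, obs[kind]))
    keys.update(("hostname", h) for h in obs.get("hostnames", ()))
    keys.update(("port", p) for p in obs.get("ports", ()))
    return keys


def query_for(key) -> str:
    """Search string for a pivot key; html_hash/ssl forms are from the thread, the rest assumed."""
    kind, value = key
    if kind == "html_hash":
        return f"http.html_hash:{value}"
    if kind in ("cert_org", "cert_cn"):
        return f"ssl:{value}"
    if kind == "hostname":
        return f"hostname:{refang(value)}"
    return f'"{value}"'


def related_hosts(observations: list, ip: str) -> dict:
    """Other IPs sharing at least one strong pivot key with `ip`, with the keys shared."""
    index = defaultdict(set)
    for obs in observations:
        for key in pivot_keys(obs):
            index[key].add(obs["ip"])
    me = next(o for o in observations if o["ip"] == ip)
    links = defaultdict(set)
    for key in pivot_keys(me):
        if key[0] in LINK_KINDS:
            for other in index[key] - {ip}:
                links[other].add(key)
    return dict(links)


def c2_indicators(obs: dict) -> list:
    return [desc for key, desc in KNOWN_C2_DEFAULTS.items() if key in pivot_keys(obs)]


def drift(old: dict, new: dict) -> dict:
    """Which keys survived a re-scan: a lost Etag (thread, 9/) does not sever hostname links."""
    a, b = pivot_keys(old), pivot_keys(new)
    return {"kept": a & b, "lost": a - b, "gained": b - a}


OBSERVATIONS = [  # constructed: Etags, bodies and hostname pairings are invented
    {"ip": "164.132.237[.]67", "etag": 'W/"153-example"', "html": b"<html>SimpleHelp</html>", "ports": [443]},
    {"ip": "3.6.222[.]144", "html": b"<html>PCoIP</html>", "cert_org": "Teradici Corporation", "ports": [443]},
    {"ip": "44.202.249[.]7", "html": b"<html>PCoIP</html>", "ports": [10443, 31337]},
    {"ip": "5.34.180[.]39", "cert_cn": "MetasploitSelfSignedCA", "ports": [3790]},
    {"ip": "137.74.131[.]29", "etag": 'W/"153-example"', "hostnames": ["6nc110821hdb[.]co"], "ports": [443]},
    {"ip": "51.255.19[.]178", "hostnames": ["6nc110821hdb[.]co"], "ports": [443]},
]

if __name__ == "__main__":
    for other, keys in related_hosts(OBSERVATIONS, "137.74.131[.]29").items():
        print(other, "via", [query_for(k) for k in keys])
    for obs in OBSERVATIONS:
        if c2_indicators(obs):
            print(obs["ip"], c2_indicators(obs))
```

Running it links 137.74.131[.]29 to 164.132.237[.]67 through the Etag and to 51.255.19[.]178 through the hostname, and flags the two hosts carrying Metasploit and Sliver defaults. Two caveats for anyone blocking or alerting on the output: a body hash or Etag is only as unique as the page behind it (the thread's `ssl:Teradici` query returns thousands of legitimate hosts), and fingerprints drift between scans, which is why `drift()` reports which keys remain before a link is trusted.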
VirusTotal shows a lack of detections for Meterpreter, indicating a possibly unique fingerprint. Additionally, the most recent domain draws interest. The IP address is running a small number of services, on ports 22, 80 and 8080.
1⃣ First Observation 🧐
👉 The hostname: fortiveme[.]net 🌐
This domain was created on 10th October 2023. 16 days later, on 25th October 2023, the company #Fortive was posted as a victim of Black Basta, appearing on their Data Leak Site. Coincidence?
@FalconFeedsio: