Recently, Israel claimed that the Islamic Republic regime attacked Haifa Technical University. The responsible Israeli officials sent us more information about this hack and wanted to expose it on our Telegram channel.
After verification by our group, we are sharing this information with you, our followers, here.
The MuddyWater group is affiliated with the terrorists of the Ministry of Intelligence of the hated regime of the Islamic Republic. This group is also known by other names, such as Static Kitten, MERCURY, Earth Vetala, Seedworm and TEMP.Zagros.
This cyber terrorist group has many activities in the field of CNE (computer network exploitation) attacks throughout the Middle East. It uses methods such as social engineering, phishing and the exploitation of vulnerabilities to gain access.
Some of the tools used by MuddyWater are PowerShower, PowerStallion and the MuddyWater proxy.
In the recent hack against Haifa Technical University, for the first time this group combined a cyber attack with psychological warfare. As part of this cyber attack, many documents from the university were shared on a newly opened Telegram channel called Darkbit. Two methods were used together:
First, CNE: the group wrote on its Telegram channel Darkbit that it holds 4 terabytes of documents from the servers of Haifa Technical University.
Second, CNA (computer network attack): extensive encryption of the university's computer systems with the aim of sabotaging daily university activities.
In this cyber attack, two main tools were used:
First: a tool for Windows systems. It is a simple and standard tool, using symmetric AES and asymmetric RSA encryption, with the string DARKBIT_ENCRYPTED_FILES marking a file as encrypted, a countdown from 10, a mutex implementation, and the ability to perform several activities simultaneously in different threads. This blackmail (ransom) tool for attacking Windows systems is written in the Go language and compiled by MinGW under the file name 8curse.exe.
Learn more about this tool:
MD5: 9880fae6551d1e9ee921f39751a6f3c0
SHA1: 30466ccd4ec7bcafb370510855da2cd631f74b7a
SHA256: 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
Second: the blackmail (ransom) payload itself (Darkbit), made for Linux and Unix systems. After analyzing the code, it is clear that this tool is built for attacking ESXi servers. It is written in C/C++ and compiled by GCC (4.4.7 20120313). Like the first tool, it uses RSA and AES encryption. In the code, the hackers listed the extensions of the files they wanted: vmdk, vswp, vmsd, vmsn. The tool uses ESXCLI to enumerate the virtual machines running on the system and then, by sending a command, kills all the virtual machines in the list.
Learn more about this tool:
MD5: ad2c3054f9de589030269d12a9cbbeeb
SHA1: 9ed8db1620dac9efc78ebb4d209d3281c50e24da
SHA256: 0bb1d29ede51d86373e31485d0e24701558e50856722357372518edfb98265a1
In addition to these tools, the hackers use other publicly available tools, such as:
– Tacoscript (tacoscript.exe), a CLI tool for automating tasks on the systems
– A remote system management tool (rport.exe)
– MITRE ATT&CK tactics covered: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Command and Control, Exfiltration.
More technical information is available in the following file: IOCs
In addition, you can see more information about this group on VirusTotal: https://www.virustotal.com/gui/file/9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff/detection
We will buy any information about the Darkbit group: their headquarters, their activities and projects, the names of their operatives, their capabilities and tools, and the connection between the Darkbit group and MuddyWater.
IOCs:
WebShell paths:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.2.1118\scripts\premium\flogon.js.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUISemiBold.eot.aspx
YARA rules:
8curse.exe
rule darkbit_rans_cleartext {
    strings:
        $console_nomutex = "Exiting due to another instance (You can run with --nomutex)"
        $console_1 = "run on all without timeout counter"
        $console_2 = "force not checking mutex"
        $console_3 = "Just spread/No Encryption"
        $console_4 = "force blacklisted computers"
    condition:
        uint16(0) == 0x5A4D and (
            2 of them
        )
}
rule darkbit_rans_config {
    strings:
        $field_strong_1 = "\"limitMB\": "
        $field_strong_2 = "\"parts\": "
        $field_strong_3 = "\"eachPart\": "
        $field_weak_1 = "limitMB"
        $field_weak_2 = "parts"
        $field_weak_3 = "eachPart"
        $ext = "Darkbit"
        $extC = "DARKBIT"
        $file_1 = "darkbit.jpg"
        $file_2 = "recovery_darkbit.txt"
        $ransom = "DARKBIT_ENCRYPTED_FILES"
    condition:
        uint16(0) == 0x5A4D and (
            all of ($field_weak*)
            or 2 of ($field_strong*)
            or (any of ($ext*) and any of ($file*))
            or ($extC)
            or $ransom
        )
}
ESXi.Darkbit
rule darkbit_linux {
    strings:
        $a1 = "DARKBIT" ascii wide nocase
        $a2 = "RECOVERY_DARKBIT.txt" ascii wide nocase
        $a3 = "- Encrypting" ascii wide
        $a4 = "can't rename enc" ascii wide
        $a5 = "can't write enc" ascii wide
        $a6 = "Encryption Done" ascii wide
        $a7 = "sleep time invalid format" ascii wide
        $a8 = "number of process %d" ascii wide
        $a9 = "sleep time: %ld" ascii wide
        $a10 = "dabda-bt2as4dfa-294jfajks-qti9-bm3xu2" ascii wide
        $a11 = "AB33BC51AFAC64D98226826E70B483593" ascii wide nocase
        $a12 = "/vmfs time excludeVm" ascii wide nocase
        $b1 = "esxcli --formatter=csv --formatparam=fields==\"WorldID,DisplayName\" vm process list" ascii wide
        $b2 = "sed -n '1!p'" ascii wide
        $b3 = "cut -d ',' -f1 | awk '{system(\"esxcli vm process kill -t=force -w=\"$1)}'" ascii wide
        $c1 = {
            76 6D 78 [0-20]
            76 6D 64 6B [0-20]
            76 73 77 70 [0-20]
            76 6D 73 64 [0-20]
            76 6D 73 6E [0-20]
            73 68 61 64 6F 77
        }
    condition:
        $c1 or 1 of ($b*) or 3 of ($a*)
}
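The YARA rules above match the payload on disk; the ESXi behaviour described earlier (enumerate VMs with esxcli, force-kill them, drop RECOVERY_DARKBIT.txt) can also be spotted in ESXi shell history. The following Python scanner is an added example written for this post, not code from the post or from the DarkBit tooling; the log line format, the sample lines and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the ESXi payload description and the darkbit_linux rule above.
# Hypothetical helper; the shell-log format it expects is an assumption.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\s+-t=force")
ENUM_CSV_RE = re.compile(
    r"esxcli\s+--formatter=csv\s+--formatparam=fields==\"?WorldID,DisplayName\"?\s+vm\s+process\s+list"
)
NOTE_RE = re.compile(r"RECOVERY_DARKBIT\.txt", re.IGNORECASE)
# VM file types listed in the payload (the $c1 hex pattern spells vmx/vmdk/vswp/vmsd/vmsn).
VM_EXT_RE = re.compile(r"\.(?:vmx|vmdk|vswp|vmsd|vmsn)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high" or "medium"
    reason: str


def scan_esxi_shell_log(lines):
    """Flag shell-log lines showing the DarkBit VM shutdown pipeline or its artefacts."""
    findings = []
    for n, line in enumerate(lines, 1):
        if KILL_RE.search(line):
            findings.append(Finding(n, "high", "forced VM kill via esxcli"))
        if ENUM_CSV_RE.search(line):
            findings.append(Finding(n, "medium", "VM enumeration in the csv form used by the payload"))
        if NOTE_RE.search(line):
            findings.append(Finding(n, "high", "DarkBit recovery note referenced"))
    return findings


def vm_files_touched(lines):
    """Count shell-log lines that reference the VM file types the payload targets."""
    return sum(1 for line in lines if VM_EXT_RE.search(line))


# Constructed sample lines (not a real capture); the first one reproduces the pipeline
# assembled from the $b1..$b3 strings of the darkbit_linux rule.
SAMPLE_LOG = [
    r"""[root]: esxcli --formatter=csv --formatparam=fields=="WorldID,DisplayName" vm process list | sed -n '1!p' | cut -d ',' -f1 | awk '{system("esxcli vm process kill -t=force -w="$1)}'""",
    "[root]: esxcli vm process list",
    "[root]: ls -la /vmfs/volumes/datastore1/web01/web01.vmdk",
    "[root]: cat /vmfs/volumes/datastore1/RECOVERY_DARKBIT.txt",
]

if __name__ == "__main__":
    for f in scan_esxi_shell_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
    print("VM file references:", vm_files_touched(SAMPLE_LOG))
```

A plain "esxcli vm process list" on its own is routine administration and is deliberately not flagged; only the csv form with the payload's field list and the force-kill are reported.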
