EXECUTIVE SUMMARY
A cyber espionage operation has been linked to the Iranian Ministry of Intelligence and Security (MOIS) group, MuddyWater. This campaign, dubbed "ChainShell", targets the defence, aerospace, energy, and government sectors, particularly in Israel, Turkey, Saudi Arabia, and the West. The attackers aim to steal sensitive data and disrupt operations, utilising a commercially developed malware-as-a-service (MaaS) platform, TAG-150 CastleRAT, to achieve their goals.
MuddyWater operates by deploying a PowerShell script, `reset.ps1`, which installs Node.js and deploys the ChainShell malware, a Node.js-based agent that resolves its C2 address from an Ethereum smart contract, querying any of 10 RPC providers. The agent communicates over a WebSocket, with all traffic AES-256-CBC encrypted. ChainShell is a thin execution shell: the server sends JavaScript, the agent executes it via `new Function()`, and the results are returned through `serverSend()`.
All capabilities are pushed server-side, with the agent itself having no built-in stealer, keylogger, or shell. The adoption of a Russian criminal MaaS by an Iranian state actor has significant implications for defenders. Organisations targeted by MuddyWater now face threats that combine state-level targeting with commercially developed offensive tools. The Russian origin of the tooling means that initial triage may misattribute intrusions to Russian cybercrime rather than state espionage, prompting a different response. MuddyWater's use of commercially developed MaaS platforms allows them to quickly access capabilities that would otherwise take time to set up and develop in-house.
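As an added example (not code from the report, from ChainShell, or from the vendors cited below), the following static triage scorer flags a Node.js source file in which the agent traits described above co-occur: dynamic code execution via `new Function()`, a WebSocket client, AES-256-CBC, an Ethereum JSON-RPC contract read, and a fallback list of several endpoints. Trait names, weights and thresholds are my own assumptions, and the assumption that a contract read goes through `eth_call` or `eth_getStorageAt` is mine, not the report's.

```javascript
// Added example, not code from the report or from ChainShell itself: scores a
// Node.js source file on how many of the described agent traits co-occur.
// Trait names, weights and thresholds are assumptions; nothing here is an IoC.

// Any single trait is common in benign code; the signal is several of them
// sitting together in one small script.
const TRAITS = [
  { name: "dynamic code execution (new Function)", re: /new\s+Function\s*\(/, weight: 3 },
  { name: "WebSocket client", re: /\bWebSocket\s*\(/, weight: 2 },
  { name: "AES-256-CBC cipher", re: /aes-256-cbc/i, weight: 2 },
  // Assumed: reading a contract over JSON-RPC uses eth_call or eth_getStorageAt.
  { name: "Ethereum JSON-RPC contract read", re: /\beth_(call|getStorageAt)\b/, weight: 3 },
];

// Distinct HTTP(S) hosts in the file; a long list suggests an RPC fallback set.
function countDistinctHosts(source) {
  const urls = source.match(/https?:\/\/[^\s"'`]+/g) || [];
  const hosts = new Set();
  for (const u of urls) {
    try { hosts.add(new URL(u).host.toLowerCase()); } catch (_) { /* not a URL */ }
  }
  return hosts.size;
}

function scoreScript(source) {
  const hits = [];
  let score = 0;
  for (const t of TRAITS) {
    if (t.re.test(source)) { hits.push(t.name); score += t.weight; }
  }
  const hosts = countDistinctHosts(source);
  if (hosts >= 3) { hits.push(`endpoint fallback list (${hosts} hosts)`); score += 2; }
  return { score, hits };
}

// Thresholds are arbitrary; tune them against your own benign Node.js corpus.
function verdict(score) {
  if (score >= 8) return "high";    // several traits co-occur: pull the file for analysis
  if (score >= 4) return "medium";
  return "low";
}

// Constructed sample fragment carrying every trait (inert strings, nothing runs).
const SAMPLE = `
const rpc = ["https://rpc.one.example", "https://rpc.two.example", "https://rpc.three.example"];
const req = JSON.stringify({ jsonrpc: "2.0", method: "eth_call", params: [] });
const ws = new WebSocket("wss://relay.example");
const dec = crypto.createDecipheriv("aes-256-cbc", key, iv);
new Function(code)();
`;
console.log(verdict(scoreScript(SAMPLE).score), scoreScript(SAMPLE).hits);
```

To triage a real file, pass `require("fs").readFileSync(path, "utf8")` to `scoreScript` and treat "high" as a cue for manual analysis rather than a conviction.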
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Credential Access | T1555.004 | Credentials from Password Stores | Credentials from Web Browsers |
| Defense Evasion | T1564.003 | Hide Artifacts | Hidden Window |
| Command and Control | T1102.003 | Web Service | Dead Drop Resolver |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
REFERENCES:
The reports contain further technical details:
https://cybersecuritynews.com/muddywater-turns-to-russian-malware-as-a-service/
https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/