MuddyWater leak (ongoing)

2019, Apr 27    
Following the OilRig/APT32/MOIS leak I reported on here, a new Telegram channel emerged called “افشاگران سبز Green Leakers”.

The actor (which I assume is the same one behind the OilRig leak) claims to hold information on another Iranian cyber attack group, dubbed MuddyWater, which they claim is also part of MOIS.

Today, 27/4/2019, the actor released photos allegedly taken from compromised MuddyWater command and control servers.

I will keep updating this post as the investigation develops.

Update:

Looking at the leakers' accounts, I noticed some important information.
The logo and name behind the recent MuddyWater leaks suggest that the people behind them are related to Iranian opposition forces that are part of the Green Movement. It also gives a better understanding of why the previous name was "sealed lips". Of course, it could easily be a false flag as well.

List of possible victims (from the leaked photos)

Intrusion notifications for some of the allegedly breached organizations have been submitted.

KORGLU      213.154.0.73     Azerbaijan
KORGLU      213.154.0.69     Azerbaijan
KORGLU      213.154.0.90     Azerbaijan
KORGLU      213.154.0.100    Azerbaijan
MECUIT-EDU  82.178.21.160    Oman
MECUIT-EDU  82.178.21.158    Oman
MECUIT-EDU  82.178.21.222    Oman
Quantum     91.208.48.58     Lebanon
Quantum     91.208.48.55     Lebanon
Quantum     91.208.48.191    Lebanon
Quantum     91.208.48.29     Lebanon
ECONOMY     212.28.244.80    Lebanon
ECONOMY     212.28.244.132   Lebanon
ECONOMY     212.28.244.225   Lebanon
ECONOMY     212.28.244.76    Lebanon
INDS        93.185.92.69     Lebanon
INDS        93.185.92.69     Lebanon
EAMANA      78.93.58.210     Saudi Arabia
EAMANA      78.93.58.200     Saudi Arabia
EAMANA      78.93.58.160     Saudi Arabia
MCI         212.119.82.102   Saudi Arabia
MCI         212.119.82.22    Saudi Arabia
MCI         212.119.82.22    Saudi Arabia
MOH         78.93.237.99     Saudi Arabia
MOH         78.93.237.222    Saudi Arabia
MOH         78.93.237.222    Saudi Arabia
NVSVUC      185.19.135.99    Denmark
NVSVUC      185.19.135.77    Denmark
HARLI       194.90.202.70    Israel
HARLI       194.90.203.41    Israel
CJECSP      217.17.128.10    Netherlands
OHECSP      193.194.139.21   Switzerland
OHECSP      193.194.139.59   Switzerland
state.gov   67.160.47.246    United States
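As an added example (not code from the original post or from the leakers), the Python below turns the flattened victim list above into records, flags the entries that are listed twice, and lets a defender check whether any address in a block they own, or any address seen in their own firewall logs, appears in the leak. The log lines are constructed for the example using RFC 5737 test addresses; the `listed_in_network` and `match_log_lines` helpers and their names are mine.

```python
"""Added example, not from the original post: normalise the leaked victim list,
flag duplicate entries, and check owned address blocks and log lines against it."""
import ipaddress
import re
from collections import Counter

# The list as published above (organisation, IP, country), spacing and all.
LEAKED_LIST = """
KORGLU     213.154.0.73   Azerbaijan
KORGLU     213.154.0.69   Azerbaijan
KORGLU     213.154.0.90   Azerbaijan
KORGLU     213.154.0.100   Azerbaijan
MECUIT-EDU 82.178.21.160   Oman
MECUIT-EDU 82.178.21.158   Oman
MECUIT-EDU 82.178.21.222   Oman
Quantum 91.208.48.58   Lebanon
Quantum 91.208.48.55   Lebanon
Quantum 91.208.48.191   Lebanon
Quantum 91.208.48.29   Lebanon
ECONOMY     212.28.244.80   Lebanon
ECONOMY     212.28.244.132 Lebanon
ECONOMY     212.28.244.225 Lebanon
ECONOMY     212.28.244.76   Lebanon
INDS       93.185.92.69   Lebanon
INDS       93.185.92.69   Lebanon
EAMANA     78.93.58.210   Saudi Arabia
EAMANA     78.93.58.200   Saudi Arabia
EAMANA     78.93.58.160   Saudi Arabia
MCI         212.119.82.102 Saudi Arabia
MCI         212.119.82.22   Saudi Arabia
MCI         212.119.82.22   Saudi Arabia
MOH         78.93.237.99   Saudi Arabia
MOH         78.93.237.222   Saudi Arabia
MOH         78.93.237.222   Saudi Arabia
NVSVUC     185.19.135.99   Denmark
NVSVUC     185.19.135.77   Denmark
HARLI       194.90.202.70   Israel
HARLI       194.90.203.41   Israel
CJECSP     217.17.128.10   Netherlands
OHECSP     193.194.139.21 Switzerland
OHECSP     193.194.139.59 Switzerland
state.gov   67.160.47.246   United States
"""

# org, dotted-quad IP, then the rest of the line as a (possibly multi-word) country
LINE_RE = re.compile(r"^(\S+)\s+((?:\d{1,3}\.){3}\d{1,3})\s+(.+?)\s*$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_victims(text):
    """Return (org, ip, country) tuples, keeping duplicates exactly as published."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        org, ip, country = m.groups()
        try:
            ipaddress.ip_address(ip)  # reject e.g. 300.1.1.1 that the regex lets through
        except ValueError:
            continue
        records.append((org, ip, country))
    return records


def find_duplicates(records):
    """IPs listed more than once, sorted numerically (copy artefacts in the leak)."""
    counts = Counter(ip for _, ip, _ in records)
    return sorted((ip for ip, n in counts.items() if n > 1), key=ipaddress.ip_address)


def index_by_ip(records):
    """Map each unique IP to its (org, country)."""
    return {ip: (org, country) for org, ip, country in records}


def listed_in_network(records, cidr):
    """Unique listed IPs inside the given block, e.g. address space you operate."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = {ip for _, ip, _ in records if ipaddress.ip_address(ip) in net}
    return sorted(hits, key=ipaddress.ip_address)


def match_log_lines(log_lines, index):
    """Scan free-form log lines for any listed IP; (ip, org, country) in order seen."""
    hits = []
    for line in log_lines:
        for ip in IPV4_RE.findall(line):
            if ip in index:
                hits.append((ip, *index[ip]))
    return hits


# Constructed sample firewall lines (not real traffic), RFC 5737 addresses as locals.
SAMPLE_LOG = [
    "2019-04-28T08:12:03Z fw=edge1 action=allow src=192.0.2.10 dst=185.19.135.99 dport=443",
    "2019-04-28T08:12:09Z fw=edge1 action=allow src=192.0.2.11 dst=198.51.100.7 dport=80",
    "2019-04-28T08:13:44Z fw=edge1 action=deny src=78.93.58.210 dst=192.0.2.20 dport=22",
]
```

Running `find_duplicates(parse_victims(LEAKED_LIST))` shows the three addresses that appear twice in the leaked photos (INDS, MCI and MOH entries), and `match_log_lines(SAMPLE_LOG, index_by_ip(...))` returns the two constructed lines that touch a listed address; swap in your own exported firewall or proxy lines to run the same check for real.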

Update, 7th of May:

Thanks to @InfoSecAndBeyond for the tip.

In a new Telegram channel (which might be fake), the alleged "lips" leaker group has put MuddyWater C2 access up for sale, sharing two onion links and a few screenshots. Noticeably, the new Telegram channel contains no Farsi at all, unlike the previous ones.

Links:

hxxp://yrfpbzadk6gsb5hudpffn4l44j4jxygiojr2a5cs5jfuzaknggja5zid[.]onion/

hxxp://4vq5rislrtskdth2nlxp3agidmqn474p3thztsvgimr2tbbeqr33p2yd[.]onion/

Update, 6/24:

A new leak of source code related to MuddyWater was released, along with the exposure of details of another operator, "Nima Nikjoo".
The leakers are basing their findings on TrendMicro research: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf
(Screenshots from the leak channel: photo_2019-06-24_16-27-03-1, Annotation-2019-06-24-184435)

The source code is provided as usual:
https://s3-eu-west-1.amazonaws.com/malware-research.org/blogposts/apt34Leak/muddyc3_2.zip
Pass: VpOUr6H48tG7rhMdJxg!Ad0FUF