# MuddyWater Back with DarkBit **[labs.k7computing.com/index.php/muddywater-back-with-darkbit/](https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/)** By Sudeep April 21, 2023 Recently, we came across a [tweet about DarkBit ransomware. An Iranian APT group,](https://twitter.com/h2jazi/status/1638923200527474691) named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload. ## Initial Access Method The initial lure was delivered as an ISO file. Figure 1 – ISOFile The payload included a shortcut file (with a .doc extension) and a zip file. ----- Figure 2 – Contents Inside ISO File The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown [below. PrintBrm.exe is a windows inbuilt command line tool.](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj134237(v=ws.11)) Figure 3 – Shortcut File ``` cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HRUpdate.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe ``` Figure 4 – HR-Update.exe Running HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ransomware payload is downloaded with the help of Cobalt Strike. ----- At the time of writing the blog, we were unable to get the exact DarkBit ransomware payload. So we are using another available sample that belonged to the same campaign. ## Analysis of Ransomware This DarkBit ransomware sample is written in GoLang. It contains command line arguments. Figure 5 – Ransomware Features It also contains an inbuilt configuration file as shown in Figure 6. ----- Figure 6 – InBuilt Config Further analysis revealed that they had obfuscated some dll names like advapi32.dll and functions like SystemFunction036. Figure 7- Obfuscation Its dynamically resolving API at this address. Malware authors tend to dynamically resolve API to avoid static detections. ----- Figure 8 – Dynamically Resolving API CreateMutexW API is being used to check if an instance of the malware is already running. As can be seen in Figure 5 previously, they are also using multithreading. As the customary prelude to file encryption, they are using vssadmin.exe to delete all the shadow copies. Figure 9 – Delete Shadow all [Here they are using SystemFunction036 (documented in MSDN as RtlGenRandom) to](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom) generate a random key as shown in Figure 10. ----- Figure 10 – SystemFunction036 SystemFunction036 is accessed multiple times in the code with varying buffer sizes passed to it. Figure 11 – Call To Dynamically Resolve API and Then SystemFunction036 Here we can see that the buffer size of 80 is made available for SystemFunction036. ----- Figure 12 – Encrypting Key Later-on, the key used for encrypting the files is itself encrypted and attached to the encrypted files. Figure 13 – EncryptionAlgorithm From Figure 13, we can see that It’s encrypting. It is likely using AES to encrypt the files, as strings related to the same functions can be found elsewhere in this same sample. FindFirstFileW, FindNextFileW are used to iterate through the file system, to find the appropriate file and then encrypt it. At that point it was observed that its writing file in chunks and not as a whole. For doing the same it’s using SetFilePointerEx API to move the file pointer to a specific address. ----- Figure 14 – SetFilePointerEx It’s then using the WriteFile API. Figure 15 – WriteFile All these functions are called one after another, till all the files are encrypted. After encrypting the file, the key is stored at the end of the file. ----- Figure 16 – Ransomware key The encrypted files are given ‘.darkbit’ extension and also a ransom note is dropped in the respective folders. Figure 17 – Ransomware Note ----- Figure 18 – Tweet on DarkBit MuddyWaters uses different types of attacks for initial access like phishing email campaigns, using tools like MimiKatz to break into the system, etc. In this case, MuddyWaters made use of Cobalt Strike to get initial access into the system. From the ransomware note, we figured out that it was a politically motivated attack. We at K7 Labs provide detection for DarkBit ransomware and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-todate to safeguard their devices. ## Indicators of Compromise (IOCs) **File Name** **Hash** **Detection Name** DarkBit.exe 9880FAE6551D1E9EE921F39751A6F3C0 Trojan (0058e3dd1) hr-update.iso 1219A8880DEBDD10D081195E27A2A016 Trojan (0001140e1) ### References [https://attack.mitre.org/groups/G0069/](https://attack.mitre.org/groups/G0069/) -----