[Customer Stories](https://www.fireeye.com/customers.html) [Blogs](https://www.fireeye.com/blog.html)  


# THE MUTTER BACKDOOR: OPERATION BEEBUS WITH NEW TARGETS

[April 17, 2013 | by James T. Bennett | Threat Research, Advanced Malware, Targeted Attack](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-james-t-bennett)

FireEye Labs has observed a series of related attacks against a dozen organizations in the aerospace, defense, and
telecommunications industries as well as government agencies located in the United States and India which have
been occurring at least as early as December of 2011. In at least one case, a decoy document included in the attack
contained content that focused on Pakistan military advancements in unmanned vehicle, or “drone” technology.

Technically, these attacks exploited previously discovered vulnerabilities via document files delivered by email in
order to plant a previously unknown backdoor onto victim systems. The malware used in these attacks employs a
number of interesting techniques to “hide in plain sight” and to evade dynamic malware analysis systems. Similar to,
though not based on the attacks we saw in South Korea, the malware tries to stay inactive as long as possible to
evade dynamic analysis detection methods.

[We have linked these attacks back to Operation Beebus through the C&C infrastructure along with the similar targets](https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.html)
and timeline observed. Although some of the targets of these attacks overlapped with Beebus targets, there were
many new targets discovered including some in India. As we uncover more targets related to these attacks, we are
seeing a common link between them: unmanned vehicles, also known as “drones”. The set of targets cover all
aspects of unmanned vehicles, land, air, and sea, from research to design to manufacturing of the vehicles and their
various subsystems. Other related malware have been discovered through the same C&C infrastructure that have a
similar set of targets, that when included bring the total number of targets to more than 20 as of this writing. These
targets include some in academia which have received military funding for their research projects relating to
unmanned vehicles.

## INFILTRATION

All of the attacks we have observed occurred through document exploits attacking known vulnerabilities. We have
seen RTF and XLS files used for delivery. Searching the internet for the author and document names yields
information regarding South Asia politics. Although all of the document exploits we have analyzed drop a decoy
document, most of them are either empty or filled with unreadable data with two exceptions.


-----

One is an article about Pakistan’s indigenous UAV industry which is attributed to author Aditi Malhotra, an Indian
writer and Associate Fellow at the Centre for Land Warfare Studies (CLAWS) in New Delhi. Although we are not sure
this particular work is actually hers, we did find a reference to a similarly named article “Pakistan’s UAV programme:
Ambitious, with some friendly help.” Unfortunately, this document was not available. Other works of hers on a similar
note include “India’s Silence on Chinese Incursions” and “China and Pakistan: Dangerous Liaisons.”

The other decoy document is contact info for an American with a military provided email address from Joint Base
Andrews in Maryland, but with a physical address in Pakistan titled “Family Planning Association of Base (FPAB).” It
looks like they took the “Family Planning Association of Bangladesh” and combined it with “Joint Base Andrews.” The
title of the email field is “FPAP Email”, “FPAP” could stand for “Family Planning Association of Pakistan.” Ultimately,
we could make no sense from this information.

## THE MUTTER BACKDOOR

Two different versions of the same backdoor were used in all of these attacks. In every case we have found, the
main component is a DLL dropped by an executable compiled minutes after the DLL. The dropper shares the same
decoding functions as the DLL and performs some modifications on the DLL that will be described later. There was
one unique case we found where the initial dropper was a self­extracting archive that utilizes Visual Basic and batch
scripts to download and install the DLL instead of extracting it from a resource.

Mutter is HTTP proxy aware, and attempts to determine if a proxy is required and what the proxy details are if


-----

“i”, which is set to an encoded representation of a string that follows this format:

<Mutter version#>­<campaign marker?>­<victim hostname>­<victim IP address>

We are not certain about the second part of this string, it may be either a campaign marker or an extension of the
version number. In all our cases, it is set to either “SN0” or “SN1." Actual strings are shared in the appendix
information at the end of this blog.

This HTTP request pictured in the screenshot is from the older version of Mutter. The newer versions of Mutter have
a very similar HTTP request, but with the Host and Connection headers swapped.

The response string is decoded and parsed for the following commands:

“m”: executes a shell command

“u”: uploads a file to the victim (downloads a file from the victim’s perspective)

“d”: downloads a file to the attacker (uploads a file from the victim’s perspective)

“R”: removes the auto­run registry value

These commands are referenced in the code in this order, and when said aloud it sounds like “mutter”, hence the
name chosen for the malware. In the earlier version of this backdoor, the “d” command was referenced, but the code
had not been implemented yet. In both versions, another command string “f” appears along with the others, but is not
referenced in the code. This perhaps indicates a future feature to be added.

This malware employs several interesting evasion techniques. For starters, it employs several “hide in plain sight”
techniques common to malware used in targeted attacks. It specifies fake properties, pretending to be Google or
Microsoft.


-----

This brings us to the next “hide in plain sight” tactic we noticed. Observe the size of the file above. It’s a whopping 41
megabytes. With rare exception, malware typically have a small size usually no larger than a few hundred kilobytes.
When an investigator comes across a file megabytes in size, he may be discouraged from taking a closer look.
Interestingly, the original size of this particular DLL is around 160 kilobytes, although the PE headers already indicate
its future size as shown below. The dropper will decode this DLL from its resource section, drop it onto the victim’s
system, and proceed to fill its resource section with randomly generated data. This has another useful side effect of
giving each DLL a unique hash, making it more difficult to identify.


-----

In addition to these hiding techniques, this malware also appears to employ techniques to possibly evade dynamic
malware analysis systems. This has been an ongoing trend in malware development that we and others have
observed several times in past. The malware author will add code to delay the execution of the important
functionality for some period of time with the idea being that if the malware stalls for long enough, the dynamic
malware analysis system will give up on it and pass it off as benign. This malware has two routines that we could find
no other purpose than for such an evasion.

One routine is a function that simply runs a series of loops, incrementing a local variable over and over, thousands of
times. It ultimately disregards the final value of this variable, meaning that the function serves no purpose. This
function is called many times throughout the rest of the code. It may have been implemented for the purpose of
wasting time.

Another routine seems to have a similar goal, but with a different approach. This time, a loop is implemented with a
call to sleep for a short time. This loop occurs many times, and each time it will also allocate a chunk of memory on
the heap, performing math operations on it and printing it to the console over and over again. Keep in mind that this
memory is not initialized to any value and is not used for anything later in the code, it is essentially junk memory. This
seems to be another means of wasting time.

We detect this malware as Backdoor.APT.NS01.


-----

Most of the domains registered for C&C use in this campaign were done so through the free dynamic DNS Provider
ChangeIP.com. Dynamic DNS is a popular option for domain registration since it is free and provides a convenient
level of anonymity. Looking at passive DNS records for other domains pointing to the IP addresses used to host the
C&C services turned up many other related domains. Various subdomains of the domain winsupdate.com have
pointed to several IPs pointed to by the Mutter domains. This is interesting because this is the name of the folder
created by Mutter on victims’ systems. Furthermore, this domain is not a publicly available dynamic DNS provider
and the email address used to register this domain is binalakshminp@yahoo.com. We cannot be certain, but
this name could be in reference to Binalakshmi Nepram, a writer­activist born in Manipur India who is fighting for
disarmament. This fits the theme we have observed from other clues left behind in decoy documents. Another
domain that is indirectly linked is agfire.com with this interesting registration information.

Agni is the Hindu god of fire. Notice the combination of India and China references here. The email address used to
register this domain was also referenced in a Chinese developer forum, but nothing else interesting was discovered
about it.

The IP addresses hosting the C&C services are scattered all over the world and are believed to be compromised
hosts.

## ATTACKERS, TARGETS, AND TIMELINE


-----

Operation Beebus. This link was made through finding several overlapping IP addresses used by Mutter and Beebus
such as the following.

The theme of these attacks appears to be South Asia politics. The hints scattered throughout the documents and
domain registrant information were laid on pretty thick which is something be wary of. The only legible, sensible
decoy document observed so far is revealing of the interests of at least one of the targets of this campaign: namely
the military threat of Pakistan against India and its growing relationships with other countries including China. The
particular topic of this decoy document also appears to be a common link between most of the targets we have seen:
unmanned vehicles.

The timeline below outlines the events specific to Mutter that we had visibility into. This campaign is still ongoing with
Mutter callbacks being made to this day.


-----

## APPENDIX

### Documents


**Exploit Document MD5:** b5f4a9aac67b53762ed98fafd067c803


**Exploit:** CVE­2012­0158


**Exploit Document Filename:** NA


**Decoy Document Title:** Pakistan’s Indigenous UAV industry


**Decoy Document Author:** GOPAL GURUNG


**Decoy Document Last Modified:** Aug 2nd 2010


**First Seen:** Aug 27th 2012


**Exploit Document MD5:** 92643bfa4121f1960c43c78a3d53568b


**Exploit:** CVE­2008­3005


**Exploit Document Filename:** 2012_3_12.xls


**Decoy Document Title:** NA


-----

**Decoy Document Last Modified:** Jan 26th 2003


**First Seen:** Mar 22nd 2012


**Exploit Document MD5:** 4d5a235048e94579aab0062057296186


**Exploit:** CVE­2010­3333


**Exploit Document Filename:** Change of Address.doc


**Decoy Document Title:** Tele: 2619 4428


**Decoy Document Author:** kdly


**Decoy Document Last Modified:** Dec 6th 2011


**First Seen:** Dec 7th 2011


**Exploit Document MD5:** 589f10e2efdd98bfbdc34f247b6a347f


**Exploit:** CVE­2010­3333


**Exploit Document Filename:** Urgent message.doc


**Decoy Document Title:** NA


**Decoy Document Author:** Administrator


**Decoy Document Last Modified:** Feb 2nd 2003


**First Seen:** Mar 2nd 2012


**Exploit Document MD5:** fd9777c90abb4b758b4aff29cfd68b98


**Exploit:** CVE­2012­0158


**Exploit Document Filename:** NA


**Decoy Document Title:** Tariq Masud


**Decoy Document Author:** Haroon­ur­Rashid/Administrator


**Decoy Document Last Modified:** Sept 11 2012


**First Seen:**


### Malware


**Dropper Filename:** update.exe


**Dropper MD5:** 725fc0d7a8e7b9e01a83111619744b6f


**DLL Filename:** msdsp.dll


**Mutex:** 654234576804d


-----

**Compile Time:** Aug 28th 2012


**Dropper Filename:** igfxtray.exe


**Dropper MD5:** 681a014e9d221c1003c54a2a9a1d9df8


**DLL Filename:** winsups.dll


**Mutex:** mqe45tex13fw14op0


**C&C Host:** http.4pu.com:80


**Decoded 'i' Value:** V0.7­SN0­<hostname>h;­<IP address>


**Compile Time:** Aug 28th 2012


**Dropper Filename:** NA


**Dropper MD5:** 6aac76fc8309e29ea8a7afea48ae9b29


**DLL Filename:** msdsp.dll


**Mutex:** 654234576804d


**C&C Host:** oracledata.ns01.us:80


**Decoded 'i' Value:** V0.9.6X­SN1­<hostname>­<IP address>


**Compile Time:** Aug 12th 2012


**Dropper Filename:** ctfmon.exe


**Dropper MD5:** d5640ae049779bbb068eff08616adb95


**DLL Filename:** winsups.dll


**Mutex:** mqe45tex13fw14op0


**C&C Host:** mydns.dns2.us:443


**Decoded 'i' Value:** V0.7­SN0­<hostname>­<IP address>


**Compile Time:** Aug 2nd 2010


**Dropper Filename:** igfxtray.exe


**Dropper MD5:** 681a014e9d221c1003c54a2a9a1d9df8


**DLL Filename:** winsups.dll


**Mutex:** mqe45tex13fw14op0


**C&C Host:** http.4pu.com:80


**Decoded 'i' Value:** V0.7­SN0­<hostname>­<IP address>


**Compile Time:** Aug 2nd 2010


**Dropper Filename:** igfxpers exe


-----

**DLL Filename:** msdsp.dll


**Mutex:** NA


**C&C Host:** NA


**Decoded 'i' Value:** NA


**Compile Time:**


Thanks to Darien Kindlund for his assistance in research.

[This entry was posted on Wed Apr 17 15:49:57 EDT 2013 and filed under Advanced Malware, Blog, James T.](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-threat-research/threat-research/malware-research)
[Bennett, Targeted Attack and Threat Research.](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-threat-research/threat-research/targeted-attack)

## SIGN UP FOR 
 EMAIL UPDATES

First Name Last Name

Email Address

**Executive Perspective Blog**

**Threat Research Blog**

**Products and Services Blog**

Subscribe

[Products](https://www.fireeye.com/products.html)

[Solutions](https://www.fireeye.com/solutions.html)

[Mandiant Consulting](https://www.fireeye.com/services.html)

[Current Threats](https://www.fireeye.com/current-threats.html)

[Partners](https://www.fireeye.com/partners.html)

[Support](https://www.fireeye.com/support.html)


-----

[Careers](https://www.fireeye.com/company/jobs.html)

[Press Releases](https://www.fireeye.com/company/press-releases.html)

[Webinars](https://www.fireeye.com/company/webinars.html)

[Events](https://www.fireeye.com/company/events.html)

[Investor Relations](http://investors.fireeye.com/)

[Incident?](https://www.fireeye.com/company/incident-response.html)

[Contact Us](https://www.fireeye.com/company/contact-us.html)

[Communication Preferences](https://www2.fireeye.com/manage-your-preferences.html)

[Report Security Issue](https://www.fireeye.com/company/security.html)

[Supplier Documents](https://www.fireeye.com/company/supplier.html)

[Legal Documentation](https://www.fireeye.com/company/legal.html)


##       


[LinkedIn](https://www.linkedin.com/company/fireeye)

[Twitter](https://twitter.com/fireeye)

[Facebook](https://www.facebook.com/FireEye)

[Google+](https://plus.google.com/+Fireeye/posts)

[YouTube](https://www.youtube.com/user/FireEyeInc)

[Podcast](https://itunes.apple.com/us/podcast/eye-on-security/id1073779629?mt=2)

[Glassdoor](http://www.glassdoor.com/Overview/Working-at-FireEye-EI_IE235161.11,18.htm)


**Contact Us:**
877­FIREEYE (877­347­3393)

Copyright © 2016 FireEye, Inc. All rights reserved.

[Privacy & Cookies Policy | Safe Harbor](https://www.fireeye.com/company/privacy.html)


-----