
Boggy Serpens Threat Assessment

Boggy Serpens (MuddyWater) is conducting ongoing cyberespionage campaigns targeting critical infrastructure and diplomatic entities globally. The group leverages hijacked accounts for trusted relationship compromises, delivering advanced, AI-assisted malware toolkits including Rust-based backdoors and custom C2 protocols to maintain long-term persistence and evade detection.

Sens: 24h | Conf: high | Analyzed: 2026-03-17

Authors: Unit 42

Actors: Boggy Serpens, MuddyWater, Evasive Serpens, Lyceum, OilRig

Source: Palo Alto Networks

IOCs · 4

Key Takeaways

  • Boggy Serpens (MuddyWater) targets critical infrastructure and diplomatic entities using trusted relationship compromises via hijacked accounts.
  • The group employs a diverse, evolving toolset including Rust-based backdoors (BlackBeard, LampoRAT) and custom HTTP/UDP backdoors (Nuso, UDPGangster).
  • Indicators such as emoji usage in command dispatchers suggest the threat actor is leveraging generative AI to accelerate malware development.
  • Attackers utilize a custom Python-based web orchestration platform for automated mass email delivery.
  • Evasion techniques include VBA macro brute-force stalling, drop-rename execution workflows, and process hollowing.

Affected Systems

  • Windows
  • Microsoft Office (Word, Excel)

Attack Chain

The attack begins with spear-phishing emails sent from hijacked internal accounts, delivering blurred Microsoft Office documents that require users to enable macros. Once enabled, VBA macros execute a drop-rename workflow or use process hollowing to deploy intermediate loaders. These loaders decrypt and execute final payloads such as the Rust-based BlackBeard backdoor, LampoRAT, or UDPGangster. The malware establishes persistence via custom file associations or startup folders and communicates with C2 servers using Telegram APIs, UDP traffic, or HTTP status codes.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cortex XDR, XSIAM

Palo Alto Networks provides detection coverage through Cortex XDR and XSIAM Behavioral Threat Protection, which identifies malicious macro activity, drop-and-execute workflows, and process injection.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can detect the drop-rename execution pattern, process hollowing (RunPE), and abnormal macro behaviors like spawning command shells or executing WMI calls.
  • Network Visibility: Medium — C2 traffic blends with legitimate Telegram API traffic or uses standard HTTP status codes, making network detection challenging without deep packet inspection, though custom HTTP headers (e.g., X-Computer-Name) provide reliable signatures.
  • Detection Difficulty: Moderate — While initial access uses trusted accounts to bypass email filters, the endpoint behaviors (macros dropping executables, process hollowing, custom registry extensions) are well-known and detectable by modern EDRs.

Required Log Sources

  • Process Creation (Event ID 4688)
  • File Creation (Event ID 11)
  • Registry Value Set (Event ID 13)
  • Network Connection (Event ID 3)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for Microsoft Office applications dropping files with .txt or .log extensions that are immediately renamed to .exe. | File Creation, File Rename | Execution | Low
Search for HTTP traffic containing custom headers like X-Computer-Name, X-Username, or X-Antivirus-Name. | Network Traffic, Proxy Logs | Command and Control | Low
Identify the creation of unusual file extension associations in the registry, specifically targeting the .wdlp extension. | Registry Modifications | Persistence | Low
Monitor for cmd.exe executions with the specific argument string 'cmd.exe /e:ON /v:OFF /d /c'. | Process Creation | Execution | Medium
Detect process hollowing by looking for processes launched in a suspended state followed by memory modification and thread resumption. | API Calls, Process Creation | Defense Evasion | Medium
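The four hypotheses that can be expressed over ordinary endpoint and proxy telemetry (drop-rename, custom C2 headers, the .wdlp file class, and the cmd.exe switch string) are implemented below as hunting logic run over constructed sample events. This is an added example, not code from Unit 42 or from any Cortex product. The event shape (kind, ts, image, path, new_path, cmdline, host, headers, key) is this example's own normalised form, not the schema of Sysmon or Cortex XDR; the file names, header names and registry class are the ones the assessment lists, while the timestamps, hosts and user names are constructed.

```python
import re

# Constructed sample telemetry, one dict per event, in a normalised shape this
# example assumes (kind, ts, image, path, new_path, cmdline, host, headers, key).
# It is not the schema of Sysmon, Cortex XDR or the report; the file names,
# header names and registry class are the ones the assessment lists.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"kind": "FileCreate", "ts": 100, "image": WINWORD,
     "path": r"C:\Users\Public\Documents\novaservice.txt"},
    {"kind": "FileRename", "ts": 102, "image": WINWORD,
     "path": r"C:\Users\Public\Documents\novaservice.txt",
     "new_path": r"C:\Users\Public\Documents\novaservice.exe"},
    {"kind": "ProcessCreate", "ts": 103, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /e:ON /v:OFF /d /c ipconfig /all"},
    {"kind": "HttpRequest", "ts": 110, "host": "c2.example.invalid",   # constructed host
     "headers": {"User-Agent": "Mozilla/5.0", "X-Computer-Name": "WS01",
                 "X-Username": "alice"}},
    {"kind": "RegistryValueSet", "ts": 120,
     "key": r"HKCU\Software\Classes\.wdlp\(Default)"},
    # Benign noise: a .txt Word never renames, an ordinary cmd.exe /c, and a
    # plain web request without custom headers. None of these should fire.
    {"kind": "FileCreate", "ts": 150, "image": WINWORD,
     "path": r"C:\Users\alice\Documents\notes.txt"},
    {"kind": "ProcessCreate", "ts": 151, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo build ok"},
    {"kind": "HttpRequest", "ts": 152, "host": "updates.example.invalid",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
STAGED_EXTENSIONS = (".txt", ".log")
CUSTOM_C2_HEADERS = {"x-computer-name", "x-username", "x-antivirus-name"}
CMD_DISPATCHER = re.compile(r"\bcmd\.exe\s+/e:ON\s+/v:OFF\s+/d\s+/c\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def drop_rename_hits(events, window=60):
    """An Office process writes a .txt/.log file that is renamed to .exe within
    `window` seconds. Returns (office image, staged path, final path) tuples.
    The rename is matched on path only, so it still fires if a child process
    performs the rename rather than the Office binary itself."""
    staged = {}  # lower-cased path -> FileCreate event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["kind"] == "FileCreate"
                and _basename(ev["image"]) in OFFICE_IMAGES
                and ev["path"].lower().endswith(STAGED_EXTENSIONS)):
            staged[ev["path"].lower()] = ev
        elif ev["kind"] == "FileRename" and ev["new_path"].lower().endswith(".exe"):
            src = staged.get(ev["path"].lower())
            if src is not None and 0 <= ev["ts"] - src["ts"] <= window:
                hits.append((_basename(src["image"]), ev["path"], ev["new_path"]))
    return hits


def custom_header_hits(events):
    """HTTP requests carrying any of the custom headers the report attributes
    to the C2 channel. Returns (host, sorted matched header names) tuples."""
    hits = []
    for ev in events:
        if ev["kind"] != "HttpRequest":
            continue
        matched = sorted(h for h in ev["headers"] if h.lower() in CUSTOM_C2_HEADERS)
        if matched:
            hits.append((ev["host"], matched))
    return hits


def cmd_dispatcher_hits(events):
    """Process creations whose command line contains the exact cmd.exe switch
    string the report lists. Medium FP risk: pivot on the parent process."""
    return [ev["cmdline"] for ev in events
            if ev["kind"] == "ProcessCreate" and CMD_DISPATCHER.search(ev["cmdline"])]


def wdlp_registry_hits(events):
    """Registry writes that register the .wdlp file class used for persistence."""
    return [ev["key"] for ev in events
            if ev["kind"] == "RegistryValueSet" and r"\classes\.wdlp" in ev["key"].lower()]


def run_hunts(events):
    """Run all four hunts and return a dict of hypothesis name -> hit count."""
    return {
        "office_drop_rename": len(drop_rename_hits(events)),
        "custom_c2_headers": len(custom_header_hits(events)),
        "cmd_dispatcher": len(cmd_dispatcher_hits(events)),
        "wdlp_file_class": len(wdlp_registry_hits(events)),
    }


if __name__ == "__main__":
    for name, count in run_hunts(SAMPLE_EVENTS).items():
        print(f"{name}: {count} hit(s)")
```

The drop-rename hunt is the one worth tuning first: it keys on the staged path rather than on the renaming process, which catches the case where a macro-spawned child does the rename, and the 60-second window is a starting value to adjust against your own Office file-write baseline. The process hollowing hypothesis is left out because it needs API-level telemetry (suspended process creation, memory writes, thread resume) that does not reduce to a log-line match.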

Control Gaps

  • Reputation-based email filtering (bypassed via hijacked accounts)
  • Basic AV (bypassed via process hollowing and memory-safe languages)

Key Behavioral Indicators

  • Office applications dropping and renaming files
  • Process hollowing into legitimate processes
  • Custom HTTP headers in outbound traffic
  • Creation of .wdlp registry keys

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known C2 IP addresses and domains at the perimeter.
  • Search endpoint telemetry for the presence of 'novaservice.exe', 'WebDeepPlayer.scr', or files with the '.wdlp' extension.

Infrastructure Hardening

  • Implement strict macro execution policies, such as blocking macros originating from the internet.
  • Enforce sender identity checks and monitor for anomalous internal email forwarding or mass mailing.

User Protection

  • Deploy EDR solutions with behavioral monitoring to catch process injection and drop-rename workflows.
  • Ensure endpoint protection blocks Office applications from creating executable files.

Security Awareness

  • Train users to be skeptical of 'Enable Content' prompts, even from known internal or trusted external contacts.
  • Educate employees on the risks of blurred document lures and unexpected file attachments.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1055.012 - Process Injection: Process Hollowing
  • T1036.003 - Masquerading: Rename System Utilities
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1095 - Non-Application Layer Protocol
  • T1082 - System Information Discovery

Additional IOCs

  • IPs:
    • 64[.]7[.]198[.]12 - Phoenix C2 IP address.
    • 46[.]101[.]36[.]39 - BlackBeard C2 IP address.
    • 159[.]198[.]68[.]25 - BlackBeard C2 IP address.
    • 159[.]198[.]66[.]153 - BlackBeard C2 IP address.
  • Domains:
    • bootcamptg[.]org - C2 infrastructure domain.
    • codefusiontech[.]org - C2 infrastructure domain.
    • maxisteq[.]org - C2 infrastructure domain.
    • miniquest[.]org - C2 infrastructure domain.
    • Netivtech[.]org - C2 infrastructure domain.
    • nomercys[.]it[.]com - C2 infrastructure domain.
    • promoverse[.]org - C2 infrastructure domain.
    • reminders[.]trahum[.]org - C2 infrastructure domain.
    • screenai[.]online - C2 infrastructure domain.
  • File Hashes:
    • c3afd5ce1ca50a38438bb5026cca27bfbf2d8e786e03f323adceb8ad17517eca (SHA256) - Phishing document lure.
    • 52d8fb9a11920f27b9a3b43f27c275767a57cdffc95af94b7b66433506287314 (SHA256) - Phishing document lure.
    • b2c52fde1301a3624a9ceb995f2de4112d57fcbc6a4695799aec15af4fa0a122 (SHA256) - Phishing document lure (Online Seminar.FM.gov.om.doc).
    • 1c16b271c0c4e277eb3d1a7795d4746ce80152f04827a4f3c5798aaf4d51f6a1 (SHA256) - Phishing document lure.
    • 4db3645f678fb519b9f529dde41f77944754f574f16a9a845c22d3703da5bed0 (SHA256) - Phishing document lure.
    • 2c92c7bf2d6574f9240032ec6adee738edddc2ba8d3207eb102eddf4ab963db0 (SHA256) - Phishing document lure.
    • 23f3a98befdff13c802eed32eea754018b8b525ec0dd3afce8459a0287df74ec (SHA256) - Phishing document lure.
    • 69e038b9f3a228f09059bc1ce92b1c5c49396bb70987a38df0fdb39eed380b22 (SHA256) - Phishing document lure.
    • 84e665a0dfbff74b4c356bfa282c7c253ae3411a8f4d58bfe121c8411c52552c (SHA256) - Phishing document lure.
    • 6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d (SHA256) - Phishing document lure.
    • 7ea4b307e84c8b32c0220eca13155a4cf66617241f96b8af26ce2db8115e3d53 (SHA256) - Phishing document lure.
    • f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f (SHA256) - Phishing document lure (Cybersecurity.doc).
    • 0ce54a5a6f061b158e3891aadd03773d0bae220b0316e84fc042a741924b3525 (SHA256) - Phishing document lure.
    • 167d5ab70f55c100e51833fbfea44048095889c162e1330df0631423fc547409 (SHA256) - Phishing document lure.
    • 4d2958d93d4650fc4a70f70663fe6943e8c11d61b2824512da296e8fd84e5bb9 (SHA256) - Phishing document lure.
    • 156b325231742a73ded4104fbde1c55ad3913d2eaf09b5194ef74c81ee3ba393 (SHA256) - BlackBeard Variant payload.
    • cc2ec568f978f328b6de112670a1b35ca1f9db377ff32cb9d313a5b2ac3c127b (SHA256) - BlackBeard Variant payload.
    • 7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58 (SHA256) - BlackBeard Variant (Reddit.exe).
    • 0be499354dc498248d27f6d186eb3bb75a607ae4a2c0a6734c76f1a1b7b1d316 (SHA256) - BlackBeard Variant (Reddit.exe).
    • 47bb271c34210f52e3e08339a0c83688d9e9aa5c7cfc45b3e4bdffd1753f6cb2 (SHA256) - Loader/Injector payload.
    • 1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a (SHA256) - Nuso Variant payload.
    • 9c207c51c448f96eaae91241a39c8bb85e2307f2d2a99244763a53176cf4c02f (SHA256) - Nuso Variant payload.
    • c91413ad7c94c0e2694862b9d671d1204873bf65576ba2cb91fbd562a4ccf79b (SHA256) - Nuso Variant payload.
    • 668dd5b6fb06fe30a98dd59dd802258b45394ccd7cd610f0aaab43d801bf1a1e (SHA256) - Phoenix v4/Mononoke payload.
    • 5ec5a2adaa82a983fcc42ed9f720f4e894652bd7bd1f366826a16ac98bb91839 (SHA256) - Phoenix v4/Mononoke payload.
    • a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79 (SHA256) - Rust Payload (BlackBeard).
    • 1bcd8d7dc7bed5873bbdd2822e84e19773a33d659b16587ca9dc6db204447a86 (SHA256) - Rust Payload (BlackBeard).
    • fc4a7eed5cb18c52265622ac39a5cef31eec101c898b4016874458d2722ec430 (SHA256) - UDPGangster Payload.
    • 8d2227f2c53d7e22a57e12c45cecdd43dbec08dbc3ab93e74e6df52cdf80548b (SHA256) - GhostBackDoor payload.
  • Registry Keys:
    • HKCU\Software\Classes\.wdlp - Custom file extension registered by BlackBeard for persistence.
  • File Paths:
    • C:\Users\Public\Documents\novaservice.exe - Drop path for Phoenix/UDPGangster payload.
    • C:\Users\Public\Documents\novaservice.txt - Initial drop path for Phoenix/UDPGangster payload before renaming.
    • C:\Users\public\novaservice.log - Initial drop path for Phoenix payload before renaming.
    • Oregon.wdlp - File dropped into the startup folder by BlackBeard to trigger the infection chain on restart.
  • Command Lines:
    • Purpose: Spawn a command shell for execution and output capture | Tools: cmd.exe | Stage: Execution | cmd.exe /e:ON /v:OFF /d /c
    • Purpose: Perform network reconnaissance | Tools: nslookup | Stage: Discovery | nslookup ad
    • Purpose: Gather network configuration details | Tools: ipconfig | Stage: Discovery | ipconfig /all
    • Purpose: Enumerate user directories | Tools: cmd.exe | Stage: Discovery | dir C:\users
    • Purpose: Query active user sessions | Tools: quser | Stage: Discovery | Quser
  • Other:
    • 8398566164:AAEJbk6EOirZ_ybm4PJ-q8mOpr1RkZx1H7Q - Hardcoded Telegram Bot API token used by LampoRAT.