Threats Feed | ENT-11 | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 11/05/2022

ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iranian APT group ENT-11, also known as MuddyWater, has been using a variant of the PowGoop malware, dubbed "E400", targeting foreign governments, telecommunications, energy sectors, intergovernmental economic cooperation organizations, and the banking sector, primarily in the Middle East. Insights from NTT Security revealed dozens of PowGoop command and control servers dating back to October 2020. The group appears to be winding down operations with the E400-PowGoop variant, but it is expected to continue modifying its tools and creating new variants.

Detected Targets

Type      Description                         Confidence
Sector    Banking                             High
Sector    Financial                           High
Sector    Government Agencies and Services    High
Region    Turkey                              Medium
Region    Middle East Countries               High

Extracted IOCs


Tip: 36 IOCs related to this threat have been found (34 IP addresses, 0 domains, 0 URLs, 0 email addresses, 2 file hashes).

Overlaps

MuddyWater: MuddyWater's Shift to MuddyC2Go Framework Targets Jordan, Iraq, and Israel

Source: Deep Instinct - November 2023

Detection (one case): 164[.]132.237.65

MuddyWater: MuddyWater Upgrades: The Emergence of PhonyC2 Framework

Source: Deep Instinct - June 2023

Detection (two cases): 164[.]132.237.79, 51[.]255.19.178

MuddyWater: MuddyWater APT Uses Legitimate Remote Management Tool for Persistence

Source: Group-IB - April 2023

Detection (five cases): 164[.]132.237.65, 164[.]132.237.66, 178[.]32.30.1, 51[.]255.19.178, 51[.]255.19.179

MuddyWater: Analysis of MuddyWater Malware Targeting Diverse International Sectors

Source: CISA - February 2022

Detection (four cases): 185[.]183.96.44, 185[.]183.96.7, 192[.]210.191.188, 9cb79736302999a7ec4151a43e93cd51c97ede879194cece5e46b4ff471a7af7

MuddyWater: MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

Source: CISA - February 2022

Detection (nine cases): 164[.]132.237.65, 185[.]141.27.143, 185[.]141.27.248, 185[.]183.96.44, 185[.]183.96.7, 185[.]45.192.228, 192[.]210.191.188, 192[.]210.226.128, 80[.]85.158.49

MuddyWater: Evolving Threat: MuddyWater APT's Multi-National Cyber Espionage Activities

Source: Cisco Talos - January 2022

Detection (one case): 172[.]245.81.135

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation: ENT-11