MuddyWater Deploys Chaos Ransomware Decoy Using Microsoft Teams
MuddyWater, the Iranian advanced persistent threat (APT) group also tracked as Static Kitten, has been observed disguising its espionage operations behind a non-functional Chaos ransomware payload. The group leverages Microsoft Teams as a social-engineering vector, sending messages that appear to come from a trusted internal tenant and prompting recipients to download a fraudulent software update. The message contains a link to a hosted ISO file, typically named “TeamsUpdate.iso”, which mounts as a removable drive and drops a malicious loader.
The loader is a compact executable written in Go 1.19 that first decrypts a base64-encoded Cobalt Strike beacon, then drops the “Chaos” ransomware binary. Chaos, compiled with the same toolchain, appends the “.chaos” extension to encrypted files and displays a ransom note demanding 0.5 BTC, but the encryption routine is intentionally incomplete, serving only as a decoy to mislead forensic analysis. Both the beacon and the ransomware communicate with command-and-control (C2) infrastructure hosted on bulletproof hosting providers: the beacon uses HTTP/S for tasking, and the ransomware component occasionally repurposes the same C2 channel for exfiltration.
To maintain persistence, the loader creates a scheduled task that runs daily, adds a registry Run key, and uses WMI subscriptions for lateral movement across the target's network. It also abuses legitimate Windows binaries (certutil, mshta) to decode payloads in memory, a classic living-off-the-land technique that helps evade signature-based detection. A custom FTP utility, spawned by the beacon, uploads harvested documents to an attacker-controlled server, completing the data-exfiltration phase of the operation.
Microsoft Defender for Endpoint flagged the activity as “Trojan:Win32/MuddyWater” and released detailed indicators of compromise (IOCs), including SHA-256 hashes of the ISO (e.g., a3f9…c4e2) and the malicious domains (teams-update-[hash].com). Security teams are advised to block external tenant messages in Teams, enforce safe-attachment scanning, disable macro execution from downloaded Office documents, and apply least-privilege policies to prevent the abuse of certutil and mshta. Multi-factor authentication on privileged accounts and regular audits for .chaos file extensions will further mitigate the risk of this hybrid attack. (Source: BleepingComputer)
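The detection side of the behaviours described above (certutil/mshta used as decoders, a daily scheduled task, and the .chaos extension audit), as an added example that is not from the article or from any vendor's detection rules. The process-creation events, file names, and detection labels are constructed for illustration; the field layout loosely follows Sysmon-style telemetry and is an assumption.

```python
import re

# Constructed process-creation events (not real telemetry); image = process path.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\payload.b64 C:\Users\Public\beacon.dll"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe E:\update.hta"},          # E: stands in for a mounted ISO
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc daily /tn TeamsUpdater /tr C:\Users\Public\loader.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify cert.cer"},        # legitimate certificate use, no alert
    {"image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r"notepad++.exe notes.txt"},
]


def classify_event(event: dict) -> list:
    """Return detection labels for one process-creation event (empty list = benign)."""
    labels = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    exe = image.rsplit("\\", 1)[-1]
    # certutil invoked as a decoder rather than for certificate work
    if exe == "certutil.exe" and re.search(r"\s-(decode|decodehex|urlcache)\b", cmd):
        labels.append("lolbin.certutil.decode")
    # mshta executing script content; any use is worth triage in most estates
    if exe == "mshta.exe":
        labels.append("lolbin.mshta.exec")
    # daily scheduled task created from the command line (loader persistence)
    if exe == "schtasks.exe" and "/create" in cmd and "/sc daily" in cmd:
        labels.append("persistence.schtask.daily")
    return labels


def scan_events(events: list) -> list:
    """Return (cmdline, labels) pairs for every event that produced at least one label."""
    hits = []
    for event in events:
        labels = classify_event(event)
        if labels:
            hits.append((event["cmdline"], labels))
    return hits


def audit_chaos_extension(paths: list) -> list:
    """Return the files carrying the .chaos extension that the decoy ransomware appends."""
    return [p for p in paths if p.lower().endswith(".chaos")]


if __name__ == "__main__":
    for cmdline, labels in scan_events(SAMPLE_EVENTS):
        print(f"{labels}: {cmdline}")
    print(audit_chaos_extension(["report.docx", "report.docx.chaos", "Q3.XLSX.CHAOS"]))
```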