HackMyIP
2026-05-06 BleepingComputer

MuddyWater Deploys Chaos Ransomware Decoy Using Microsoft Teams

Tags: APT, Ransomware, Phishing

MuddyWater, the Iranian advanced persistent threat (APT) group also tracked as Static Kitten, has been observed disguising its espionage operations behind a non‑functional Chaos ransomware payload. The group uses Microsoft Teams as its social‑engineering vector: messages that appear to originate from a trusted internal tenant prompt recipients to download a fraudulent software update. The message links to a hosted ISO file, typically named “TeamsUpdate.iso”; when the user opens it, Windows mounts the disc image as a virtual drive, and the image carries the malicious loader.

The loader is a compact executable written in Go 1.19. It first decodes a base‑64‑encoded Cobalt Strike beacon and then drops the “Chaos” ransomware binary. Chaos, compiled with the same toolchain, appends the “.chaos” extension to files and displays a ransom note demanding 0.5 BTC, but its encryption routine is deliberately incomplete: the ransomware exists only as a decoy, meant to steer forensic analysis and the incident‑response effort toward a ransomware playbook while the espionage activity continues. In practice this means “.chaos” artifacts should be treated as a signpost to the intrusion rather than as the incident itself. Both components communicate with command‑and‑control (C2) infrastructure hosted on bullet‑proof hosting providers; the beacon uses HTTP/S for tasking, and the ransomware component occasionally reuses the same C2 channel for exfiltration.

For persistence, the loader creates a scheduled task that runs daily and adds a registry Run key; it also registers WMI event subscriptions, which the report ties to lateral movement across the target’s network. It abuses legitimate, signed Windows binaries (certutil, mshta) to decode and execute payloads, a living‑off‑the‑land technique that evades signature‑based detection because the executing binaries are trusted by the operating system. A custom FTP utility, spawned by the beacon, uploads harvested documents to an attacker‑controlled server, completing the data‑exfiltration phase of the operation.

Microsoft Defender for Endpoint flags the activity as “Trojan:Win32/MuddyWater”, and Microsoft has published indicators of compromise (IOCs), including SHA‑256 hashes of the ISO (e.g., a3f9… c4e2) and the malicious domain pattern (teams‑update‑[hash].com). Recommended defenses: restrict or block messages from external Teams tenants and review which federated domains are allowed; enforce safe‑attachment scanning; block or alert on users mounting ISO images delivered by chat or e‑mail; disable macro execution in downloaded Office documents; and apply application‑control or least‑privilege policies that prevent certutil and mshta from being used to decode or launch payloads. Multi‑factor authentication on privileged accounts limits the value of any credentials the group harvests. Auditing for the “.chaos” file extension will surface affected hosts, but because the ransomware is a decoy, any such finding should trigger a hunt for the loader, the beacon, and the scheduled‑task, Run‑key and WMI persistence rather than a ransomware‑only response. (Source: BleepingComputer)
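The persistence and living‑off‑the‑land behaviour described above, together with the advice to audit for the “.chaos” extension, translate directly into hunting logic. The following Python is an added example written for this page; it is not code from BleepingComputer, Microsoft or any MuddyWater analysis. The telemetry, host names, file paths, task and key names are constructed for the example, and the command‑line patterns are generic detections for the techniques named (certutil decoding, mshta execution, schtasks, Run keys, WMI event subscriptions, an ISO landing in Downloads), not MuddyWater‑specific indicators. The triage step encodes the page’s main point: a host that shows only the ransomware marker must not be closed as a ransomware case without a hunt for the loader and beacon.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example only (not real IOCs).  Field
# names loosely follow Sysmon Event ID 1 (process create) and ID 11 (file
# create); adapt the parsing to whatever your EDR or SIEM exports.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "file",
     "path": r"C:\Users\jdoe\Downloads\TeamsUpdate.iso"},
    {"host": "ws01", "kind": "process",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\jdoe\AppData\Local\Temp\b64.txt "
                r"C:\Users\jdoe\AppData\Local\Temp\stage.exe"},
    {"host": "ws01", "kind": "process",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\jdoe\AppData\Local\Temp\stage.hta"},
    {"host": "ws01", "kind": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc daily /tn TeamsUpdater "
                r"/tr C:\Users\jdoe\AppData\Local\Temp\stage.exe"},
    {"host": "ws01", "kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v TeamsUpdater /t REG_SZ /d C:\Users\jdoe\AppData\Local\Temp\stage.exe"},
    {"host": "ws01", "kind": "process",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE '
                r'Name="tu", EventNamespace="root\cimv2", QueryLanguage="WQL", '
                r'Query="SELECT * FROM __InstanceModificationEvent"'},
    {"host": "ws01", "kind": "file",
     "path": r"C:\Users\jdoe\Documents\budget.xlsx.chaos"},
    # A second host shows only the decoy marker: no loader activity captured.
    {"host": "ws02", "kind": "file",
     "path": r"C:\Users\asmith\Documents\notes.docx.chaos"},
    # Benign administrative use of certutil that must not fire.
    {"host": "ws03", "kind": "process",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify -urlfetch C:\certs\server.cer"},
]

# (finding, image basename, regex applied to the lower-cased command line).
# ATT&CK technique IDs are given for orientation only.
PROCESS_RULES = [
    ("certutil_decode", "certutil.exe", r"\s-(decode|decodehex|urlcache)\b"),        # T1140 / T1105
    ("mshta_exec", "mshta.exe", r"\.hta\b|javascript:|vbscript:|https?://"),          # T1218.005
    ("schtasks_create", "schtasks.exe", r"/create\b"),                                # T1053.005
    ("run_key_add", "reg.exe", r"^reg\s+add\s+.*\\currentversion\\run(once)?\b"),    # T1547.001
    ("wmi_subscription", "wmic.exe",
     r"root\\subscription|__eventfilter|commandlineeventconsumer"),                   # T1546.003
]
FILE_RULES = [
    ("iso_download", r"\\downloads\\[^\\]+\.iso$"),   # disc image delivered to a user
    ("chaos_extension", r"\.chaos$"),                 # the decoy ransomware marker
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Map each host to the sorted list of findings raised on it."""
    findings = defaultdict(set)
    for ev in events:
        if ev["kind"] == "process":
            image, cmd = _basename(ev["image"]), ev["cmdline"].lower()
            for name, binary, pattern in PROCESS_RULES:
                if image == binary and re.search(pattern, cmd):
                    findings[ev["host"]].add(name)
        elif ev["kind"] == "file":
            path = ev["path"].lower()
            for name, pattern in FILE_RULES:
                if re.search(pattern, path):
                    findings[ev["host"]].add(name)
    return {host: sorted(names) for host, names in findings.items()}


def triage(findings):
    """Classify hosts so the ransomware decoy does not hijack the response."""
    verdicts = {}
    for host, names in findings.items():
        decoy = "chaos_extension" in names
        intrusion = [n for n in names if n != "chaos_extension"]
        if intrusion and decoy:
            verdicts[host] = "intrusion_with_decoy"
        elif intrusion:
            verdicts[host] = "intrusion"
        else:
            # Marker only: hunt for the loader, beacon and persistence first.
            verdicts[host] = "decoy_marker_only"
    return verdicts


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, verdict in triage(found).items():
        print(f"{host}: {verdict} <- {', '.join(found[host])}")
```

On the constructed sample, ws01 raises all seven findings and is classed as an intrusion with a decoy, ws02 carries only the “.chaos” marker and is flagged for a deeper hunt rather than a ransomware response, and ws03’s benign certutil usage stays silent. The command‑line patterns are deliberately narrow; in production, pair them with parent‑process and network context from your EDR, and keep the mshta and certutil rules tuned against legitimate administrative use.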

