A MuddyWater Cyber Spy – Nima Nikjoo

This blog post is about the adventure I had doing some OSINT on the MuddyWater APT. It started when a bunch of new leaks were appearing on Telegram involving APT34 tooling, data, and member details being posted online. I started researching who might be involved, and came across a MuddyWater macro document. While analysing the document I noticed something interesting.

We see here that the author of this document is a Windows user "Gladiator_CRK" / "Nima". So I went ahead and started googling "Gladiator_CRK" and came up with some interesting things, including this YouTube video from 2018: https://www.youtube.com/watch?v=wkWiFzipbpw

It shows a PoC bypassing Kaspersky Anti-Virus, with "MUDDYWATER" rendered as ASCII art. That is pretty interesting, since the YouTube account is also named "muddy water", and when we scroll down we see a comment from someone named "Nima Nikjoo".

Now this gets interesting, so I take that name and throw it into Google, which gives us some nice output.

The first link is a Twitter account made by Nima, which, it turned out once I logged in, was already following me on Twitter, lol.

We talked about some things and Nima then gave me his Telegram handle to continue the conversation. After our talk, once I had added him, I noticed something interesting: he used a Russian/Serbian username, which I thought was odd, so I decided to translate it.

Well, now I'm really starting to think we have a good guess that Gladiator_CRK is Nima Nikjoo. So let's take a look at some more information I was able to gather. We have some Python code from MuddyWater that generates a macro embedded in PowerShell.

There are two hashes labelled "HashKey_1" and "HashKey_2". They are 32 hex characters long, the size of an MD5 digest, and looking them up against known strings gives us:

dd239423ce826bfb1a26478ad205cfe9  gladiator_crd
e495a76dc36655e87d0e855af3966f40  nima.n

Interesting: both hashes resolve to names we have already come across. Let's take a look at another example.

Here we have the PoC code (not public) I was able to obtain through other means. It contains the string "#GMER EDITION from N.N.T", which I thought was interesting as a set of initials, so I wanted to find out what it means.

I found out that Nima has his own website at https://www.vsec.ir, and of course we do some information gathering on it. The domain registration record shows:

domain:  vsec.ir
ascii:   vsec.ir
remarks: (Domain Holder) Nima NikjooyeTabrizi
remarks: (Domain Holder Address) No.988, Shahid Khorasani Sq East Azerbaijan, IR
Nima Nikjoo Tabrizi => N.N.T
While looking through more information online I came across a blog post about the Iranians behind the StoneDrill and NewsBeef malware at https://irancybernews.org/news/318/. Scrolling down through the article we find something else: Nima appears to have some history before MuddyWater as well.

I also found another blog post today that only survives in Google's cache but gives a good insight into more information involving Nima:
“Muddy waters: how MuddyWater hackers attacked a Turkish military electronics manufacturer” https://webcache.googleusercontent.com/search?q=cache:8hHKsokcpJkJ:https://prog.world/muddy-waters-how-muddywater-hackers-attacked-a-turkish-military-electronics-manufacturer/+&cd=15&hl=en&ct=clnk&gl=uk&client=firefox-b-d

So this is a quick insight into what I've been up to, mixed in with work-related things. If anyone else has anything interesting about MuddyWater or the actors behind it, let me know! I will be updating this blog post with more information later once I get the rest organised. Just a quick write-up.

Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were created by a Windows user under the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiyator[.]tk.

Perhaps this was done after Twitter user Nima Nikjoo posted on March 14, 2019, trying to decode obfuscated code associated with MuddyWater. In a comment on this tweet, a researcher said that he could not share indicators of compromise for this malware, since the information was confidential. The tweet has since been deleted, but traces of it remain online:

Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. There he demonstrates PoC exploits for disabling anti-virus tools from various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst working at MTN Irancell, an Iranian telecommunications company.

Screenshot of saved videos in Google search results:

Later, on March 19, 2019, Twitter user Nima Nikjoo changed his display name to Malware Fighter and deleted related posts and comments. The Gladiyator_CRK profile on dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, almost a month later (April 16, 2019), the Twitter account began using the name Nima Nikjoo again.

During the study, Group-IB experts found that Nima Nikjoo had already been mentioned in connection with cybercriminal activity. In August 2014, the Iran Khabarestan blog published information about individuals associated with the cybercriminal group of the Iranian Nasr Institute. A FireEye study stated that the Nasr Institute was a contractor for APT33 and also took part in DDoS attacks on US banks from 2011 to 2013 as part of a campaign called Operation Ababil.

The same blog mentioned Nima Nikju-Nikjoo, who was developing malware to spy on Iranians, together with his email address: gladiyator_cracker@yahoo[.]com.

Screenshot of data attributed to cybercriminals from the Iranian Nasr Institute:

Translation of the highlighted text into Russian: Nima Nikio – Spyware Developer – Email Address.

As this information shows, the email address links the address used in the attacks with the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article from June 15, 2017 stated that Nikjoo had been somewhat careless, posting links to the Kavosh Security Center in his resume. The Kavosh Security Center is believed to be backed by the Iranian state to fund pro-government hackers.

Information about the company in which Nima Nikjoo worked:

According to his LinkedIn profile, Twitter user Nima Nikjoo's first job was at the Kavosh Security Center, where he worked from 2006 to 2014. During that time he studied various malicious programs and also worked on reverse engineering and obfuscation.

Nedi Nikjoo company information on LinkedIn:

MuddyWater and high self-esteem

It is curious that the MuddyWater group closely monitors all reports information security experts publish about them, and has even deliberately planted false flags to throw researchers off the track. For example, their first attacks misled experts because they used DNSMessenger, a technique usually associated with the FIN7 group. In other attacks they inserted Chinese-language strings into the code.

In addition, the group likes to leave messages for researchers. For example, they did not like the fact that Kaspersky Lab placed MuddyWater only 3rd in its threat rating for the year. Around the same time, someone, presumably the MuddyWater group, uploaded a PoC exploit to YouTube that disables the "LK" (Kaspersky Lab) antivirus, and left a comment under the article.

Screenshots of a video about disabling Kaspersky Lab’s antivirus and a comment below:

It is still difficult to draw an unequivocal conclusion about Nima Nikjoo's involvement. Group-IB experts are considering two versions. Nima Nikjoo may indeed be a MuddyWater hacker who exposed himself through negligence and excessive online activity. Alternatively, he may have been deliberately exposed by other members of the group in order to divert suspicion from themselves. In any case, Group-IB continues its research and will report on its results.

As for the Iranian APTs, after a series of leaks and dumps they are likely to face a serious "debriefing": the hackers will be forced to overhaul their tools, clean up their tracks and hunt for possible "moles" in their ranks. The experts did not rule out that they would even take a time-out, but after a short break the attacks of the Iranian APTs resumed.