Following the OilRig/APT34/MOIS leak I reported on here, a new Telegram channel has emerged called "افشاگران سبز | Green Leakers".

The actor (who I assume is the same one behind the OilRig leak) claims to hold information on another Iranian cyber attack group, dubbed MuddyWater, which they also claim is part of MOIS.

Today, 27/4/2019, the actor released photos allegedly taken from compromised MuddyWater command and control servers.

I will keep updating this post as the investigation develops.

Looking at the leakers' accounts, I notice some important information.

The logo and name behind the recent MuddyWater leaks suggest that the people behind it are connected to Iranian opposition forces that are part of the Green Movement. It also helps explain the earlier name, "Sealed Lips". Of course, it could just as easily be a false flag.

List of possible victims (from the leaked photos)

Intrusion notifications have been submitted to some of the allegedly breached organizations.

| Organization | IP address | Country |
|---|---|---|
| KORGLU | 213.154.0.73 | Azerbaijan |
| KORGLU | 213.154.0.69 | Azerbaijan |
| KORGLU | 213.154.0.90 | Azerbaijan |
| KORGLU | 213.154.0.100 | Azerbaijan |
| MECUIT-EDU | 82.178.21.160 | Oman |
| MECUIT-EDU | 82.178.21.158 | Oman |
| MECUIT-EDU | 82.178.21.222 | Oman |
| Quantum | 91.208.48.58 | Lebanon |
| Quantum | 91.208.48.55 | Lebanon |
| Quantum | 91.208.48.191 | Lebanon |
| Quantum | 91.208.48.29 | Lebanon |
| ECONOMY | 212.28.244.80 | Lebanon |
| ECONOMY | 212.28.244.132 | Lebanon |
| ECONOMY | 212.28.244.225 | Lebanon |
| ECONOMY | 212.28.244.76 | Lebanon |
| INDS | 93.185.92.69 | Lebanon |
| EAMANA | 78.93.58.210 | Saudi Arabia |
| EAMANA | 78.93.58.200 | Saudi Arabia |
| EAMANA | 78.93.58.160 | Saudi Arabia |
| MCI | 212.119.82.102 | Saudi Arabia |
| MCI | 212.119.82.22 | Saudi Arabia |
| MOH | 78.93.237.99 | Saudi Arabia |
| MOH | 78.93.237.222 | Saudi Arabia |
| NVSVUC | 185.19.135.99 | Denmark |
| NVSVUC | 185.19.135.77 | Denmark |
| HARLI | 194.90.202.70 | Israel |
| HARLI | 194.90.203.41 | Israel |
| CJECSP | 217.17.128.10 | Netherlands |
| OHECSP | 193.194.139.21 | Switzerland |
| OHECSP | 193.194.139.59 | Switzerland |
| state.gov | 67.160.47.246 | United States |

Thanks to @InfoSecAndBeyond for the tip.

In a new Telegram channel (which might be fake), the alleged "Lips" leaker group has put MuddyWater C2 access up for sale, sharing two onion links and a few screenshots. Notably, the new channel contains no Persian-language text at all, unlike the earlier ones.

Links:

hxxp://yrfpbzadk6gsb5hudpffn4l44j4jxygiojr2a5cs5jfuzaknggja5zid[.]onion/

hxxp://4vq5rislrtskdth2nlxp3agidmqn474p3thztsvgimr2tbbeqr33p2yd[.]onion/
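To ingest the victim list above and the defanged onion links into a tracking sheet or blocklist, the flattened table rows have to be parsed, the IPs validated, and the URLs refanged. The following is an added example written for this post, not code from the leak or from the leakers; `LEAK_EXCERPT` is a constructed subset of the rows on this page (including one of the duplicate rows, to show that the parser collapses it), and the `Indicator` type and function names are my own.

```python
"""Parse the flattened victim table and defanged URLs from the post into a
deduplicated indicator list. Added example; not from the leak or the post."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the post's victim rows and the two defanged onion
# URLs. Only a few rows are included; the INDS row is repeated on purpose.
LEAK_EXCERPT = """
| KORGLU | 213.154.0.73 | Azerbaijan |
| INDS | 93.185.92.69 | Lebanon |
| INDS | 93.185.92.69 | Lebanon |
| Quantum| 91.208.48.55 | Lebanon |
| state.gov | 67.160.47.246 | United state |
| BROKEN | 999.1.1.1 | Nowhere |
hxxp://yrfpbzadk6gsb5hudpffn4l44j4jxygiojr2a5cs5jfuzaknggja5zid[.]onion/
hxxp://4vq5rislrtskdth2nlxp3agidmqn474p3thztsvgimr2tbbeqr33p2yd[.]onion/
"""

# Strict dotted-quad check so a typo in a screenshot transcription is not
# ingested as an indicator.
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
# One markdown-style row: | org | ip | country |  (tolerates missing spaces)
ROW_RE = re.compile(
    r"^\|\s*(?P<org>[^|]+?)\s*\|\s*(?P<ip>[^|]+?)\s*\|\s*(?P<country>[^|]+?)\s*\|$"
)
DEFANGED_URL_RE = re.compile(r"^hxxps?://\S+$", re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ipv4" or "url"
    value: str         # refanged (live) form
    org: str = ""      # only set for table rows
    country: str = ""  # only set for table rows


def refang(value: str) -> str:
    """Turn hxxp:// and [.] back into a live-looking indicator."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def defang(value: str) -> str:
    """Inverse of refang, for safe inclusion in reports."""
    return value.replace("https", "hxxps").replace("http", "hxxp").replace(".", "[.]")


def parse_indicators(text: str) -> list[Indicator]:
    """Parse table rows and defanged URLs; drop malformed IPs and duplicates."""
    seen: set[str] = set()
    out: list[Indicator] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        row = ROW_RE.match(line)
        if row:
            ip = row["ip"].strip()
            if not IPV4_RE.match(ip):
                continue  # malformed transcription, skip rather than ingest
            ind = Indicator("ipv4", ip, row["org"].strip(), row["country"].strip())
        elif DEFANGED_URL_RE.match(line):
            ind = Indicator("url", refang(line))
        else:
            continue  # prose or unrelated line
        if ind.value in seen:
            continue  # exact duplicate row (the list above contains a few)
        seen.add(ind.value)
        out.append(ind)
    return out


def by_org(indicators: list[Indicator]) -> dict[str, list[str]]:
    """Group IPv4 indicators per organization for per-victim notification."""
    grouped: dict[str, list[str]] = {}
    for ind in indicators:
        if ind.kind == "ipv4":
            grouped.setdefault(ind.org, []).append(ind.value)
    return grouped


if __name__ == "__main__":
    for ind in parse_indicators(LEAK_EXCERPT):
        print(ind.kind, defang(ind.value), ind.org, ind.country)
```

Keeping the stored value in refanged form and defanging only on output avoids the usual mess of half-defanged indicators in a tracker; the strict IPv4 pattern is what catches the `999.1.1.1` style of transcription error before it ends up in a blocklist.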

A new leak of source code related to MuddyWater has been released, together with the exposure of details on another operator, "Nima Nikjoo".

The leakers base their findings on Trend Micro's research: https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

The source code is provided, as usual:

https://s3-eu-west-1.amazonaws.com/malware-research.org/blogposts/apt34Leak/muddyc3_2.zip

Pass: VpOUr6H48tG7rhMdJxg!Ad0FUF