MURKYTOP Threat Report: What the MURKYTOP and How Does it Work?

The tool, MURKYTOP, is used by Leviathan to gather reconnaissance data on targets. It has the capability to delete local files, identify remote hosts, retrieve information about users, scan for open ports, and schedule remote AT jobs. MURKYTOP uses the command line interface and has the capability to retrieve information about groups.

MURKYTOP Malware Capabilities:

MURKYTOP may scan networks for vulnerable systems and attempt to get a listing of services running on those systems. They may also use the Windows command shell for execution and attempt to find group and permission settings. This information can help them determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

• MURKYTOP may delete files or tools used in their intrusion activity in order to minimize their footprint. They may also attempt to get a listing of other systems on the network or local system accounts to help them determine which accounts to target for lateral movement.
• The Murkytop malware may abuse the 'at' utility to schedule the execution of malicious code, and may also look for shared folders and drives on remote systems in order to gather information and identify potential systems of interest for lateral movement. The adversary may also attempt to get detailed information about the operating system and hardware in order to shape follow-on behaviors.
• MURKYTOP may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. They may also abuse the Windows command shell for execution, and attempt to find group and permission settings. This information could help them determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Ways to Mitigate MURKYTOP Malware Attacks Capabilities

• The MURKYTOP malware can be mitigated by monitoring for command-line deletion functions, known deletion and secure deletion tools, and system and network discovery techniques.
• The MURKYTOP malware attack can be mitigated by monitoring process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Additionally, monitoring Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. can help to identify and stop this type of attack.
• The Murkytop malware attack can be mitigated in several ways, including system and network discovery techniques, restricting scripting for normal users, and capturing scripts from the file system. Any attempt to enable scripts or run them out of cycle from administrator functions is suspicious and should be investigated.