SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019. SHARPSTATS affects the following operating systems: Windows.
SHARPSTATS can identify the domain of the compromised host, the current date and time, the IP address, machine name, and OS of the compromised host, and the username on the compromised host. SHARPSTATS can also employ a custom PowerShell script, upload and download files, and use base64 encoding and XOR to obfuscate PowerShell scripts. These capabilities allow SHARPSTATS to gather information about the compromised host and avoid detection.
Table of Contents
SHARPSTATS Malware Capabilities
SHARPSTATS may carry out a number of activities in order to gain information about a system or network, including system enumeration and credential dumping. They may use this information to determine whether or not to fully infect a target system. Additionally, SHARPSTATS may transfer tools or other files to a compromised system in order to evade detection.
- The Sharpstats malware may collect network configuration and settings information from remote systems, as well as system time and operating system/hardware details. This information may be used to determine follow-on behaviors, such as whether or not to fully infect a target system.
- SHARPSTATS may collect information about users on a system in order to determine which users are most active and which users may be the primary users. This information may be used to determine which users to target for further actions, such as fully infecting the system or attempting specific actions. SHARPSTATS may use PowerShell to perform a number of actions, including discovery of information and execution of code. SHARPSTATS may also transfer tools or other files from an external system into a compromised environment.
Ways to Mitigate SHARPSTATS Malware Attacks
- The SHARPSTATS malware mitigation technique involves monitoring for net.exe or other command-line utilities being used to gather system time or time zone information. This information can then be used to detect and thwart lateral movement activities by an adversary.
- The above text describes various ways that Sharpstats malware can be mitigated. These include system and network discovery techniques, setting proper execution policy, and monitoring for file creation and files transferred into the network.
About Muddywater Threat Group
- Muddywater is an Iranian threat group that targets telecommunications, government, and oil sectors primarily in Middle Eastern nations, but also in Europe and North America.