
Cyber espionage: what do APT34 and MuddyWater have in common?

What do APT34 and MuddyWater have in common, and where do they diverge? Cyber security expert Marco Ramilli, founder of Yoroi-Cybaze, analyzed the leaked source code of the two groups to understand

What do APT34 and MuddyWater have in common? Cyber security expert Marco Ramilli, founder of Yoroi-Cybaze, analyzed the leaked source code of two different state-sponsored cyber-espionage groups, looking for similarities and differences in coding style rather than in functionality. “I am not getting into the topic ‘they are the same group’ or ‘they actually live in the same building’ or again ‘they did not belong to the same matrix’ or whatever topic related to such – Ramilli explained on his blog –, but I think there are some similarities (mostly weak) and quite evident differences (again weak differences) in the way they code in Python. I am aware that the following practices are not overwhelming evidence, but you might agree with me that developers spend years in defining the best and the most beautiful way to implement their code. It would be difficult to code with ‘someone else's style’ by changing their coding habitat.”

The cyber security expert: The APT34 print behavior is different from the MuddyWater one

According to the cyber security expert, the sources show differences in the printing function. MuddyWater implements a more “fancy” printing function by adding the symbol “[+]” when things go in the right direction and by adding the symbol “[-]” when flows hit errors or some unwanted conditions. Moreover it uses color in outputs by implementing a core function called These amenities are not available in the APT34 sources. Both groups use single quotes for printing strings and use the + operator for string concatenation in print functions rather than the %s operator. In complex substitution strings, MuddyWater uses \n at the beginning of the string and at the very end, while in the APT34 sources this is not a common practice. APT34 appears to use print as a debugger: there are many commented print statements. I would say that the print behavior differs from one to another.

Yoroi founder: Both state-sponsored groups use multi-line strings to deliver their payloads, but with quite different writing styles

The Yoroi founder believes that “both of the analysed groups use the multi-line string for delivering the relative payloads. However the writing style is quite different. APT34 uses the ‘real’ multi-line, while MuddyWater abuses the multi-line exploiting its auto-escape indirect properties. MuddyWater delivers its payload in an inline multi-string, avoiding to escape special characters, while APT34 prefers to use the same technique but expanding the payload in order to promote the readability. However both groups frequently use the operator =+ for concatenation and both of them use the ‘ ‘.join( to build up objects from empty strings. Interesting to spot a different style inside the MuddyWater package. Indeed in core/ the developer uses ‘ ‘.join(, while in core/ they used both: ‘ ‘.join( and ” “.join( (NB the double quote). Maybe more than one developer was involved?”

APT34 and MuddyWater use a quite clear and identical function nomenclature

“Both groups use a quite clear and identical function nomenclature,” Ramilli underlines. “While the developer might decide to use many different nomenclatures such as: ‘CamelMultipleNames’, ‘Firstcapital’, ‘lowercase’, ‘with_underscore’, and so on and so forth, both APT34 and MuddyWater have chosen to go with the ‘lowercase_with_underscore’ mode. Moreover the analysed source codes do not implement PEP8/4 at all, so I don’t think developers followed the suggested style guidelines. Again, both groups use the operator for i in range a lot rather than using lists or while loops. Both adopted a nice code protection, in order to avoid unexpected exceptions or un-managed user input which might raise weird behaviours.”
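The style markers compared in the sections above (quote choice, “[+]”/“[-]” prefixes, commented-out prints, + versus % in print, +=, .join(, for i in range, function naming) can be counted from tokens and compared across two code bases. The sketch below is an added example, not Ramilli's tooling and not code from either leak; the function names and both samples are constructed for illustration.

```python
import io, itertools, re, tokenize
from collections import Counter

Q = {"'": 'single_quoted', '"': 'double_quoted'}

def style_profile(source):
    """Count the article's style markers from tokens alone (no parsing needed)."""
    toks = list(tokenize.generate_tokens(io.StringIO(source).readline))
    c = Counter()
    for i, t in enumerate(toks):
        if t.type == tokenize.STRING:
            body = t.string.lstrip('rRbBuUfF')
            c['triple_quoted' if body[:3] in ("'''", '"""') else Q[body[0]]] += 1
            c['status_prefix'] += '[+]' in body or '[-]' in body
        elif t.type == tokenize.COMMENT and re.match(r'#\s*print\b', t.string):
            c['commented_print'] += 1
        elif t.type == tokenize.OP and t.string == '+=':
            c['plus_equals'] += 1
        elif t.type == tokenize.NAME:
            nxt = [x.string for x in toks[i + 1:i + 4]]
            if t.string == 'def':
                c['def_lowercase' if nxt[0].islower() else 'def_mixed_case'] += 1
            elif t.string == 'for' and nxt[1:] == ['in', 'range']:
                c['for_in_range'] += 1
            elif t.string == 'join' and toks[i - 1].string == '.':
                c['join_call'] += 1
            elif t.string == 'print':  # operators up to the end of the statement
                stmt = itertools.takewhile(
                    lambda x: x.type != tokenize.NEWLINE, toks[i + 1:])
                ops = {x.string for x in stmt if x.type == tokenize.OP}
                c['print_concat'] += '+' in ops
                c['print_percent'] += '%' in ops
    return +c  # unary plus drops markers whose count is zero

def compare(a, b):  # -> (markers in both samples, markers in only one)
    pa, pb = style_profile(a), style_profile(b)
    return sorted(pa.keys() & pb.keys()), sorted(pa.keys() ^ pb.keys())

# Constructed, harmless samples in Python 2 print-statement style (assumption).
SAMPLE_A = r"""def show_status(name):
    print '\n[+] task finished: ' + name + '\n'
for i in range(3):
    line = ''.join(parts)
    line += " ".join(parts)
"""
SAMPLE_B = r"""def send_data(host):
    # print 'debug: ' + host
    print 'sent to ' + host
for i in range(2):
    buf += ''.join(chunks)
"""
```

Working on tokens rather than a parsed tree lets the counter read Python 2 print statements without a Python 2 interpreter. As the quoted analysis itself says, matching markers are weak evidence on their own.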

Finally, the two cyber espionage groups obfuscate their PowerShell payloads in a similar way

The cyber security expert adds that “MuddyWater is well-known for the way it obfuscates PowerShell payloads. The group likes to replace function values in order to substitute ‘obfuscated characters’, while APT34 used different techniques (such as integer encoding, hexadecimal encoding and so forth). However, it’s not hard to find a wide usage of such technique even in the APT34 leaked source code. Actually not in the analyzed Python code but rather in the JavaScript and PowerShell payloads belonging to the same package. There we find wide usage of replace functions.”
