Mori is a backdoor used by the threat group known as MuddyWater. In their joint advisory (CISA AA22-055A), the FBI, CISA, CNMF, and NCSC-UK reported MuddyWater actors deploying a range of malware, including variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS. Within that set, Mori is the component that provides backdoor access over a covert command-and-control channel.
Mori communicates with MuddyWater's command-and-control (C2) infrastructure by tunneling its traffic inside Domain Name System queries and responses (MITRE ATT&CK T1572, Protocol Tunneling). DNS is attractive for C2 because almost every network has to permit outbound name resolution even where other egress is tightly filtered, so the implant's traffic rides a protocol that is rarely blocked and blends in with legitimate lookups. Tunneling is a communication technique, not a persistence mechanism: according to the advisory, MuddyWater deploys its malware set, Mori included, for loading additional malware, backdoor access, maintaining persistence (TA0003), and data exfiltration (TA0010), and each of those is a distinct capability.
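Because the C2 channel described above lives inside DNS, resolver logs are the natural place to look for it. The script below is an added example, not code from the advisory, from MuddyWater or Mori samples, or from the original description, and it does not model Mori's actual encoding, which the page does not give. It scores DNS query logs per registered domain for three generic tunneling indicators: high-entropy subdomain labels, long labels, and heavy use of payload-carrying record types. The log layout, the domains (a benign busy zone `corp-example.test` and a constructed tunneling domain `attacker-example.test`), the record-type list and every threshold are assumptions made for the example.

```python
"""Heuristic scoring of DNS resolver logs for tunnelling-style C2.

Added example: not from the joint advisory, from Mori samples or from the
original page. Log format, domains, record types and thresholds are assumed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic), one query per line:
#   <timestamp> <client_ip> <qtype> <qname>
# corp-example.test is a busy but benign internal zone; attacker-example.test
# is the constructed tunnelling domain. Both names are made up.
SAMPLE_LOG = """\
2024-05-04T10:00:01Z 10.0.0.12 A www.corp-example.test
2024-05-04T10:00:02Z 10.0.0.12 A fileserver.corp-example.test
2024-05-04T10:00:03Z 10.0.0.12 A printer01.corp-example.test
2024-05-04T10:00:04Z 10.0.0.12 A intranet.corp-example.test
2024-05-04T10:00:05Z 10.0.0.12 A sso.corp-example.test
2024-05-04T10:00:06Z 10.0.0.12 AAAA vpn.corp-example.test
2024-05-04T10:00:07Z 10.0.0.45 TXT 7a3f9c1e8b2d4f6a0c5e9d1b3f7a2c4e.u1.cmd.attacker-example.test
2024-05-04T10:00:08Z 10.0.0.45 TXT 9e1b4d7a2c6f8e0b3d5a7c9f1e4b6d8a.u2.cmd.attacker-example.test
2024-05-04T10:00:09Z 10.0.0.45 TXT 4c8e2a6f0b1d3579e8a2c4f6b0d1e3a5.u3.cmd.attacker-example.test
2024-05-04T10:00:10Z 10.0.0.45 TXT 1f3a5c7e9b0d2f4a6c8e1b3d5f7a9c0e.u4.cmd.attacker-example.test
2024-05-04T10:00:11Z 10.0.0.45 TXT 6b8d0f2a4c6e8a1c3e5b7d9f0a2c4e6b.u5.cmd.attacker-example.test
2024-05-04T10:00:12Z 10.0.0.45 TXT 2e4a6c8b0d1f3a5c7e9b2d4f6a8c0e1b.u6.cmd.attacker-example.test
"""

# Assumed log layout; adapt the pattern to your resolver's export format.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)$")

# Record types whose answers carry roomy free-form payloads (assumption).
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random hex tends towards 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain_labels).

    Assumption: the registered domain is the last two labels. A real
    deployment would consult the public suffix list (e.g. example.co.uk).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def analyse(log_text: str, min_unique: int = 5, entropy_threshold: float = 3.5,
            label_len_threshold: int = 20, payload_ratio_threshold: float = 0.5,
            min_indicators: int = 2) -> dict:
    """Aggregate queries per registered domain and flag likely tunnelling.

    A domain is reported only when it has at least `min_unique` distinct
    subdomains AND trips at least `min_indicators` of the three indicators.
    Requiring several indicators keeps busy-but-benign zones off the list.
    """
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "entropies": [], "lengths": [], "payload": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        domain, sub = split_qname(m["qname"])
        s = per_domain[domain]
        s["queries"] += 1
        if m["qtype"] in PAYLOAD_QTYPES:
            s["payload"] += 1
        if sub:
            s["subdomains"].add(".".join(sub))
            longest = max(sub, key=len)  # encoded data usually sits in the longest label
            s["entropies"].append(shannon_entropy(longest))
            s["lengths"].append(len(longest))

    findings = {}
    for domain, s in per_domain.items():
        if len(s["subdomains"]) < min_unique:
            continue
        avg_entropy = sum(s["entropies"]) / len(s["entropies"])
        avg_len = sum(s["lengths"]) / len(s["lengths"])
        payload_ratio = s["payload"] / s["queries"]
        indicators = []
        if avg_entropy >= entropy_threshold:
            indicators.append("high-entropy labels")
        if avg_len >= label_len_threshold:
            indicators.append("long labels")
        if payload_ratio >= payload_ratio_threshold:
            indicators.append("payload record types")
        if len(indicators) >= min_indicators:
            findings[domain] = {"unique_subdomains": len(s["subdomains"]),
                                "avg_entropy": round(avg_entropy, 2),
                                "avg_label_len": avg_len,
                                "payload_ratio": payload_ratio,
                                "indicators": indicators}
    return findings


if __name__ == "__main__":
    for domain, detail in analyse(SAMPLE_LOG).items():
        print(domain, detail)
```

On the constructed log, `corp-example.test` has six distinct subdomains but trips none of the three indicators, so it is not reported; `attacker-example.test` trips all three. Treat the output as a triage filter rather than a signature: thresholds need tuning against a baseline of your own resolver traffic, the two-label registered-domain heuristic should be replaced with a public suffix list, and aggregating per client as well as per domain helps isolate the single host that is beaconing.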
Detection of Mori on a network is a clear indication of compromise, and given MuddyWater's targeting (the advisory describes government and private-sector organizations in telecommunications, defense, local government, and oil and natural gas across Asia, Africa, Europe, and North America), it typically signifies espionage activity. Because Mori's C2 rides on DNS, defenders should ensure that resolver query logging is enabled and retained, and review it for tunneling indicators such as long or high-entropy subdomains, large numbers of unique subdomains under a single domain, and unusual volumes of TXT or other payload-carrying record types, in addition to the host-based controls needed to catch the loaders MuddyWater deploys alongside it.
Description last updated: 2024-05-04T23:10:03.549Z