Small Sieve

Malware updated 2 months ago (2024-11-29T13:36:11.742Z)
Small Sieve is malware used by the MuddyWater actors, as observed by the FBI, CISA, CNMF, and NCSC-UK. It is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not masquerade as a legitimate application. The Small Sieve payload executes correctly only if the word "Platypus" is passed to it on the command line. Its filenames use variations of Microsoft (for example "Microsift") and Outlook to avoid detection during casual inspection. The malware has been observed communicating with several IP addresses, including 5.199.133[.]149, 45.142.213[.]17, 88.119.170[.]124, and 185.183.96[.]44. It uses the Telegram Bot API over HTTPS for beaconing and tasking, sending the configured Bot ID, the currently logged-in user, and the host's IP address. Although traffic to the Telegram Bot API is already protected by TLS, Small Sieve additionally obfuscates its tasking and responses with a custom hex byte swapping (shuffling) encoding scheme combined with an obfuscated Base64 function, making the traffic difficult to detect and analyze. For further analysis of Small Sieve, refer to Appendix B. Small Sieve, together with other malware such as PowGoop, Canopy (also known as Starwhale), Mori, and POWERSTATS, is part of the arsenal employed by MuddyWater actors in their malicious activity.
Description last updated: 2024-05-05T05:05:05.813Z
Aliases: We are not currently tracking any aliases
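The description above lists several host and network indicators (the gram_app.exe installer name, the "Platypus" activation argument, the Microsift/Outlook lookalike filenames, the listed IP addresses, and beaconing to the Telegram Bot API). The following is an added example of how a defender might correlate those indicators over endpoint telemetry; it is not code from this page or from the advisory. The event schema (process-creation and network-connection records keyed by PID), the sample events, and the TEST-NET addresses are constructed for the example, and api.telegram.org is assumed to be the Telegram Bot API host since the page only says "Telegram API over HTTPS".

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the page's description of Small Sieve.
KNOWN_C2_IPS = {"5.199.133.149", "45.142.213.17", "88.119.170.124", "185.183.96.44"}
INSTALLER_NAME = "gram_app.exe"
ACTIVATION_ARG = "platypus"          # payload only runs if this word is on the command line
LOOKALIKE = re.compile(r"microsift|outlook", re.IGNORECASE)
# Assumption: the page says "Telegram API over HTTPS"; api.telegram.org is the Bot API host.
TELEGRAM_API_HOST = "api.telegram.org"


@dataclass
class ProcessEvent:
    pid: int
    image: str        # full path of the executable
    cmdline: str


@dataclass
class NetworkEvent:
    pid: int
    image: str
    dest_ip: str
    dest_host: str = ""   # SNI or resolved name, if the sensor records it


def basename(path: str) -> str:
    """File name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(proc_events, net_events):
    """Return a list of (severity, reason, pid) findings.

    Single indicators that are specific to Small Sieve (installer name, activation
    argument, 'Microsift' typo, known C2 address) fire on their own.  The Outlook
    lookalike is only flagged when the same process also talks to the Telegram Bot
    API, because a real Outlook process is a normal sight on a workstation.
    """
    findings = []
    conns_by_pid = defaultdict(list)
    for n in net_events:
        conns_by_pid[n.pid].append(n)

    for p in proc_events:
        name = basename(p.image).lower()
        # Heuristic tokenisation: args[1:] skips the executable token itself.
        args = p.cmdline.lower().split()[1:]
        conns = conns_by_pid.get(p.pid, [])

        if name == INSTALLER_NAME:
            findings.append(("medium", "NSIS installer filename gram_app.exe", p.pid))
        if ACTIVATION_ARG in args:
            findings.append(("high", "Small Sieve activation argument on command line", p.pid))
        if "microsift" in p.image.lower():
            findings.append(("high", "Microsoft typo 'Microsift' in executable path", p.pid))

        to_c2 = [c for c in conns if c.dest_ip in KNOWN_C2_IPS]
        if to_c2:
            findings.append(("high", f"connection to known Small Sieve C2 {to_c2[0].dest_ip}", p.pid))

        to_telegram = [c for c in conns if c.dest_host.lower() == TELEGRAM_API_HOST]
        if LOOKALIKE.search(name) and to_telegram:
            findings.append(("high", f"lookalike binary {name} beaconing to Telegram Bot API", p.pid))
    return findings


# Constructed sample telemetry (not real captures); 192.0.2.0/24 is TEST-NET-1.
SAMPLE_PROCS = [
    ProcessEvent(100, r"C:\Users\alice\Downloads\gram_app.exe",
                 r'"C:\Users\alice\Downloads\gram_app.exe"'),
    ProcessEvent(101, r"C:\Users\alice\AppData\Roaming\Microsift\Outlook.exe",
                 r'"C:\Users\alice\AppData\Roaming\Microsift\Outlook.exe" Platypus'),
    ProcessEvent(102, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'),
    ProcessEvent(103, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
SAMPLE_NET = [
    NetworkEvent(101, r"C:\Users\alice\AppData\Roaming\Microsift\Outlook.exe",
                 "192.0.2.10", "api.telegram.org"),
    NetworkEvent(102, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "192.0.2.20", "outlook.office365.com"),
    NetworkEvent(103, r"C:\Windows\System32\svchost.exe", "185.183.96.44"),
]

if __name__ == "__main__":
    for severity, reason, pid in triage(SAMPLE_PROCS, SAMPLE_NET):
        print(f"[{severity}] pid {pid}: {reason}")
```

Running the block flags the installer (pid 100), the lookalike payload that was started with the activation argument and beacons to Telegram (pid 101), and the process connecting to a listed C2 address (pid 103), while the genuine Outlook process talking to Office 365 (pid 102) produces nothing.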