Small Sieve

Malware Profile Updated 3 months ago
Small Sieve is malware used by the MuddyWater actors, as observed by the FBI, CISA, CNMF and NCSC-UK. It is delivered by a large (16 MB) NSIS installer named gram_app.exe that does not masquerade as a legitimate application. The Small Sieve payload executes correctly only if the word "Platypus" is passed to it on the command line, and it uses variations of Microsoft (such as "Microsift") and Outlook in its filenames to avoid notice during casual inspection. The malware has been observed communicating with multiple IP addresses, including but not limited to 5.199.133[.]149, 45.142.213[.]17, 88.119.170[.]124 and 185.183.96[.]44.

Small Sieve beacons and receives tasking through the Telegram Bot API over HTTPS, sending the configured Bot ID, the currently logged-in user and the host's IP address. Although traffic to the Telegram Bot API is already protected by TLS, Small Sieve additionally obfuscates its tasking and responses with a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function, which is intended to hinder detection and analysis of the command-and-control traffic. For further analysis of Small Sieve, refer to Appendix B. Small Sieve, together with other malware such as PowGoop, Canopy (also known as Starwhale), Mori and POWERSTATS, is part of the toolset MuddyWater actors employ in their malicious activity.
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Backdoor
APT
Bot
Payload
Malware
Beacon
Outlook
Telegram
MITRE ATT&CK techniques:
T1059.006 (Command and Scripting Interpreter: Python)
T1036.005 (Masquerading: Match Legitimate Name or Location)
T1071.001 (Application Layer Protocol: Web Protocols)
T1132.002 (Data Encoding: Non-Standard Encoding)
T1027 (Obfuscated Files or Information)
Associated Malware
POWERSTATS (type: unspecified; votes: 1): PowerStats is a malicious software (malware) created by the MuddyWater cyberespionage group, which is linked to Iran. This malware, written in PowerShell, was designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through suspicious downloads, emails, o
Associated Threat Actors
MuddyWater (type: unspecified; votes: 1): MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Small Sieve malware was read from the document corpus below.
MITRE (added a year ago): Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA