Who are Gladiyator_CRK and Nima Nikjoo?

Earlier, in March 2019, malicious documents were created by a Windows user with the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with a similar name, gladiyator[.]tk.

This may have been prompted by a tweet that the Twitter user Nima Nikjoo posted on March 14, 2019, in which he attempts to deobfuscate code associated with MuddyWater. In a reply to this tweet, a researcher said that he could not share indicators of compromise for this malware because the information was confidential. The tweet has since been deleted, but traces of it remain online:

Nima Nikjoo owns the Gladiyator_CRK profiles on the Iranian video-hosting sites dideo.ir and videoi.ir. There he demonstrates proof-of-concept techniques for disabling anti-virus products from various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, reverse engineer and malware analyst working at MTN Irancell, an Iranian telecommunications company.

Screenshot of saved videos in Google search results:

Later, on March 19, 2019, the Twitter user Nima Nikjoo changed his display name to Malware Fighter and deleted the related posts and comments. The Gladiyator_CRK profile on the dideo.ir video-hosting site was also scrubbed, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, almost a month later (April 16, 2019) the Twitter account reverted to the name Nima Nikjoo.

During the investigation, Group-IB experts found that Nima Nikjoo had already been mentioned in connection with cybercriminal activity. In August 2014, the Iran Khabarestan blog published information about individuals associated with the cybercriminal group of the Iranian Nasr Institute. According to a FireEye report, the Nasr Institute was a contractor for APT33 and also took part in the DDoS attacks on US banks between 2011 and 2013 known as Operation Ababil.

The same blog mentioned Nima Nikju (Nikjoo), who was developing spyware to monitor Iranians, together with his email address: gladiyator_cracker@yahoo[.]com.

Screenshot of data attributed to cybercriminals from the Iranian Nasr Institute:

Translation of the highlighted text: Nima Nikio – Spyware Developer – Email Address:

As this shows, the email address ties together the gladiyator[.]tk domain used in the attacks and the users Gladiyator_CRK and Nima Nikjoo.

In addition, an article dated June 15, 2017 noted that Nikjoo had been somewhat careless in listing Kavosh Security Center on his résumé. Kavosh Security Center is believed to be backed by the Iranian state as a vehicle for funding pro-government hackers.

Information about the company in which Nima Nikjoo worked:

According to his LinkedIn profile, the Twitter user Nima Nikjoo's first job was at Kavosh Security Center, where he worked from 2006 to 2014. There he analysed various malware samples and worked on reverse engineering and obfuscation.

Nima Nikjoo's employer information on LinkedIn:

MuddyWater and high self-esteem

Curiously, the MuddyWater group closely monitors everything security researchers publish about it, and has even deliberately planted false flags to throw researchers off the trail. For example, its early attacks misled analysts because they used DNSMessenger, a tool usually associated with the FIN7 group. In other attacks the group inserted Chinese-language strings into its code.

The group also likes to leave messages for researchers. For example, it was unhappy that Kaspersky Lab ranked MuddyWater only third in its annual threat rating. Around the same time, someone, presumably the MuddyWater group, uploaded to YouTube a PoC video showing the "LK" (Kaspersky Lab) antivirus being disabled, and a comment was left under the article.

Screenshots of a video about disabling Kaspersky Lab’s antivirus and a comment below:

It is still difficult to draw a definitive conclusion about Nima Nikjoo's involvement. Group-IB experts are considering two hypotheses. Nima Nikjoo may indeed be a MuddyWater operator who exposed himself through carelessness and excessive online activity. Alternatively, he may have been deliberately "burned" by other members of the group to divert suspicion from themselves. In any case, Group-IB is continuing its research and will report its findings.

As for the Iranian APTs, after a series of leaks and exposures they are likely to face a serious "debriefing": the hackers will be forced to substantially change their tooling, clean up their tracks and look for possible "moles" in their ranks. The experts did not rule out that they might even take a time-out, but after a short pause the Iranian APT attacks resumed.