1. Home
  2. Software
  3. Small Sieve

Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]

ID: S1035
Associated Software: GRAMDOOR
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 16 August 2022
Last Modified: 14 October 2022

Associated Software Descriptions

Name Description
GRAMDOOR

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[2]
Enterprise T1573 .002 加密通道: Asymmetric Cryptography

Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Small Sieve can use cmd.exe to execute commands on a victim's system.[2]
.006 命令与脚本解释器: Python

Small Sieve can use Python scripts to execute commands.[2]
Enterprise T1071 .001 应用层协议: Web Protocols

Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[1]
Enterprise T1480 执行保护

Small Sieve can only execute correctly if the word Platypus is passed to it on the command line.[2]
Enterprise T1132 .002 数据编码: Non-Standard Encoding

Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.[1][2]
Enterprise T1027 混淆文件或信息

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[2]
Enterprise T1033 系统所有者/用户发现

Small Sieve can obtain the id of a logged in user.[2]
Enterprise T1016 系统网络配置发现

Small Sieve can obtain the IP address of a victim host.[2]
Enterprise T1102 .002 网络服务: Bidirectional Communication

Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.[2]
Enterprise T1105 输入工具传输

Small Sieve has the ability to download files.[2]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[1][2]

References

  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  2. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  1. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.