Analytics Story: Water Gamayun

Description

This analytic story contains detections for techniques used by the Water Gamayun threat actor, which targets telecommunications and financial sectors. The group employs various techniques including MSC EvilTwin exploitation, custom backdoors, information stealers, and sophisticated reconnaissance methods.

Why it matters

Water Gamayun is a threat actor that has been active since at least late 2023. They target organizations primarily in the telecommunications and financial sectors through a combination of sophisticated techniques and custom malware. Their initial access vectors include signed MSI files, Living Off The Land Binaries and Scripts (LOLBAS), and exploitation of an MSC vulnerability (dubbed "EvilTwin") that manipulates directory paths containing spaces so that a malicious console file is loaded in place of a legitimate one, bypassing security controls.

The actor's toolkit includes several custom components:

  • SilentPrism: A backdoor for command and control
  • DarkWisp: A backdoor with TCP communication capabilities
  • EncryptHub: An information stealer targeting credentials and system information

The group is notable for their use of Telegram as a command and control channel, the exploitation of the MSC EvilTwin technique (CVE-2025-26633), and detailed reconnaissance of victim systems including geolocation data collection.

Defensive recommendations include implementing application control policies, monitoring for unusual PowerShell activities and MSC file executions with abnormal command-line parameters, and securing administrative tools that could be abused by attackers.
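The monitoring recommendation above can be turned into a small process-creation triage routine. The following is an added example written for this page, not Splunk's own detection content; it runs over constructed Sysmon EventID 1 / Security 4688 style records embedded inline and applies three of the ideas the story lists: mmc.exe opening an .msc whose directory path contains an abnormal space (the trailing-space directory component is this example's assumed shape of the "directory path with spaces" manipulation), PowerShell contacting the Telegram Bot API from the command line, and mmc.exe spawning PowerShell. Field names, the sample events and the `<TOKEN-PLACEHOLDER>` value are all constructed.

```python
from __future__ import annotations

import re

# Constructed sample process-creation records in the shape of Sysmon EventID 1 /
# Security 4688 fields. They are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # benign: MMC opening a console from the real System32 directory
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # suspicious: a directory component carrying a trailing space (assumed shape
        # of the "directory path with spaces" manipulation the story describes)
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows \System32\WF.msc"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # suspicious: PowerShell spawned by mmc.exe reaching the Telegram Bot API
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-RestMethod '
                       'https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/getUpdates"',
        "ParentImage": r"C:\Windows\System32\mmc.exe",
    },
    {   # benign: ordinary PowerShell use from a shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-Process | Select-Object -First 5"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Matches a quoted or unquoted argument ending in .msc on a command line.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)


def has_abnormal_path_space(path: str) -> bool:
    """True when any directory component (not the file name) has leading or
    trailing whitespace, e.g. 'C:\\Windows \\System32\\...'."""
    components = path.split("\\")[:-1]
    return any(c != c.strip() for c in components if c)


def msc_paths(command_line: str) -> list[str]:
    """Return every .msc path referenced on the command line."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(command_line)]


def classify(event: dict) -> list[str]:
    """Apply the story's detection ideas to one process-creation record."""
    findings: list[str] = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]

    # MSC EvilTwin style: mmc.exe loading a console from a manipulated directory path
    if image.endswith("\\mmc.exe"):
        for path in msc_paths(cmd):
            if has_abnormal_path_space(path):
                findings.append(f"MSC EvilTwin directory path manipulation: {path}")

    if image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        # Telegram as a C2 / exfiltration channel driven from the command line
        if "api.telegram.org" in cmd.lower():
            findings.append("Potential Telegram API request via command line")
        # mmc.exe used as a LOLBAS launcher for PowerShell
        if parent.endswith("\\mmc.exe"):
            findings.append("Mmc LOLBAS execution process spawn: mmc.exe -> powershell.exe")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for hit in hits:
            print(f"  - {hit}")
```

The path check deliberately inspects directory components only, so a console file whose own name happens to contain a space does not fire; in production the same logic would be fed from the Sysmon or Security 4688 data sources listed below rather than an inline list.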

Detections

Name | Technique | Type
Download Files Using Telegram | Ingress Tool Transfer | TTP
Enumerate Users Local Group Using Telegram | Account Discovery | TTP
GetWmiObject User Account with PowerShell | Local Account | Hunting
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
Mmc LOLBAS Execution Process Spawn | Distributed Component Object Model, MMC | TTP
Potential Telegram API Request Via CommandLine | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Creating Thread Mutex | Indicator Removal from Tools, PowerShell | TTP
Suspicious Copy on System32 | Rename Legitimate Utilities | TTP
Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly
Windows LOLBAS Executed As Renamed File | Rename Legitimate Utilities, Rundll32 | TTP
Windows Masquerading Explorer As Child Process | DLL | TTP
Windows MSC EvilTwin Directory Path Manipulation | System Binary Proxy Execution, Match Legitimate Resource Name or Location, Exploitation for Client Execution | TTP
Windows MSIExec DLLRegisterServer | Msiexec | TTP
Windows MsiExec HideWindow Rundll32 Execution | Msiexec | TTP
Windows MSIExec Remote Download | Msiexec | TTP
Windows MSIExec Spawn Discovery Command | Msiexec | TTP
Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
Windows PowerShell Invoke-RestMethod IP Information Collection | System Information Discovery, System Network Configuration Discovery, PowerShell | Anomaly
Windows Process Injection Remote Thread | Portable Executable Injection | TTP
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | Scheduled Task/Job | TTP
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4798 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1