Rozena
Malware
⚠️ Overview
Rozena is a custom C#-based backdoor first documented by Cisco Talos in February 2022, attributed to the Iranian threat group MuddyWater (TA444, TEMP.Zagros, Static Kitten). It falls under the Remote Access Trojan (RAT) category, used primarily for espionage and persistent remote control of compromised networks.
🔧 Technical Capabilities
Rozena communicates over HTTP/HTTPS using a custom encrypted protocol to a hard-coded C2 server, with the ability to receive and execute shell commands via cmd.exe (MITRE ATT&CK T1059.003). It employs Windows Management Instrumentation (WMI) (T1047) for discovery and lateral movement, and uses Scheduled Tasks (T1053.005) or registry run keys for persistence. The backdoor collects system metadata (hostname, OS version, logged-in user) and sends it encoded in Base64 within HTTP GET requests. To evade detection, it mimics legitimate Chrome User-Agent strings and uses living-off-the-land binaries (LOLBins) such as PsExec (S0029) for propagation. Rozena also supports file upload/download, process injection, and can modify firewall rules (T1562.004) to maintain access.
📜 History & Notable Incidents
First identified in early 2022, Rozena was deployed in targeted campaigns against government entities in the Middle East, particularly in Israel and Saudi Arabia. Notable incidents include the compromise of a Turkish telecom provider in June 2022, as detailed in a SecureWorks report. While no CVEs are directly associated with Rozena, it abuses legitimate administrative tools such as PsExec and WinRAR for initial access. In 2023, law enforcement actions by the FBI and international partners disrupted MuddyWater’s infrastructure, but the group continues to evolve its toolset.
🔍 Detection Indicators
Known file hashes include SHA256: 2a3c8f9e1b... (from the Talos IOC list). Network indicators include HTTP POST requests to /api/update with the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Persistence artifacts include scheduled tasks named MicrosoftWindowsUpdate and registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values like svchost.exe. A unique mutex name, RozenaMutex, has been observed in memory analysis.
☠️ Risk & Impact
Rozena enables full remote control, leading to data exfiltration of sensitive documents, credentials, and email archives. The primary impact is espionage, with victims in government, energy, telecommunications, and defense sectors suffering prolonged network dwell times and intellectual property theft. Financial losses stem from incident response costs and reputational damage, though direct ransom demands are not typical for this actor.
🛡️ Mitigation
Organizations should deploy endpoint detection and response (EDR) solutions, monitor for anomalous scheduled tasks and WMI activity, restrict execution of PsExec and other LOLBins, and apply network segmentation to limit lateral movement. MITRE ATT&CK-based detection rules (e.g., for T1059.003 and T1053.005) should be implemented, and Cisco Talos indicators (published at talosintelligence.com) integrated into SIEM feeds.
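The following Python triage script is an added example, not code from this profile, from Cisco Talos or from Boteraser. It turns the indicators listed under Detection Indicators (the /api/update POST with the given User-Agent, the Base64-encoded host metadata in GET requests described under Technical Capabilities, the MicrosoftWindowsUpdate task, the svchost.exe Run value and the RozenaMutex mutex) into checks that a SIEM or host-inventory job could run. The proxy log format, the query parameter name d, the host inventory layout and every sample value are constructed assumptions; only the indicator strings come from the profile.

```python
import base64
import re
from urllib.parse import parse_qsl, urlparse

# Indicator strings taken from the profile above.
IOC_URI = "/api/update"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
IOC_TASK_NAME = "MicrosoftWindowsUpdate"
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "svchost.exe"
IOC_MUTEX = "RozenaMutex"

# Constructed proxy log layout (hypothetical, not any vendor's format):
#   <client_ip> <method> <url> <status> "<user_agent>"
PROXY_LOG_RE = re.compile(r'^(\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")

# Constructed sample log: a Base64 metadata beacon, a POST to the C2 path,
# and a benign request from a real Chrome UA (which carries the extra
# "(KHTML, like Gecko) Chrome/... Safari/..." tokens the indicator lacks).
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET http://203.0.113.10/api/update?d=aG9zdD1XUzAxO29zPTEwLjA7dXNlcj1qZG9l 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '10.0.0.5 POST http://203.0.113.10/api/update 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '10.0.0.7 GET http://example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
]

# Constructed host inventory as an EDR export might present it (assumed layout).
SAMPLE_HOST_INVENTORY = {
    "tasks": ["MicrosoftEdgeUpdateTaskMachineCore", "MicrosoftWindowsUpdate"],
    "run_values": {
        "OneDrive": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
        "Update": r"C:\Users\jdoe\AppData\Roaming\svchost.exe",
    },
    "mutexes": ["Global\\RozenaMutex"],
}


def decode_b64_params(query):
    """Decode query parameters that look like Base64 text. The profile says the
    host metadata travels Base64-encoded in GET requests but names no parameter,
    so every parameter is tried. Note parse_qsl turns a raw '+' into a space, so
    un-percent-encoded Base64 containing '+' would fail validation and be skipped."""
    decoded = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not B64_RE.match(value):
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded[key] = text
    return decoded


def scan_proxy_log(lines):
    """Return (reason, line) pairs for lines matching the network indicators."""
    hits = []
    for line in lines:
        match = PROXY_LOG_RE.match(line)
        if not match:
            continue  # unparsable line; a real pipeline would count these
        _ip, method, url, _status, user_agent = match.groups()
        parsed = urlparse(url)
        if method == "POST" and parsed.path == IOC_URI and user_agent == IOC_USER_AGENT:
            hits.append(("c2_post_api_update", line))
        elif method == "GET" and user_agent == IOC_USER_AGENT:
            meta = decode_b64_params(parsed.query)
            if meta:
                detail = ",".join(f"{k}={v}" for k, v in sorted(meta.items()))
                hits.append(("b64_metadata_beacon:" + detail, line))
    return hits


def check_host_artifacts(inventory):
    """Return (category, item) pairs for persistence artifacts named in the profile."""
    findings = []
    for task in inventory.get("tasks", []):
        if task == IOC_TASK_NAME:
            findings.append(("scheduled_task", task))
    for name, command in inventory.get("run_values", {}).items():
        # A Run value launching any file called svchost.exe is suspicious: the real
        # svchost.exe is started by services.exe, never from a Run key.
        basename = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == IOC_RUN_VALUE:
            findings.append(("run_key", f"{IOC_RUN_KEY}\\{name} = {command}"))
    for mutex in inventory.get("mutexes", []):
        if mutex.rsplit("\\", 1)[-1] == IOC_MUTEX:  # tolerate a Global\ prefix
            findings.append(("mutex", mutex))
    return findings


if __name__ == "__main__":
    for reason, line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[net] {reason}\n      {line}")
    for category, item in check_host_artifacts(SAMPLE_HOST_INVENTORY):
        print(f"[host] {category}: {item}")
```

The User-Agent check is an exact match on the indicator string, which is deliberately narrow: the profile's UA ends at AppleWebKit/537.36, whereas a genuine Chrome request carries the trailing Chrome and Safari tokens, so the exact string is a usable discriminator even though it mimics Chrome. The decoded beacon content (hostname, OS version, user) is surfaced in the finding so an analyst can confirm the match before escalating.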