The Iranian state-sponsored threat actor known as
MuddyWater has been attributed to a new swarm of attacks
targeting Turkey and the Arabian Peninsula with the goal of
deploying remote access trojans (RATs) on compromised systems.
“The MuddyWater supergroup is highly motivated and can use
unauthorized access to conduct espionage, intellectual property
theft, and deploy ransomware and destructive malware in an
enterprise,” Cisco Talos researchers Asheer Malhotra, Vitor
Ventura, and Arnaud Zobec said[1]
in a report published today.
The group, which has been active since at least 2017, is known
for its attacks on various sectors that help further advance Iran’s
geopolitical and national security objectives. In January 2022, the
U.S. Cyber Command attributed the actor to the country’s Ministry
of Intelligence and Security (MOIS).
MuddyWater is also believed to be a “conglomerate of multiple teams[2]
operating independently rather than a single threat actor group,”
the cybersecurity firm added, making it an umbrella actor in the
vein of Winnti[3], a China-based advanced
persistent threat (APT).
The latest campaigns undertaken by the hacking crew involve the
use of malware-laced documents delivered via phishing messages to
deploy a remote access trojan called SloughRAT (aka Canopy[4]
by CISA) capable of executing arbitrary code and commands received
from its command-and-control (C2) servers.
The maldoc, an Excel file containing a malicious macro, triggers
the infection chain to drop two Windows Script Files (.WSF) on the
endpoint, the first one of them acting as the instrumentor to
invoke and execute the next-stage payload.
Also discovered are two additional script-based implants, one
written in Visual Basic and the other coded in JavaScript, both of
which are engineered to download and run malicious commands on the
compromised host.
Furthermore, the latest set of intrusions marks a continuation
of a November 2021 campaign[5]
that struck Turkish private organizations and governmental
institutions with PowerShell-based backdoors to gather information
from its victims, even as it exhibits overlaps with another
campaign that took place in March 2021.
The commonalities in tactics and techniques adopted by the
operators have raised the possibility that these attacks are
“distinct, yet related, clusters of activity,” with the campaigns
leveraging a “broader TTP-sharing paradigm, typical of coordinated
operational teams,” the researchers noted.
A second phishing attack sequence between December 2021 and
January 2022 concerned the deployment of VBS-based malicious
downloaders using scheduled tasks created by the adversary,
enabling the execution of payloads retrieved from a remote server.
The results of the command are subsequently exfiltrated back to the
C2 server.
“While they share certain techniques, these campaigns also
denote individuality in the way they were conducted, indicating the
existence of multiple sub-teams beneath the Muddywater umbrella —
all sharing a pool of tactics and tools to pick and choose from,”
the researchers concluded.
References
- ^
said
(blog.talosintelligence.com) - ^
multiple
teams (thehackernews.com) - ^
Winnti
(malpedia.caad.fkie.fraunhofer.de) - ^
Canopy
(thehackernews.com) - ^
November
2021 campaign (thehackernews.com)
Read more https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html