
MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics

Dec 09, 2022 | Ravie Lakshmanan | Threat Intelligence / Cyber Attack

The Iran-linked MuddyWater threat actor has
been observed targeting several countries in the Middle East as
well as Central and West Asia as part of a new spear-phishing
activity.

“The campaign has been observed targeting Armenia, Azerbaijan,
Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the
United Arab Emirates,” Deep Instinct researcher Simon Kenin
said[1]
in a technical write-up.

MuddyWater[2], also called Boggy
Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static
Kitten, and TEMP.Zagros, is said to be a subordinate element[3]
within Iran’s Ministry of Intelligence and Security (MOIS).

Active since at least 2017, attacks mounted by the espionage
group have typically targeted telecommunications, government,
defense, and oil sectors.


The current intrusion set follows MuddyWater’s long-running
modus operandi of using phishing lures that contain direct Dropbox
links or document attachments with an embedded URL pointing to a
ZIP archive file.

It’s worth mentioning here that the messages are sent from
already compromised corporate email accounts, which are being
offered for sale[4]
on the darknet by webmail shops like Xleet, Odin, Xmina, and Lufix
for anywhere between $8 and $25 per account.

While the archive files have previously harbored installers for
legitimate tools like ScreenConnect[5]
and RemoteUtilities[6], the actor was observed
switching to Atera Agent in July 2022 in a bid to fly under the
radar.

But in a further sign that the campaign is being actively
maintained and updated, the attack tactics have been tweaked yet
again to deliver a different remote administration tool named
Syncro.

The integrated MSP software[7]
offers a way to completely control a machine, allowing the
adversary to conduct reconnaissance, deploy additional backdoors,
and even sell access to other actors.
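As an added defender-side example (not code from the article or from Deep Instinct’s write-up): a small Python scanner over constructed, pipe-delimited proxy and process events that flags the delivery pattern described above, a Dropbox-hosted ZIP fetch followed by an unsanctioned remote-administration agent starting on the same host. The executable-name markers, the sanctioned product set and the log format are assumptions standing in for an organisation’s own inventory and telemetry.

```python
import re
from collections import namedtuple

# RMM products the article names; the sanctioned set is an assumption
# standing in for an organisation's own approved-software inventory.
RMM_MARKERS = {
    "syncro": ("syncro",),
    "atera": ("ateraagent", "agentpackage"),
    "screenconnect": ("screenconnect", "connectwisecontrol"),
    "remoteutilities": ("rutserv", "rfusclient", "remoteutilities"),
}
SANCTIONED_RMM = {"atera"}
ZIP_LINK = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+\.zip\b", re.I)

Finding = namedtuple("Finding", "line_no host kind detail")

def parse(line):
    """Constructed log format: pipe-separated key=value fields."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify_rmm(image):
    """Map an executable path to one of the RMM products above, or None."""
    exe = re.split(r"[\\/]", image)[-1].lower()
    for product, markers in RMM_MARKERS.items():
        if any(m in exe for m in markers):
            return product
    return None

def scan(lines):
    """Return findings: ZIP links, unsanctioned RMM starts, and full chains."""
    findings, zip_hosts = [], set()
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        host = ev.get("host", "?")
        if ev.get("type") == "proxy" and ZIP_LINK.search(ev.get("url", "")):
            zip_hosts.add(host)
            findings.append(Finding(n, host, "zip_link", ev["url"]))
        elif ev.get("type") == "proc":
            product = classify_rmm(ev.get("image", ""))
            if product and product not in SANCTIONED_RMM:
                # Same host fetched a ZIP link earlier: the chain the article describes.
                kind = "delivery_chain" if host in zip_hosts else "unsanctioned_rmm"
                findings.append(Finding(n, host, kind, product))
    return findings

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "type=proxy|host=WS-0231|user=alice|url=https://www.dropbox.com/s/x1y2/report.zip",
    "type=proc|host=WS-0231|user=alice|image=C:\\Users\\alice\\Downloads\\Syncro-Setup.exe",
    "type=proc|host=WS-0240|user=bob|image=C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
    "type=proc|host=WS-0255|user=carol|image=C:\\Temp\\ScreenConnect.ClientSetup.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.host}: {f.kind} ({f.detail})")
```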

“A threat actor that has access to a corporate machine via such
capabilities has nearly limitless options,” Kenin noted.

The findings come as Deep Instinct also uncovered new malware components[8]
employed by a Lebanon-based group tracked as Polonium in its
attacks[9]
aimed exclusively at Israeli entities.

“Polonium is coordinating its operations with multiple tracked
actor groups affiliated with Iran’s Ministry of Intelligence and
Security (MOIS), based on victim overlap and the following common
techniques and tooling,” Microsoft noted[10] in June 2022.


References

  1. said (www.deepinstinct.com)
  2. MuddyWater (thehackernews.com)
  3. subordinate element (thehackernews.com)
  4. offered for sale (ke-la.com)
  5. ScreenConnect (thehackernews.com)
  6. RemoteUtilities (thehackernews.com)
  7. integrated MSP software (syncromsp.com)
  8. malware components (www.deepinstinct.com)
  9. attacks (thehackernews.com)
  10. noted (thehackernews.com)
  11. Twitter (twitter.com)
  12. LinkedIn (www.linkedin.com)
