MuddyWater APT Cybercrime Group Associated to Iranian Intelligence, the U.S. Cyber Command Confirms
MuddyWater Activity Analysis Indicates that the APT’s Methods Continue to Develop and Adapt.
Yesterday, MuddyWater’s ties to the Iranian intelligence establishment were officially confirmed by the United States Cyber Command (USCYBERCOM). The espionage hacker’s numerous open-source tools and strategies for hacking into victim systems were also disclosed.
USCYBERCOM’s Cyber National Mission Force (CNMF) stated:
MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.
The agency described the cyberattacks as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), confirming previous reports about the origins of the threat actor.
More on MuddyWater
The MuddyWater Advanced Persistent Threat (APT), also known as Static Kitten, Seedworm, Mercury, and TEMP.Zagros, is notorious for its attacks in the Middle East, primarily targeting governments, educational institutions, cryptocurrency, telecommunications, and oil companies.
The cybercrime organization is thought to have been operational since at least 2017.
Recent attacks organized by the threat actor have included abusing the ZeroLogon (CVE-2020-1472) flaw as well as leveraging remote desktop management tools such as ScreenConnect and Remote Utilities to deliver custom malware that could allow the cybercriminals to obtain unauthorized access to confidential information.
According to The Hacker News, last month, Symantec’s Threat Hunter Team released information about a new wave of cyberattacks carried out by the Muddywater APT against several telecommunications and IT companies in the Middle East and Asia. The threat actors utilized a combination of legitimate tools, publicly available malware, and living-off-the-land (LotL) techniques.
The MuddyWater’s toolkit also includes the Mori backdoor and PowGoop malware, a DLL loader developed to decrypt and execute a PowerShell-based script that establishes network contact with a remote server.
Malware samples associated with the MuddyWater are now available on VirusTotal, an online malware scanning tool that uses 57 different antivirus detection engines and can be found here.
Analysis of MuddyWater activity suggests the group continues to evolve and adapt its techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.