

MuddyWater Advanced Persistent Threat (APT) is also known as Static Kitten, Seedworm, Mercury, and is famous for its attacks in the Middle East. Its primary targets include government and educational institutions, as well as cryptocurrency, telecommunications, and oil companies.

Recent attacks carried out by the threat actor have included the exploitation of the ZeroLogon (CVE-2020-1472) vulnerability, as well as the use of remote desktop management tools such as ScreenConnect and Remote Utilities to deliver custom malware that could allow the cybercriminals to gain unauthorized access to confidential data.

Hacking attacks against entities in Central and Southwest Asia, as well as against numerous public and privately-held organizations from Europe, Asia, and North America have been traced back to the group. The group has been linked to attacks against entities in the telecommunications, government (information technology services), oil, and airline industries.

To deploy obfuscated PowerShell-based downloaders and obtain initial access to targeted networks, the threat actors employ a variety of file formats, such as PDFs, XLS files, and Windows executables, all disguised as legitimate files.

What Happened?

As BleepingComputer reports, Turkish commercial companies and government institutions are being targeted by the Iranian-backed hacking group MuddyWater, which has launched a new malicious campaign against them.

The attacks begin with spear-phishing, in which files with Turkish-language names are used to impersonate documents from the country’s Health or Interior ministries.

The MuddyWater threat actors use two infection chains as part of their attack, both of which begin with the delivery of a PDF file. In the first chain, the PDF contains an embedded button that downloads an XLS file when clicked.

This XLS document contains malicious VBA macros that start the infection process and create persistence by generating a new Registry entry.

A VBScript is downloaded with the help of a PowerShell downloader and run via a “living off the land” DLL in order to avoid detection, with the main payload being retrieved from the C2.

Although the second infection chain makes use of an EXE file rather than an XLS file, it retains the PowerShell downloader, the intermediary VBScript, and the addition of a new registry entry for persistent infection.

Compared with previous campaigns, one noticeable feature of this campaign is the use of canary tokens to monitor code executions and any future infections on nearby systems.

The token is hidden inside the malicious attachment or within the email itself, and it signals the threat actors when the victim opens the bait and runs the macro included within it.

As the maldocs were evolving, some of the metadata details were removed or generalized, and eventually, the latest versions consisted of obfuscated PowerShell payloads residing in the comments field.

The malicious VBA macros consisted of the same set of functionalities for creating the malicious VBS and PS1 scripts, and achieving persistence across reboots. However, there was one interesting addition to the macro functionality now. The latest versions of the VBA code deployed could make HTTP requests to a canary token from canarytokens.com.

Canary tokens are tokens that can be embedded in objects like documents, web pages and emails. When that object is opened, an HTTP request to canarytokens.com is generated, alerting the token’s owner that the object was opened.


Additionally, these tokens may be employed as anti-analysis tools, since they provide timestamps to the actors and make it simple to discover research/analysis-induced errors.

If the token makes requests but the payload isn’t retrieved, this serves as an indicator that the payload server has been blocked, providing the actors with vital information about the situation and prompting them to explore alternate means of delivering their payload.
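For defenders, the same signal can be hunted in network telemetry. The following is an added example, not code from the article or from the campaign: it flags requests to canarytokens.com made by Office or script-interpreter processes and lists any script-host traffic that follows from the same machine. The log schema, host names, destinations and the 10-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (assumed schema:
# ts, host, image = process file name, dest = destination hostname).
SAMPLE_LOG = """
{"ts": "2022-01-10T09:14:02", "host": "WS-014", "image": "EXCEL.EXE", "dest": "canarytokens.com"}
{"ts": "2022-01-10T09:14:40", "host": "WS-014", "image": "powershell.exe", "dest": "files.example.net"}
{"ts": "2022-01-10T10:02:11", "host": "WS-022", "image": "EXCEL.EXE", "dest": "canarytokens.com"}
{"ts": "2022-01-10T11:30:00", "host": "WS-031", "image": "chrome.exe", "dest": "canarytokens.com"}
{"ts": "2022-01-10T12:45:00", "host": "WS-022", "image": "wscript.exe", "dest": "cdn.example.org"}
this line is truncated and must be skipped
"""

TOKEN_DOMAIN = "canarytokens.com"
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
WATCHED = SCRIPT_HOSTS | {"excel.exe", "winword.exe"}   # Office apps and script interpreters
WINDOW = timedelta(minutes=10)                           # assumed correlation window

def is_token_host(dest):
    dest = dest.lower().rstrip(".")
    return dest == TOKEN_DOMAIN or dest.endswith("." + TOKEN_DOMAIN)

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue                                     # blank or malformed line
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["image"] = e["image"].lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_token_beacons(events):
    """Token requests from watched processes, plus script-host traffic that follows."""
    findings = []
    for e in events:
        if e["image"] not in WATCHED or not is_token_host(e["dest"]):
            continue
        followups = [f["dest"] for f in events
                     if f["host"] == e["host"] and f["image"] in SCRIPT_HOSTS
                     and not is_token_host(f["dest"])
                     and e["ts"] < f["ts"] <= e["ts"] + WINDOW]
        findings.append({"host": e["host"], "process": e["image"],
                         "time": e["ts"].isoformat(), "followup_dests": followups})
    return findings

if __name__ == "__main__":
    for finding in find_token_beacons(parse(SAMPLE_LOG)):
        print(finding)
```

A finding with an empty follow-up list still means the macro ran on that host; it only shows that no script-host connection was logged inside the window. Organizations that deploy their own canary tokens should exclude those known tokens before alerting.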


Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
