Iranian threat actors have long been known for attacks on critical infrastructure, government agencies, and corporate networks. One group that has risen to prominence is MuddyWater (aka SeedWorm).

What’s new about MuddyWater?

Since the beginning of 2021, the MuddyWater APT group has varied the tactics and techniques used in its attack campaigns.
  • In January, MuddyWater was spotted with a new piece of malware added to its arsenal. Distributed via weaponized Word documents, the malware was ultimately used to deploy a Cobalt Strike payload.
  • In March, Trend Micro attributed a newly discovered cyber espionage campaign, dubbed Earth Vetala, to the politically motivated group.
  • The campaign used spear-phishing emails together with two legitimate remote administration tools, ScreenConnect and RemoteUtilities, to target organizations in multiple countries.
  • Separately, Malwarebytes published details of a new APT group named LazyScripter whose TTPs show distinct overlaps with those seen in past MuddyWater (aka Static Kitten or MERCURY) campaigns.

What are their survival tactics?

  • While the infection chain and malware differed from campaign to campaign, every campaign began with a malicious email lure.
  • The group's primary focus has been on making its tools more flexible and more complex in order to evade detection.
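As an added hunting example (not part of the original article, and not MuddyWater or Trend Micro tooling), the Python below runs detection logic over constructed process-creation records for the two chains described above: an Office document spawning a script host, and a remote admin tool such as ScreenConnect or RemoteUtilities executing on a host where it is not sanctioned. The image names, host names and the approved-host list are assumptions for illustration and should be tuned to the environment.

```python
"""Added hunting example: flag two process-creation patterns that match the
MuddyWater tradecraft summarized in the article (weaponized Word documents that
launch a payload, and remote admin tools such as ScreenConnect and
RemoteUtilities). Events, host names and image names are constructed for
illustration; the image lists are assumptions to tune per environment, not
page-supplied indicators.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed image names (lower-case basenames). Tune to your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RMM_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
              "rutserv.exe", "rfusclient.exe"}
# Hosts where the remote admin tool is sanctioned (assumed inventory).
APPROVED_RMM_HOSTS = {"helpdesk-01"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR equivalent)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-case file name regardless of Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding tag for a suspicious event, or None if it looks benign."""
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        # A macro or exploit handing off to a script host; an encoded
        # PowerShell command line is the stronger signal of a staged payload.
        if image in {"powershell.exe", "pwsh.exe"} and "-enc" in ev.command_line.lower():
            return "office-spawned-encoded-powershell"
        return "office-spawned-script-host"
    if image in RMM_IMAGES and ev.host.lower() not in APPROVED_RMM_HOSTS:
        # Legitimate tool on the wrong host: the remote-admin-tool-as-backdoor pattern.
        return "unapproved-remote-admin-tool"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Run classify() over a batch and return (host, image, tag) findings."""
    findings = []
    for ev in events:
        tag = classify(ev)
        if tag:
            findings.append((ev.host, ev.image, tag))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent("ws-finance-07",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws-finance-07",
              r"C:\Windows\explorer.exe",
              r"C:\Users\a.user\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
              "ScreenConnect.WindowsClient.exe"),
    ProcEvent("helpdesk-01",
              r"C:\Windows\System32\services.exe",
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe"),
    ProcEvent("ws-hr-02",
              r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n report.docx"),
]

if __name__ == "__main__":
    for host, image, tag in hunt(SAMPLE_EVENTS):
        print(f"{host}: {tag} ({image})")
```

The approved-host allowlist is the important design choice: the remote admin tools named in the article are legitimate products, so the signal is not their presence but their execution somewhere the help desk never installed them. Pair the encoded-PowerShell tag with script block logging to recover the decoded first stage.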

What else?

  • The extensive and aggressive Earth Vetala cyber espionage campaign represents a serious threat to organizations in the targeted countries.
  • Researchers report that the attackers demonstrated a higher level of technical skill in carrying out this campaign.

Bottom line

Active since at least 2017, the MuddyWater group has been linked to numerous offensive operations in the Middle East. Its attacks are characterized by a slowly evolving PowerShell-based first-stage backdoor known as POWERSTATS. Given the latest attack patterns and evolving techniques, the group is likely expanding its operations to other countries.

Cyware Publisher