MuddyWater APT group’s new phishing campaign expands attacks to target new nations

• The APT group has previously targeted government agencies across Middles, Europe and US.
• The new phishing campaign targeted Jordan, Turkey, Pakistan, and Azerbaijan.

The MuddyWater threat group, which surfaced in 2017, is involved in a new, ongoing phishing campaign that is designed to expand the group’s target base. MuddyWater has previously targeted government agencies across Middles, Europe and US.

However, the group’s new campaign was found targeting government agencies, military organizations, telecommunication entities, and educational institutions across Turkey, Pakistan and Azerbaijan.

Modus operandi

In its new campaign, MuddyWater uses social engineering tactics to trick users into enabling macros. A wide assortment of compromised hosts is being used to deliver attacks to the targets.

“Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali,” Kaspersky Lab researchers, who discovered the new MuddyWater campaign, wrote in a blog. “The malicious decoy documents used in the attacks suggest they are geopolitically motivated, targeting sensitive personnel and organizations.”

Attribution

The researchers were able to trace the campaign back to the hacker group thanks to PowerShell scripts used in the attack, that was previously observed by the experts. The malicious documents used by the attackers contained embedded paths that also helped the researchers trace the malicious activities to the APT group.

“Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not entirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule out the possibility of false flags, with the attackers using random usernames to confuse researchers,” the researchers added.

The new campaign indicates that MuddyWater is actively improving its attack toolkit and adopting techniques designed to evade detection. The group also appears to be expanding its target base, with little to no evidence of the possibility to slowing down attacks.