
MuddyWater Rounds up its Arsenal with Multi-Malware Sets

The U.S. CISA, CNMF, FBI, and NSA, together with the U.K.'s NCSC, have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by MuddyWater. Since it first appeared, the Iranian government-sponsored APT group has targeted a wide range of government and private-sector organizations in Asia, Africa, Europe, and North America.

Under MuddyWater’s sleeves

MuddyWater, which has been conducting broad cyber campaigns in support of the Iranian Ministry of Intelligence and Security (MOIS) objectives, has updated its arsenal with new tools.
  • MuddyWater gains access to sensitive government and commercial networks through spearphishing, exploitation of publicly known vulnerabilities, and a number of open-source tools.
  • Its newest addition is a set of PowerShell backdoor scripts that are lightweight in functionality and use the InvokeScript method to execute whatever response the adversary's server returns, so the backdoor itself carries almost no logic and the real payload arrives at runtime.
  • These PowerShell scripts are obfuscated to conceal the most damaging parts of the attack, including the C2 functions, from analysts and signature-based defenses.

Operational details

According to the CISA alert, MuddyWater has also enhanced several of its existing tools.
  • In recent attacks, MuddyWater used a new variant of the PowGoop loader, which serves as the main loader for downloading second-stage PowerShell scripts.
  • PowGoop consists of a DLL loader and a PowerShell-based downloader. The DLL masquerades as a library of the legitimately signed Google Update executable, so the malicious code runs under that trusted process and its communication with MuddyWater C2 servers is harder to spot.
  • Small Sieve, a Python-based implant, provides the basic functionality needed to maintain and expand a foothold in victim infrastructure. It uses the Telegram API for C2 communications, blending its traffic into a legitimate service to evade detection.
  • Canopy/Starwhale is another key piece of malware in the group's arsenal. It uses Windows Script File (.wsf) scripts to collect system metadata and transmit it to an adversary-controlled IP address.
  • Two further backdoors round out the set: Mori, which tunnels its communication with the group's C2 infrastructure over DNS, and POWERSTATS, a PowerShell-based backdoor used to maintain persistent access.
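The behaviours listed above translate directly into hunting logic. The script below is an added illustration written for this page; it is not code from the advisory or from any MuddyWater tooling. It runs four heuristics over a handful of constructed, Sysmon-style events: PowerShell script blocks that hand fetched content to InvokeScript or carry long base64 blobs (the lightweight backdoor and its obfuscation), a Google Update lookalike loading a DLL from a user-writable directory (PowGoop's side-loaded loader), long high-entropy DNS labels (Mori's DNS-tunnelled C2, as described in the advisory), and a non-browser process contacting the Telegram Bot API (Small Sieve). The DLL name goopdate.dll, the process allow-list, the thresholds, and every sample event are assumptions or constructed data, not indicators taken from the advisory.

```python
import math
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Assumed file name for the side-loaded PowGoop DLL and assumed allow-list of
# processes that may legitimately reach the Telegram API; tune both per estate.
SIDELOAD_DLL = "goopdate.dll"
TELEGRAM_ALLOWED = {"firefox.exe", "chrome.exe", "msedge.exe", "telegram.exe"}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "type": "script_block", "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": "2", "type": "script_block",
     "text": "$r=(New-Object Net.WebClient).DownloadString($u);"
             "$ExecutionContext.InvokeCommand.InvokeScript($r)"},
    {"id": "3", "type": "script_block",
     "text": "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
             + "QUJD" * 40 + "')))"},
    {"id": "4", "type": "image_load",
     "process": "C:\\Users\\victim\\AppData\\Roaming\\GoogleUpdate.exe",
     "image": "C:\\Users\\victim\\AppData\\Roaming\\goopdate.dll"},
    {"id": "5", "type": "image_load",
     "process": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "image": "C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\goopdate.dll"},
    {"id": "6", "type": "dns", "process": "C:\\Windows\\System32\\svchost.exe",
     "query": "www.example.com"},
    {"id": "7", "type": "dns", "process": "C:\\Windows\\Temp\\svc.exe",
     "query": "7a3f9c1e0b4d8a6f2c5e9b1d3f7a0c4e.update-cdn.example"},
    {"id": "8", "type": "network",
     "process": "C:\\Users\\victim\\AppData\\Local\\Temp\\index.exe", "host": "api.telegram.org"},
    {"id": "9", "type": "network",
     "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "host": "api.telegram.org"},
]


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking hex labels score near 4.0, real words well below 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_script_block(text: str) -> bool:
    """Backdoor traits from the advisory: InvokeScript on fetched content, or a long base64 blob."""
    return "invokescript" in text.lower() or bool(BASE64_RUN.search(text))


def suspicious_image_load(ev: Event) -> bool:
    """The assumed PowGoop DLL name loaded by a process living outside Program Files."""
    dll = ntpath.basename(ev["image"]).lower()
    proc_dir = ntpath.dirname(ev["process"]).lower()
    return dll == SIDELOAD_DLL and not proc_dir.startswith("c:\\program files")


def suspicious_dns(query: str) -> bool:
    """DNS tunnelling heuristic: a long, high-entropy leftmost label (thresholds are assumptions)."""
    label = query.split(".")[0]
    return len(label) >= 20 and shannon_entropy(label) >= 3.5


def suspicious_network(ev: Event) -> bool:
    """Telegram Bot API reached by anything other than an allow-listed client."""
    proc = ntpath.basename(ev["process"]).lower()
    return ev["host"].lower().endswith("api.telegram.org") and proc not in TELEGRAM_ALLOWED


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, event id) pairs for every event that trips one of the heuristics."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "script_block" and suspicious_script_block(ev["text"]):
            findings.append(("powershell_backdoor", ev["id"]))
        elif kind == "image_load" and suspicious_image_load(ev):
            findings.append(("powgoop_sideload", ev["id"]))
        elif kind == "dns" and suspicious_dns(ev["query"]):
            findings.append(("dns_tunnel", ev["id"]))
        elif kind == "network" and suspicious_network(ev):
            findings.append(("telegram_c2", ev["id"]))
    return findings


if __name__ == "__main__":
    for rule, event_id in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

Each heuristic is deliberately behavioural rather than hash- or IP-based, because the advisory stresses that the group refreshes its tooling; the entropy and length thresholds, the side-load path check, and the Telegram allow-list are the knobs to tune against a real estate's baseline before alerting on them.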

Conclusion

Highly motivated threat actors such as MuddyWater, armed with a broad range of malware sets, can conduct sophisticated espionage, intellectual property theft, and destructive malware campaigns. To stay protected, CISA recommends that organizations use multi-factor authentication wherever applicable, limit the use of administrator privileges, implement phishing protections, and prioritize patching known exploited vulnerabilities.

Publisher: Cyware