MuddyWater: The cyber-espionage group that targets Middle East countries

• The threat group primarily targets Middle East nations such as Saudi Arabia, Iraq, Israel, and the United Arab Emirates.
• The hacking tools used by the threat group includes Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, POWERSTATS backdoor, Powermud, and more.

MuddyWater threat group also known as Seedworm is an Iranian cyber-espionage group that primarily targets Middle East nations such as Saudi Arabia, Iraq, Israel, and the United Arab Emirates. The threat group also targets victims in India, the United States, Pakistan, and Turkey.

MuddyWater has been active throughout 2017, targeting organizations in the Middle East with phishing attacks between February and October 2017.

The hacking tools used by the threat group includes Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, POWERSTATS backdoor, Powermud, and more. The threat actor group has been associated with FIN7 threat group. Both the threat group have been spotted using DNSMessenger malware.

MuddyWater campaign targeting Saudi Arabia

In November 2017, Saudi Arabia was targeted as a part of the large hacking campaign. The campaign purported to come from the U.S. National Security Agency, Iraqi intelligence, Russian security firm Kaspersky, and the Kurdistan regional government. The emails included decoy documents with government logos to add legitimacy to the campaign.

MuddyWater campaign targeting Turkey, Pakistan, Tajikistan

In March 2019, MuddyWater campaign targeted Turkey, Pakistan, and Tajikistan. The campaign purported to come from government organizations such as the Ministry of Internal Affairs of the Republic of Tajikistan. The emails included malicious VBS file with government emblems and hundreds of hacked websites were used as proxies.

MuddyWater campaign distributes PRB backdoor

Researchers have spotted a new sample of the MuddyWater campaign targeting victims with Microsoft Word documents disguised as rewards or promotions. The documents were embedded with a malicious macro. This macro executes Powershell scripts that could download PRB backdoor payload.

PRB backdoor is capable of stealing passwords, reading and writing files to the computer, executing shell commands, recording keystrokes, capturing screenshots, gathering system information and updating its functions using commands from the server.

Targeting Turkish government organizations

In December 2018, researchers spotted a new PowerShell backdoor malware targeting Turkish government organizations connected to the energy and finance sectors. The new backdoor shares similarities with MuddyWater’s POWERSTATS backdoor.

This new backdoor is capable of harvesting information such as OS name, domain name, username, IP address, and more.

MuddyWater operations exposed via Telegram channels and Dark Web

In early May 2019, the operational data from the MuddyWater group has been published online via Telegram channels and websites on the Dark Web. The Green Leakers have put up for sale the data from the MuddyWater APT group on two Telegram channels and two Dark Web portals.

Since the data was put up for sale, the leakers did not release any tools for free. However, they posted the following,

• Images showing the source code of a C&C server used by the MuddyWater APT group.
• Images of MuddyWater C&C server backends
• Images of unredacted IP addresses of some of MuddyWater's victims.

BlackWater campaign

Recently, the threat group has updated its TTPs to bypass certain security controls while compromising systems as part of a new campaign dubbed BlackWater.

As part of the BlackWater campaign, the group has used an obfuscated Visual Basic for Applications (VBA) macro script which allows its malware to gain persistence on compromised Windows machines after the infection by adding a Run registry key.