MuddyWater Uses SloughRAT To Target Turkey and Arabian Peninsula

Ongoing attacks

• The recent wave of attacks launched by the hacking crew distributed malware-laced documents through phishing messages to deploy SloughRAT.
• The threat group is believed to have use unauthorized access to carry out espionage and theft of intellectual property by deploying ransomware and destructive malware on targeted networks.

Infection chain

• An Excel file laden with malicious macro triggers the infection chain to drop two Windows Script files on the endpoint, with the first one executing the next-stage payload.
• Further, two additional script-based implants are discovered, one coded in JavaScript and the other written in Visual Basic. Both are developed to download and execute arbitrary code and malicious commands on the networks of the targeted host.

Additional insights

• The recent intrusions appear to be a continuation of a November 2021 campaign targeting Turkish entities. In fact, the attacks overlapped in TTPs and regional targeting between the MuddyWater campaigns from March 2021.
• The similarities in tactics and techniques make it more likely that these attacks are distinct, yet have some connection with each other. Possibly they are sharing TTPs among different campaigns in the form of coordinated operational teams working separately.

Conclusion