Operation Quicksand: MuddyWater Group Dipping its Toes into Ransomware Deployments

MuddyWater, a known Iranian state-sponsored hacking group, has been deploying ransomware to hide intrusions in its recent attacks. Recently, it was found leveraging a new tool for its attack campaigns.

Latest discovery

ClearSky and Profero researchers have released a report linking a recent campaign with the MuddyWater group.
  • After close analysis, the ClearSky researchers attributed Operation Quicksand to the MuddyWater group.
  • The campaign mainly targeted many prominent organizations in Israel and other countries around the world.
  • This report links the MuddyWater group to the PowGoop downloader. In September, Palo Alto had published a report about the PowGoop variant of Thanos ransomware without attributing it to any known threat actor.

Primary attack vectors

The MuddyWater attack patterns included two primary attack vectors during their potentially destructive attacks.
  • Firstly, MuddyWater used phishing emails to send a malicious decoy document (PDF or Excel) that would download and install a malware strain (PowGoop) from the hackers' servers.
  • In the second scenario, MuddyWater relied on the exploitation of a remote code execution vulnerability (CVE-2020-0688) in unpatched Microsoft Exchange software and deploying the same payload via .aspx file (WebShell).
  • Additionally, MuddyWater used a few malicious files, as well as legitimate files, along with self-developed tools.

Last MuddyWater attack

Recently, the MuddyWatter group was found exploiting the Zerologon vulnerability (CVE-2020-1472) to take over domain controllers (DC) servers, the centerpieces of most enterprise networks that can enable intruders to gain full control over their targets.

Worth noting

MuddyWater has raised its level of sophistication over the past few years. Mainly in 2020, MuddyWater has switched its focus from stealthy intelligence collection to disruptive and destructive attack tactics. Operation Quicksand has raised a question about the MuddyWater’s involvement in past Thanos ransomware attacks.