By Asheer Malhotra, Vitor Ventura and Arnaud Zobec.
- Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries that we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran's Ministry of Intelligence and Security (MOIS).
- These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.
- Another new campaign targeting the Arabian peninsula deploys a WSF-based RAT we're calling "SloughRAT," identified as an implant called "canopy" by CISA in their advisory released in late February.
- Based on a review of multiple MuddyWater campaigns, we assess that the Iranian APT is a conglomerate of multiple teams operating independently rather than a single threat actor group.
- The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage and intellectual property theft and to deploy ransomware and destructive malware in an enterprise.
Executive summary
Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe.
Talos disclosed a MuddyWater campaign in January targeting Turkish entities that leveraged maldocs and executable-based infection chains to deliver multistage, PowerShell-based downloader malware. This group previously used the same tactics to target other countries in Asia, such as Armenia and Pakistan.
In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we're calling "SloughRAT," an implant known as "canopy" in CISA's most recent alert from February 2022 about MuddyWater.
This trojan, although obfuscated, is relatively simple and attempts to execute arbitrary code and commands received from its command and control (C2) servers.
Our investigation also led to the discovery of the use of two additional script-based implants: one written in Visual Basic (VB) (late 2021 - 2022) and one in JavaScript (2019 - 2020), which also downloads and runs arbitrary commands on the victim's system.
MuddyWater's variety of lures and payloads — along with the targeting of several different geographic regions — strengthens our growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor. These sub-groups have conducted campaigns against a variety of industries such as national and local governments and ministries, universities and private entities such as telecommunication providers. While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual property theft, and destructive or disruptive operations based on the victims they target.
A variety of campaigns analyzed are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. The MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns. We represent this progression in a detailed graphic in the first main section of this blog.