A new malicious campaign is being carried out by the Iranian-backed MuddyWater hacking group, targeting private Turkish enterprises and government agencies. Earlier this month, US Cyber Command (USCYBERCOM) linked this cyber-espionage cell (also known as SeedWorm, Mercury, or TEMP.Zagros) to Iran’s Ministry of Intelligence and Security (MOIS).
The group has been linked to cyberattacks on businesses in Central and Southwest Asia, as well as a range of public and private organizations in the telecoms, government (IT services), oil, and aviation sectors across Europe, Asia, and North America. In its attacks, the threat actors use several file formats, including PDFs, XLS files, and Windows executables, to deploy obfuscated PowerShell-based downloaders and obtain initial access to targeted networks.
According to a new report from Cisco Talos, MuddyWater is behind recent attacks on Turkish commercial companies and government bodies. The attacks begin with spear-phishing emails carrying files with Turkish names that appear to come from the country’s Health or Interior ministries.
MuddyWater uses two infection chains in this campaign. The first begins with the delivery of a PDF file containing an embedded button that, when clicked, opens an XLS file. These are standard XLS documents carrying malicious VBA macros that start the infection and maintain persistence by creating a new registry key. To avoid detection, a PowerShell downloader retrieves a VBScript, which is launched through a “living off the land” DLL and fetches the primary payload from the C2 server.
The second infection chain delivers an EXE file rather than an XLS, but it still relies on the PowerShell downloader, an intermediary VBScript, and a new registry key for persistence. The significant difference from previous campaigns is the use of canary tokens to monitor code execution and any subsequent infections on surrounding systems. The token is embedded in the malicious attachment or in the email itself; when the victim opens the bait and executes the macro, it fires and alerts the threat actors.
“The malicious VBA macros consisted of the same set of functionalities for creating the malicious VBS and PS1 scripts, and achieving persistence across reboots,” clarifies the Cisco Talos report. “However, there was one interesting addition to the macro functionality now. The latest versions of the VBA code deployed could make HTTP requests to a canary token from canarytokens.com.”
These tokens can also serve as anti-analysis tools: they give the actors execution timestamps and make it easier to spot activity caused by researchers or analysts rather than by real victims. Finally, if the token fires but the payload is never retrieved, the payload server is being blocked, which is useful information for the actors and prompts them to look for alternative delivery options.
Based on the identified technical indicators, tactics, procedures, and C2 infrastructure, the researchers attribute these attacks to MuddyWater. Some of the C2 IP addresses used in this campaign had previously been identified by Turkish authorities and are included in official threat alerts. Cisco also has substantial evidence pointing to Iranian perpetrators in the form of code and metadata similarities, as well as other indicators it did not disclose owing to intelligence-sharing sensitivities.
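The infection chain and the canary-token behaviour described above give a defender three concrete things to look for on an endpoint: an Office process handing off to a script host, a Run-key write from that document chain, and a request to canarytokens.com from a document-handling process. The rule set below is an added example written for this page, not code from the article or from Cisco Talos; the event schema, process names, registry path and the telemetry it runs over are all constructed for the demo, and the report does not name the "living off the land" DLL, so the script-host list beyond PowerShell and the VBScript hosts is an assumption.

```python
"""
Added example (not from the Cisco Talos report or this article): a small
rule set that flags, over constructed endpoint telemetry, the three
behaviours the article describes for this campaign:

  1. an Office process spawning a script host (the macro launching the
     PowerShell downloader / VBScript),
  2. a Run-key write from the document chain (the persistence registry key),
  3. a DNS lookup of canarytokens.com from a document-handling process
     (the canary token "phoning home").

The event schema, process names, registry path and sample events are
constructed for this demo; the report does not publish its telemetry.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# PowerShell and the VBScript hosts come from the article; rundll32 and
# regsvr32 are included only as common "living off the land" DLL launchers
# (assumption: the article does not name the DLL that is used).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
CANARY_DOMAIN = "canarytokens.com"


@dataclass
class Alert:
    rule: str
    event: dict


def _proc(image_path):
    """Basename of a process image, lower-cased ('C:\\...\\EXCEL.EXE' -> 'excel.exe')."""
    return image_path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event that matches a rule.

    Processes spawned by an Office parent are tracked by pid, so that later
    registry or DNS events from the downloader (or its children) are still
    attributed to the document chain rather than judged on their own.
    """
    alerts = []
    chain_pids = set()
    for ev in events:
        kind = ev["type"]
        in_chain = ev["pid"] in chain_pids or _proc(ev["image"]) in OFFICE_PARENTS
        if kind == "process_create":
            parent, child = _proc(ev["parent_image"]), _proc(ev["image"])
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                chain_pids.add(ev["pid"])
                alerts.append(Alert("office_spawns_script_host", ev))
            elif ev["parent_pid"] in chain_pids:
                # e.g. the VBScript launched by the PowerShell downloader
                chain_pids.add(ev["pid"])
        elif kind == "registry_set":
            if in_chain and RUN_KEY_RE.search(ev["key"]):
                alerts.append(Alert("run_key_persistence_from_document_chain", ev))
        elif kind == "dns_query":
            if in_chain and ev["query"].lower().endswith(CANARY_DOMAIN):
                alerts.append(Alert("canary_token_callback", ev))
    return alerts


# Constructed telemetry: a document chain (pids 1001-1003) followed by
# benign administrative activity (pid 2001) that must not fire.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"  # constructed
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1001, "parent_pid": 900,
     "image": EXCEL, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "pid": 1001, "image": EXCEL,
     "query": "abc123.canarytokens.com"},                     # macro hits the token
    {"type": "registry_set", "pid": 1001, "image": EXCEL, "key": RUN_KEY},
    {"type": "process_create", "pid": 1002, "parent_pid": 1001,
     "image": PS, "parent_image": EXCEL},                     # PowerShell downloader
    {"type": "process_create", "pid": 1003, "parent_pid": 1002,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": PS},
    {"type": "process_create", "pid": 2001, "parent_pid": 900,
     "image": PS, "parent_image": r"C:\Windows\explorer.exe"},  # admin shell
    {"type": "registry_set", "pid": 2001, "image": PS, "key": RUN_KEY},
    {"type": "dns_query", "pid": 2001, "image": PS, "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule}: pid={a.event['pid']} image={_proc(a.event['image'])}")
```

Note the design choice in the registry rule: a Run-key write on its own is not flagged (the admin shell writes the same key without an alert), only one made by an Office process or by something it spawned. That keeps the rule tied to the document-borne chain the article describes instead of alerting on every persistence write on the host.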