New Malware Campaign by Iranian Hackers Targets Turkey and Arabian Peninsula 


MuddyWater, an Iranian state-sponsored threat actor, has been linked to a fresh wave of attacks to distribute remote access trojans (RATs) on compromised computers in Turkey and the Arabian Peninsula. 

“The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise,” Cisco Talos researchers Asheer Malhotra, Arnaud Zobec, and Vitor Ventura said in a recently published report. 

The gang, which has been operating since at least 2017, is renowned for attacks on various industries that aid Iran’s geopolitical and national security goals. The US Cyber Command ascribed the actor to the country’s Ministry of Intelligence and Security (MOIS) in January 2022. MuddyWater is also thought to be a “conglomerate of multiple teams operating independently rather than a single threat actor group,” the cybersecurity firm said, making it an umbrella actor similar to Winnti, a China-based advanced persistent threat (APT). 

The hacker group’s most recent efforts involve malware-laced documents delivered via phishing emails to introduce a remote access trojan known as SloughRAT (aka Canopy by CISA), which can execute arbitrary code and commands received from its command-and-control (C2) servers. The infection chain is triggered by the maldoc, an Excel file containing a malicious macro, which drops two Windows Script Files (.WSF) on the endpoint; the first acts as the instrumentor that calls and executes the next-stage payload. 

Two further script-based implants, written in Visual Basic and JavaScript, were also uncovered. These are designed to download and perform malicious commands on the infected host. Furthermore, the recent incursions are a continuation of a November 2021 campaign that used PowerShell-based backdoors to acquire information from Turkish private businesses and government entities, as well as overlaps with another campaign that occurred in March 2021. 

Based on the similarity in tactics and methods used by the operators, the researchers speculated that the assaults are “distinct, yet related, clusters of activity,” with the operations employing a “broader TTP-sharing paradigm, typical of coordinated operational teams.” In a second, partial attack sequence identified by Cisco Talos between December 2021 and January 2022, the adversary set up scheduled tasks to retrieve VBS-based malicious downloaders, which execute payloads acquired from a remote server; the output of the executed command is then sent back to the C2 server for further processing. 
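The two behaviours described above (an Office macro dropping and launching .WSF files, and scheduled tasks that run VBS downloaders) are the kind of parent-child and command-line patterns a SOC can hunt for in endpoint telemetry. The following is an added example, not code from the Talos report or this article: a small Python triage over constructed Sysmon-style process-creation events. The field names, paths and sample events are assumptions built for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative only, not indicators from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xls'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'wscript.exe C:\Users\u\AppData\Local\Temp\stage1.wsf'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks /create /sc minute /mo 30 /tn Updater /tr "wscript.exe C:\ProgramData\dl.vbs"'},
    # Benign-looking control case: a user running a script from Explorer.
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe C:\Users\u\Documents\cleanup.vbs'},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(wsf|vbs|js)\b", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one process-creation event, or None."""
    img = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    # Office application launching a Windows script host on a .wsf/.vbs/.js file
    if img in SCRIPT_HOSTS and parent in OFFICE_APPS and SCRIPT_EXT.search(cmd):
        return "office-spawned-script-host"
    # Scheduled task whose action is a script host running a script file
    if img == "schtasks.exe" and "/create" in cmd.lower():
        if any(h in cmd.lower() for h in SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd):
            return "scheduled-task-runs-script-downloader"
    return None


def scan(events):
    """Return (command_line, label) pairs for every event that matches a rule."""
    return [(e["command_line"], label) for e in events if (label := classify(e))]
```

The fourth event is deliberately not flagged: the parent-process check is what separates a user double-clicking a script from a macro-driven launch.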

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
