MuddyWater, an Iranian state-sponsored threat actor, has been linked to a new wave of attacks distributing remote access trojans (RATs) to compromised computers in Turkey and the Arabian Peninsula.
“The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise,” Cisco Talos researchers Asheer Malhotra, Arnaud Zobec, and Vitor Ventura said in a recently published report.
The group, which has been active since at least 2017, is known for attacks on a range of industries in support of Iran's geopolitical and national security goals. US Cyber Command attributed the actor to the country's Ministry of Intelligence and Security (MOIS) in January 2022. MuddyWater is also thought to be a "conglomerate of multiple teams operating independently rather than a single threat actor group," the cybersecurity firm said, making it an umbrella actor comparable to Winnti, a China-based advanced persistent threat (APT).
The group's latest campaign uses malicious documents delivered through phishing emails to deploy a remote access trojan tracked as SloughRAT (called Canopy by CISA), which can execute arbitrary code and commands received from its command-and-control (C2) servers. The infection chain starts with the maldoc, an Excel file carrying a malicious macro; when the macro runs, it drops two Windows Script Files (.WSF) on the endpoint, the first of which acts as the instrumentor that invokes and executes the next-stage payload.
Based on the similarities in the tactics and techniques used by the operators, the researchers assess that the attacks are "distinct, yet related, clusters of activity," with the operations following a "broader TTP-sharing paradigm, typical of coordinated operational teams." In a second, partially observed attack sequence identified by Cisco Talos between December 2021 and January 2022, the adversary created scheduled tasks to retrieve VBS-based malicious downloaders, which in turn execute payloads fetched from a remote server. The output of the executed command is then sent back to the C2 server for further processing.
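Both delivery chains described above, Excel macro dropping .WSF files that a Windows Script Host interpreter executes, and scheduled tasks that launch VBS downloaders, leave the same kind of trace in process-creation telemetry. The following is an added hunting example, not code from the Cisco Talos report or from the actor's tooling. It runs three simple rules over a handful of constructed, Sysmon-style process-creation events; the field names (`EventId`, `Image`, `ParentImage`, `CommandLine`), the sample paths and task names, and the heuristic that a script host whose parent is `svchost.exe` was started by the Task Scheduler service are all assumptions made for illustration.

```python
"""Hunt for MuddyWater-style script-based delivery in process-creation events.

Added example; not Cisco Talos code. Event field names and the sample
log lines below are constructed for illustration.
"""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows Script Files and VBScript payloads referenced on the command line.
SCRIPT_FILE = re.compile(r"\.(?:wsf|vbs|vbe)\b", re.IGNORECASE)
# Locations a phished user (or a macro running as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules are case-insensitive."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule that fires on one process-creation event."""
    hits = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    lcmd = cmd.lower()

    # Rule 1: the maldoc stage. An Office application should not be the parent
    # of a script host that is handed a .wsf/.vbs file.
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS and SCRIPT_FILE.search(cmd):
        hits.append("office_spawns_script_host")

    # Rule 2: persistence for the downloader. schtasks /create whose task action
    # runs wscript/cscript against a script file.
    if (
        image == "schtasks.exe"
        and "/create" in lcmd
        and any(host in lcmd for host in SCRIPT_HOSTS)
        and SCRIPT_FILE.search(cmd)
    ):
        hits.append("schtasks_persists_script_host")

    # Rule 3: the task firing. Assumption: a script host whose parent is
    # svchost.exe was launched by the Task Scheduler service; flag it when the
    # script lives in a user-writable directory.
    if (
        image in SCRIPT_HOSTS
        and parent == "svchost.exe"
        and SCRIPT_FILE.search(cmd)
        and USER_WRITABLE.search(cmd)
    ):
        hits.append("scheduled_script_host_user_writable")

    return hits


def hunt(jsonl: str) -> list[tuple[int, str]]:
    """Run every rule over newline-delimited JSON events; return (EventId, rule) pairs."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for rule in classify(event):
            findings.append((event["EventId"], rule))
    return findings


# Constructed sample telemetry (not real logs). Events 1-3 model the chain in
# the text; events 4 and 5 are benign activity that must not fire.
SAMPLE_LOG = r"""
{"EventId": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.wsf\""}
{"EventId": 2, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 30 /tn \"SystemUpdate\" /tr \"wscript.exe //e:vbscript C:\\ProgramData\\sys.vbs\" /f"}
{"EventId": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "wscript.exe //e:vbscript C:\\ProgramData\\sys.vbs"}
{"EventId": 4, "Image": "C:\\Windows\\System32\\cscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dli"}
{"EventId": 5, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"EXCEL.EXE\" C:\\Users\\alice\\Downloads\\invoice.xls"}
"""

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_LOG):
        print(f"event {event_id}: {rule}")
```

Rules 1 and 2 key directly on what the text describes (an Excel macro handing .WSF files to a script host, and scheduled tasks that run VBS downloaders); rule 3 is the weaker, follow-on signal of the task actually firing and will need tuning per environment, since legitimate tasks also run scripts from ProgramData.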