Threats Feed
MuddyWater Campaign Targets Israeli Organizations with RMM Tool Misuse
Sophos MDR has identified a targeted phishing campaign, attributed with moderate confidence to the Iranian-linked threat actor group MuddyWater (TA450), which targeted organisations in Israel. The campaign involved phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, using a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and creating a backup of the SYSTEM registry hive, which Sophos behavioural rules detected and blocked. Post-compromise activities included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading another remote management tool, Level RMM, via an obfuscated PowerShell command. This campaign's tactics align with previously reported TA450 activity and highlight the group's abuse of legitimate software for malicious purposes.
Phishing Attack in Armenia Shows Possible MuddyWater TTPs with PowerShell Use
A recent phishing campaign has targeted Armenian individuals through a benign Word document containing a link that directs users to a fake CAPTCHA page. Victims who follow the prompts inadvertently activate a "PasteJacking" technique, where malicious PowerShell code is silently copied and executed in the system's Run box. This script installs PDQ RMM, a legitimate remote management tool, granting attackers remote access without relying on traditional malware. Indicators point to possible attribution to MuddyWater, based on specific social engineering tactics, PowerShell usage, and open-source adaptations, although a definitive link remains unconfirmed. The incident underscores the use of targeted social engineering attacks against Armenian-speaking users, with potential geopolitical implications.
MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor
MuddyWater has ramped up cyber activities targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal amid the Israel-Hamas war. Their campaigns utilize phishing emails from compromised accounts, deploying RMM tools like Atera Agent and the new BugSleep backdoor. BugSleep, under continuous development, executes commands and transfers files to C&C servers. The group targets various sectors, including Israeli municipalities, airlines, and journalists. They exploit platforms like Egnyte for phishing and use techniques such as sandbox evasion and process injection. Over 50 spear phishing emails have targeted multiple sectors since February 2024.
MuddyWater Shifts Tactics: New MuddyRot Malware in Spear Phishing Attacks
The MuddyWater group has updated its tactics in targeting entities in Turkey, Azerbaijan, Jordan, Saudi Arabia, and Israel. The group shifted from using the Atera RMM tool to deploying a new implant called MuddyRot. Recent campaigns involved spear phishing with PDF-embedded links, leading to malware downloads. MuddyRot features reverse shell capabilities, dynamic API loading, and obfuscated communication over port 443. It establishes persistence via scheduled tasks and exploits public-facing applications for initial access. This campaign primarily targets sectors involving Western and Middle Eastern entities.
Seedworm Leverages Atera Agent in Sophisticated Spear-Phishing Scheme
Seedworm, also known as MuddyWater, is exploiting the Atera Agent, a legitimate remote monitoring and management (RMM) tool, in its spear-phishing campaigns. The group uses Atera's 30-day free trial offers to register agents with compromised email accounts, enabling it to access targeted systems remotely without needing its own command-and-control infrastructure. The tool's capabilities include file upload/download, interactive shell access, and AI-powered command assistance through Atera's web UI. Seedworm distributes the malicious RMM installers hosted on free file platforms via spear-phishing emails, though the specific targeted countries and sectors are not mentioned in the report.
MuddyWater Expands Cyber Espionage Tactics Using Atera Agents Across Multiple Sectors
The Iranian state-sponsored threat actor MuddyWater has escalated its cyberattacks using the Atera Agent, a legitimate remote monitoring and management (RMM) tool. By exploiting Atera's free trial offers, MuddyWater registered agents with compromised or purpose-created email accounts and distributed them through spearphishing campaigns. The group's advanced social engineering and operational security tactics facilitated stealthier operations. Targeted sectors include Airlines, IT, Telecommunications, Pharmaceuticals, Automotive Manufacturing, Logistics, Travel and Tourism, and Employment/Immigration agencies across Israel, India, Algeria, Turkey, Italy, and Egypt.
MuddyWater Group Adopts New Tactics in Spear-Phishing Campaigns
In October 2023, the MuddyWater APT group launched new campaigns targeting North and East Africa with its MuddyC2Go toolkit, shifting to Atera, ConnectWise ScreenConnect, Advanced Monitoring Tool, and MeshCentral RMM software in February 2024. These attacks, announced by the Israeli CERT and detected on social media, target specific organizations or individuals through spear-phishing emails containing malicious links or files. The group employs third-party file upload services, including onehub.com, freeupload.store, and others, for malware distribution. The attacks customize RMM software using compromised business email accounts to increase the likelihood of victim engagement. The targeted sectors include telecommunications, with a notable attack on a Turkish company, indicating a politically motivated campaign.
MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors
In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.
Phishing Campaign Targets Albanian Government with Microsoft Exchange Vulnerability
A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.
MuddyWater Upgrades: The Emergence of PhonyC2 Framework
Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage, and it is being used in active PaperCut exploitation. Code analysis revealed structural and functional similarities to MuddyWater's previous C2 framework (MuddyC3), reinforcing the attribution.
MuddyWater APT: Iran's Cyber Espionage Across the Middle East and Beyond
MuddyWater, an Iranian state-sponsored APT linked to the Ministry of Intelligence and Security (MOIS), focuses on cyber espionage and IP theft, occasionally using ransomware to disguise its activities. Active since 2017, the group primarily targets the Middle East, including Turkey, Israel, the UAE and Pakistan, with attacks extending to Europe, Asia, Africa and North America. Its targets span the government, defence, healthcare, energy, financial services, and education sectors. Using spear phishing, DNS tunneling and tools such as SimpleHelp, PowerShell and PowGoop, MuddyWater employs credential dumping, lateral movement and persistent remote access. Recent campaigns include phishing attacks against Turkish agencies and Israeli companies.
Spearphishing and Syncro: The Tools of MuddyWater's Recent Cyber Attacks
The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.
MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations
The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.
MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan
The Iranian-linked conglomerate MuddyWater, utilizing subgroups focused on regional targets, has launched sophisticated cyberattacks against Turkey, Armenia, and Pakistan through various campaigns. Employing tactics such as spearphishing with malicious attachments, PowerShell-based downloaders, and maldoc-based infection vectors, these campaigns primarily leveraged obfuscated files and malicious macros to establish persistence, execute arbitrary commands, and gather system information. Notably, the attackers used a token-tracking system to monitor infection success rates and deployed the SloughRAT for command and control, alongside VBS and JS-based downloaders for further infiltration.
Analysis of MuddyWater Malware Targeting Diverse International Sectors
The analysis by multiple cybersecurity agencies, including the FBI and NSA, reveals MuddyWater's extensive use of the POWGOOP malware family among other malicious tools in cyber espionage activities. Targeting sectors such as telecommunications, defense, local government, and oil and natural gas, MuddyWater has impacted organizations across Asia, Africa, Europe, and North America. The analyzed malware employed techniques like DLL side-loading, PowerShell scripts for command execution, and data exfiltration via encrypted channels to C2 servers. These actions are part of a broader Iranian government-sponsored initiative, indicating a significant threat to global security infrastructure.
MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors
The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.
Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East
The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.
MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion
The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.
MuddyWater APT Group Linked to Steganography-Based Malware Attack
A new malware strain, potentially linked to the MuddyWater APT group, uses Word files with macros to deploy PowerShell scripts from GitHub, which then download an image from Imgur. The image's pixel values decode a Cobalt Strike payload. This method, involving steganography, enables attackers to execute commands and establish remote control over Windows systems. The attack primarily targets Middle Eastern entities, using phishing emails to distribute malicious Word documents.
Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics
In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.
Breathing New Life into MuddyC3: Unveiling the Upgraded Tools of MuddyWater
In this report, the MuddyC3 tool used by MuddyWater is brought back to life. A group called "Green Leakers" on Telegram was the first to publish some information on it, which prompted the author of the article to pursue the full technical details of the tool. This Python 2.7 tool operates as a C2 server, deploying a PowerShell payload to the targeted system. The payload collects system information and reports back to the C2 server. Notably, the tool includes Base64-encoded PowerShell code to bypass AV detection.