Threats Feed

In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage and it's used in an active PaperCut exploitation. The code analysis revealed structural and functional similarities to MuddyWater's previous C2 frameworks (MuddyC3), reinforcing the attribution.

MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation targeting on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, extensive reconnaissance, persistence establishment, and lateral movement within the network. High-privilege credentials were used to create widespread destruction of resources. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails internally and externally impersonating high-ranking employees.

The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.

The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.

The Iranian APT group ENT-11, also known as MuddyWater, has been using a variant of the PowGoop malware, dubbed "E400", targeting foreign governments, telecommunications, energy sectors, intergovernmental economic cooperation organizations, and the banking sector, primarily in the Middle East. Insights from NTT Security revealed dozens of PowGoop command and control servers dating back to October 2020. The group appears to be winding down operations with the E400-PowGoop variant, but it is expected to continue modifying its tools and creating new variants.

The Iranian cyber espionage group UNC3313, also known as TEMP.Zagros and MuddyWater, has been identified as the perpetrator of a series of cyber attacks on Middle Eastern government and technology entities. The group used new targeted malware, GRAMDOOR and STARWHALE, to exploit vulnerabilities and gain unauthorized access. UNC3313 also utilized publicly available remote access software and modified open-source offensive security tools for lateral movement within the targeted systems. The group's activities suggest a strong focus on geopolitical targets and the telecommunications sector in the Middle East. The use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user behavior, indicating the group's efforts to evade detection.

The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.

The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.

An espionage campaign tentatively linked to the Iranian-backed Seedworm group has been using compromised organizations as stepping stones to additional victims or targets that may have been compromised solely to perform supply-chain-type attacks on other organizations. The attackers primarily used legitimate tools, publicly available malware, and living-off-the-land tactics, with a significant interest in Exchange Servers. While the ultimate end goal remains unknown, the focus on telecom operators suggests the attackers are gathering intelligence on the sector, potentially pivoting into communications surveillance.

The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.

The cyberespionage group, Static Kitten, launched a cyber attack primarily targeting the government sectors of the United Arab Emirates (UAE) and Kuwait. Using geopolitical lures and masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait, the attackers aimed to install a remote management tool called ScreenConnect on victims' devices. The campaign involved phishing emails, URL masquerading, and delivering ZIP files that purport to contain relevant documents but instead initiate the ScreenConnect installation process.

The espionage group Seedworm (aka MuddyWater) has been actively targeting government organizations, telecoms, and computer services sectors across the Middle East, including Iraq, Turkey, Kuwait, the United Arab Emirates, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia, and Vietnam. Seedworm's recent activities, linked to the PowGoop tool, involve PowerShell usage, credential dumping, and DLL side-loading. The group establishes connections to its infrastructure using Secure Sockets Funneling and Chisel while deploying PowGoop through remote execution tools. The connection between PowGoop and Seedworm remains tentative, suggesting potential retooling.

In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.

Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.

The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.

The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros, thereby initiating malware extraction and execution. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.

A potential MuddyWater campaign has been discovered using a new sample found in May 2018. The campaign involves a malicious Microsoft Word document with an embedded macro capable of executing PowerShell scripts, leading to a PRB-Backdoor payload. Notably, the lure document's subject matter has changed from government or telecommunications-related documents to rewards or promotions, suggesting that targets may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform various functions, such as gathering system information, keylogging, and capturing screenshots.

This report investigates the PRB-Backdoor, a powerful and multifunctional piece of malware suspected to be associated with the MuddyWater group. The malware is deployed via a macro-enabled Word document, utilizing PowerShell scripts for execution. It employs obfuscation techniques to conceal its activities and communicates with a command and control server over HTTP. The backdoor has a plethora of functionalities, including keylogging, screen capturing, system information collection, and password theft. The backdoor seems to be new and unique, with no references found in any public source.

The MuddyWater or Temp.Zagros group has resumed its activities after a perceived quiet phase, with recent samples revealing additional obfuscation layers. The group continues to use PowerShell, targeting regions such as Turkey, Iraq, and Pakistan, with a potential focus on governmental sectors. The recent malicious documents include a new variant of the POWERSTATS backdoor, with anti-analysis and debugging features such as BSOD functionality. They have also included checks for security software and process names to impair defensive measures.

The Iran-affiliated threat actor, TEMP.Zagros, orchestrated a spear-phishing campaign from January to March 2018, primarily targeting individuals across Turkey, Pakistan, Tajikistan, and India. This actor leveraged malicious macro-based documents with geopolitical themes to install the POWERSTATS backdoor on victims' systems. The campaign exhibited evolving tactics over time, employing both VBS files and INF/SCT files to indirectly execute PowerShell commands. The installed malware demonstrated a range of functionalities, from system data extraction and screenshot capture to checks for security tools and remote command execution.