Latest Update22/11/2024

Threats Feed

  1. Public

    MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors

    In March 2024, the National Cyber Directorate of Israel detected a sophisticated phishing campaign attributed to the Iranian group MuddyWater. This campaign, primarily targeting government and local government sectors in Israel, employs phishing emails with links to malicious ZIP files hosted on Onehub. These files contain the ScreenConnect tool, which enables remote control over compromised computers, allowing for sustained network access. MuddyWater is known for its expertise in social engineering and exploiting vulnerabilities, actively targeting sectors like aviation, academia, communications, government, and energy. Their focus is on maintaining a stealthy presence to facilitate further malicious activities.

    read more about MuddyWater's Covert Phishing Campaign Targets Israeli Government Sectors
  2. Public

    Phishing Campaign Targets Albanian Government with Microsoft Exchange Vulnerability

    A phishing malware campaign targeting Albanian governmental entities was discovered, involving an archived file named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations, exploiting CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed techniques for screen capture, anti-analysis, and system discovery. The malicious program requires Administrator or SuperUser privileges to execute, indicating an intent to evade detection and exploit higher-level system resources.

    read more about Phishing Campaign Targets Albanian Government with Microsoft Exchange Vulnerability
  3. Public

    MuddyWater Upgrades: The Emergence of PhonyC2 Framework

    Deep Instinct's research team has uncovered a new Command and Control (C2) framework named PhonyC2, which is believed to be linked to the threat group MuddyWater. The PhonyC2 framework was found on a server connected to infrastructure previously used by MuddyWater in various cyberattacks, including the assault on Technion in Israel. This discovery suggests PhonyC2 is MuddyWater's latest tool for orchestrating cyber espionage and it's used in an active PaperCut exploitation. The code analysis revealed structural and functional similarities to MuddyWater's previous C2 frameworks (MuddyC3), reinforcing the attribution.

    read more about MuddyWater Upgrades: The Emergence of PhonyC2 Framework
  4. Public

    MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments

    MERCURY and DEV-1084, associated with the Iranian government, orchestrated a destructive operation targeting on-premises and cloud environments under the guise of a standard ransomware campaign. The attack chain involved exploiting unpatched vulnerabilities for initial access, extensive reconnaissance, persistence establishment, and lateral movement within the network. High-privilege credentials were used to create widespread destruction of resources. The attackers also breached Azure AD environments to cause further damage and data loss. They conducted extensive mailbox operations and sent emails internally and externally impersonating high-ranking employees.

    read more about MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments
  5. Public

    Spearphishing and Syncro: The Tools of MuddyWater's Recent Cyber Attacks

    The MuddyWater group has launched a campaign targeting countries including Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the UAE. The group has employed the remote administration tool "Syncro" and used spear-phishing techniques, leveraging Dropbox and OneDrive to deliver the malicious Syncro MSI installer. The threat actors also utilized legitimate corporate email accounts to distribute their phishing emails. The sectors notably targeted include the data hosting, hospitality, and insurance sectors.

    read more about Spearphishing and Syncro: The Tools of MuddyWater's Recent Cyber Attacks
  6. Public

    MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel

    The Iran-based threat actor MERCURY, linked to Iran's Ministry of Intelligence and Security (MOIS), was detected exploiting Log4j 2 vulnerabilities in SysAid applications against organizations in Israel. Using these exploits for initial access, MERCURY established persistence, dumped credentials, and moved laterally within the targeted organizations. The actor also utilized both custom and well-known hacking tools alongside built-in operating system tools. Microsoft has implemented detections against MERCURY's tools in its Defender Antivirus and Defender for Endpoint and has directly notified customers targeted or compromised by MERCURY.

    read more about MERCURY Turns to SysAid Applications for Targeted Cyberattacks in Israel
  7. Public

    MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations

    The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.

    read more about MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations
  8. Public

    ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

    The Iranian APT group ENT-11, also known as MuddyWater, has been using a variant of the PowGoop malware, dubbed "E400", targeting foreign governments, telecommunications, energy sectors, intergovernmental economic cooperation organizations, and the banking sector, primarily in the Middle East. Insights from NTT Security revealed dozens of PowGoop command and control servers dating back to October 2020. The group appears to be winding down operations with the E400-PowGoop variant, but it is expected to continue modifying its tools and creating new variants.

    read more about ENT-11: Iranian APT Group's PowGoop Attacks Uncovered
  9. Public

    The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected

    The Iranian cyber espionage group UNC3313, also known as TEMP.Zagros and MuddyWater, has been identified as the perpetrator of a series of cyber attacks on Middle Eastern government and technology entities. The group used new targeted malware, GRAMDOOR and STARWHALE, to exploit vulnerabilities and gain unauthorized access. UNC3313 also utilized publicly available remote access software and modified open-source offensive security tools for lateral movement within the targeted systems. The group's activities suggest a strong focus on geopolitical targets and the telecommunications sector in the Middle East. The use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user behavior, indicating the group's efforts to evade detection.

    read more about The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected
  10. Public

    MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

    The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.

    read more about MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors
  11. Public

    Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East

    The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.

    read more about Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East
  12. Public

    Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services

    An espionage campaign tentatively linked to the Iranian-backed Seedworm group has been using compromised organizations as stepping stones to additional victims or targets that may have been compromised solely to perform supply-chain-type attacks on other organizations. The attackers primarily used legitimate tools, publicly available malware, and living-off-the-land tactics, with a significant interest in Exchange Servers. While the ultimate end goal remains unknown, the focus on telecom operators suggests the attackers are gathering intelligence on the sector, potentially pivoting into communications surveillance.

    read more about Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services
  13. Public

    MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion

    The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.

    read more about MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion
  14. Public

    Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors

    The cyberespionage group, Static Kitten, launched a cyber attack primarily targeting the government sectors of the United Arab Emirates (UAE) and Kuwait. Using geopolitical lures and masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait, the attackers aimed to install a remote management tool called ScreenConnect on victims' devices. The campaign involved phishing emails, URL masquerading, and delivering ZIP files that purport to contain relevant documents but instead initiate the ScreenConnect installation process.

    read more about Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors
  15. Public

    Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections

    The espionage group Seedworm (aka MuddyWater) has been actively targeting government organizations, telecoms, and computer services sectors across the Middle East, including Iraq, Turkey, Kuwait, the United Arab Emirates, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia, and Vietnam. Seedworm's recent activities, linked to the PowGoop tool, involve PowerShell usage, credential dumping, and DLL side-loading. The group establishes connections to its infrastructure using Secure Sockets Funneling and Chisel while deploying PowGoop through remote execution tools. The connection between PowGoop and Seedworm remains tentative, suggesting potential retooling.

    read more about Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections
  16. Public

    Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics

    In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

    read more about Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics
  17. Public

    MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector

    The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.

    read more about MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector
  18. Public

    Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors

    Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.

    read more about Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors
  19. Public

    MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman

    The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.

    read more about MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman
  20. Public

    MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors

    The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros, thereby initiating malware extraction and execution. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.

    read more about MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors
  21. Public

    Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload

    A potential MuddyWater campaign has been discovered using a new sample found in May 2018. The campaign involves a malicious Microsoft Word document with an embedded macro capable of executing PowerShell scripts, leading to a PRB-Backdoor payload. Notably, the lure document's subject matter has changed from government or telecommunications-related documents to rewards or promotions, suggesting that targets may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform various functions, such as gathering system information, keylogging, and capturing screenshots.

    read more about Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload
  22. Public

    PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered

    This report investigates the PRB-Backdoor, a powerful and multifunctional piece of malware suspected to be associated with the MuddyWater group. The malware is deployed via a macro-enabled Word document, utilizing PowerShell scripts for execution. It employs obfuscation techniques to conceal its activities and communicates with a command and control server over HTTP. The backdoor has a plethora of functionalities, including keylogging, screen capturing, system information collection, and password theft. The backdoor seems to be new and unique, with no references found in any public source.

    read more about PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered
  23. Public

    Cyber Espionage Evolution: MuddyWater’s Obfuscation Techniques and Anti-Analysis Measures

    The MuddyWater or Temp.Zagros group has resumed its activities after a perceived quiet phase, with recent samples revealing additional obfuscation layers. The group continues to use PowerShell, targeting regions such as Turkey, Iraq, and Pakistan, with a potential focus on governmental sectors. The recent malicious documents include a new variant of the POWERSTATS backdoor, with anti-analysis and debugging features such as BSOD functionality. They have also included checks for security software and process names to impair defensive measures.

    read more about Cyber Espionage Evolution: MuddyWater’s Obfuscation Techniques and Anti-Analysis Measures
  24. Public

    Multi-Stage Spear Phishing Attack Traced to Iran: TEMP.Zagros in Action

    The Iran-affiliated threat actor, TEMP.Zagros, orchestrated a spear-phishing campaign from January to March 2018, primarily targeting individuals across Turkey, Pakistan, Tajikistan, and India. This actor leveraged malicious macro-based documents with geopolitical themes to install the POWERSTATS backdoor on victims' systems. The campaign exhibited evolving tactics over time, employing both VBS files and INF/SCT files to indirectly execute PowerShell commands. The installed malware demonstrated a range of functionalities, from system data extraction and screenshot capture to checks for security tools and remote command execution.

    read more about Multi-Stage Spear Phishing Attack Traced to Iran: TEMP.Zagros in Action