Latest Update: 16/09/2024

Threats Feed

  1. Public

    MuddyWater Targets Middle East Using POWERSTATS Backdoor

    The research team at Palo Alto Networks has discovered a group of targeted cyber-attacks against the Middle East region that occurred between February and October 2017, carried out by "MuddyWater". These attacks are espionage-related. The group used a PowerShell-based first-stage backdoor called "POWERSTATS", which evolved slowly over time, and targeted countries including the USA and India, as well as those within the Middle East like Saudi Arabia, Iraq, Israel, and the United Arab Emirates. The group also used GitHub to host its backdoor.

  2. Public

    Continuing MuddyWater Phishing Campaign Targets Middle East and Pakistan

    MuddyWater group continues its cyber-espionage operations, leveraging obfuscated PowerShell scripts within Word documents to infiltrate systems. These documents masquerade as legitimate entities, such as the Federal Investigation Agency of Pakistan. The tactics include sophisticated obfuscation techniques and a careful reconnaissance strategy, primarily focusing on the Middle East and Pakistan. The campaign deploys a variety of tools, including C&C servers and proxies, with a detailed focus on avoiding detection by analysis tools.

  3. Public

    Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs

    Entities in the Middle East, including Saudi Arabia and Iraq, were targeted by an early MuddyWater phishing campaign predominantly aimed at the government sector. Spear-phishing emails carrying malicious attachments were a key tactic, with PowerShell scripts being sourced from Pastebin and Filebin. To avoid detection, the attackers concealed their scripts. Upon examining the macro code and command and control scripts, parallels were found with a campaign previously discussed by Morphisec.
