Threats Feed | MuddyWater | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 06/06/2019

MuddyWater’s Advanced Tactics Exploit CVE-2017-0199 in Global Campaigns

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Malicious Macro
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Iranian APT group MuddyWater has expanded its tactics, targeting the government, telecommunications and military sectors in countries such as Tajikistan, Pakistan and Iraq. Its newer campaigns use decoy documents that exploit CVE-2017-0199 and carry malicious VBA macros, with second-stage payloads downloaded from compromised servers. The lures mainly impersonate entities in the region surrounding Iran, including Iraqi and Pakistani organisations. The group also deploys RATs that perform process detection, and obfuscates its tooling with techniques such as Base64 encoding and layered JavaScript. Compromised servers in Pakistan and China supported these operations, illustrating MuddyWater's sophisticated arsenal and its focus on espionage.

Detected Targets

Type     Description                        Confidence
Sector   Government Agencies and Services   Verified
Sector   Military                           Verified
Sector   Telecommunication                  Verified
Region   China                              High
Region   Cyprus                             Verified
Region   India                              Verified
Region   Iraq                               Verified
Region   Pakistan                           Verified
Region   Tajikistan                         Verified
Region   United Arab Emirates               Verified

Exploited Vulnerabilities

  • CVE-2017-0199

Extracted IOCs

  • 592f0d9d7185eadab0509fdafdc305ab
  • 65978dd3d6b3a518f465676aa6bd876e
  • 6cb076f1f42573c5c43083a89bcfe442
  • bb6fda2cdc852112544d2598a784d04f
  • beb6a4354549ae4f5579f25865ea8967
  • 4fe389bc1ea85896b4ebb6fe26aa40a6e3f8e9ca
  • 8d1464e0cac7ea8f37e83fd142212c95db20fe77
  • e2867e2255cad213fcc5752a7062882e92870c57
  • 0a9d295016417b00457d4a031b5c52eea41bcde3465ac517767d8795a6a213eb
  • 10157ab25bab7891068538111333a2101b987e930d5deb7bb60ed63cf7ca197d
  • 1dae45ea1f644c0a8e10c962d75fca1cedcfd39a88acef63869b7a5990c1c60b
  • 200c3d027b2d348b0633f8debbbab9f3efc465617727df9e3fdfa6ceac7d191b
  • 20bf83bf516b12d991d38fdc014add8ad5db03907a55303f02d913db261393a9
  • 951585840a07a6496b0270f1028281fcb65d5b9e9a6ed613ca8809b258ed729f
  • 98f0f2c42f703bfbb96de87367866c3cced76d5a8812c4cbc18a2be3da382c95
  • d5b7a5ae4156676b37543a3183df497367429ae2d01ef33ebc357c4bdd9864c3
  • d77d16c310cce09b872c91ca223b106f4b56572242ff5c4e756572070fac210f
  • f5ef4a45e19da1b94c684a6c6d51b86aec622562c45d67cb5aab554f21eb9061
  • 185[.]185.25.175
  • 185[.]244.14.218
  • 66[.]219.22.235
  • 83[.]171.238.62
  • hxxp://185[.]185.25.175/ref45[.]php
  • hxxp://185[.]185.25.175/sdownloads/
  • hxxp://185[.]185.25.175/upl[.]php

Tip: 25 IOCs related to this threat have been found (4 IP, 0 domain, 3 URL, 0 email, 18 file hash).
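As an added example, not part of the Certfa feed, the following Python script refangs the indicators listed above, buckets them into the same categories the Tip line counts, and then checks a few log lines for them with anchored, case-insensitive matching so that a short indicator cannot fire inside a longer IP or hash. The three sample log lines and all function names are constructed for the demonstration; the indicator values themselves are the ones on this page.

```python
import re
from collections import Counter

# Indicators exactly as listed on this page (defanged with hxxp:// and [.]).
PAGE_IOCS = [
    "592f0d9d7185eadab0509fdafdc305ab",
    "65978dd3d6b3a518f465676aa6bd876e",
    "6cb076f1f42573c5c43083a89bcfe442",
    "bb6fda2cdc852112544d2598a784d04f",
    "beb6a4354549ae4f5579f25865ea8967",
    "4fe389bc1ea85896b4ebb6fe26aa40a6e3f8e9ca",
    "8d1464e0cac7ea8f37e83fd142212c95db20fe77",
    "e2867e2255cad213fcc5752a7062882e92870c57",
    "0a9d295016417b00457d4a031b5c52eea41bcde3465ac517767d8795a6a213eb",
    "10157ab25bab7891068538111333a2101b987e930d5deb7bb60ed63cf7ca197d",
    "1dae45ea1f644c0a8e10c962d75fca1cedcfd39a88acef63869b7a5990c1c60b",
    "200c3d027b2d348b0633f8debbbab9f3efc465617727df9e3fdfa6ceac7d191b",
    "20bf83bf516b12d991d38fdc014add8ad5db03907a55303f02d913db261393a9",
    "951585840a07a6496b0270f1028281fcb65d5b9e9a6ed613ca8809b258ed729f",
    "98f0f2c42f703bfbb96de87367866c3cced76d5a8812c4cbc18a2be3da382c95",
    "d5b7a5ae4156676b37543a3183df497367429ae2d01ef33ebc357c4bdd9864c3",
    "d77d16c310cce09b872c91ca223b106f4b56572242ff5c4e756572070fac210f",
    "f5ef4a45e19da1b94c684a6c6d51b86aec622562c45d67cb5aab554f21eb9061",
    "185[.]185.25.175",
    "185[.]244.14.218",
    "66[.]219.22.235",
    "83[.]171.238.62",
    "hxxp://185[.]185.25.175/ref45[.]php",
    "hxxp://185[.]185.25.175/sdownloads/",
    "hxxp://185[.]185.25.175/upl[.]php",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so an indicator can be compared with raw log text."""
    return (ioc.strip()
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def classify(ioc: str) -> str:
    """Bucket an indicator into the feed's categories (with the hash subtype)."""
    v = refang(ioc)
    if re.match(r"https?://", v, re.I):
        return "url"                      # checked first: a URL may embed an IP
    if "@" in v:
        return "email"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v):
        return "ip"
    for kind, width in (("md5", 32), ("sha1", 40), ("sha256", 64)):
        if re.fullmatch(rf"[0-9a-f]{{{width}}}", v, re.I):
            return kind
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v, re.I):
        return "domain"
    return "unknown"


def summarize(iocs=PAGE_IOCS) -> dict:
    """Per-category counts in the same shape as the feed's Tip line."""
    c = Counter(classify(i) for i in iocs)
    return {"ip": c["ip"], "domain": c["domain"], "url": c["url"], "email": c["email"],
            "file hash": c["md5"] + c["sha1"] + c["sha256"], "total": sum(c.values())}


def scan_lines(lines, iocs=PAGE_IOCS):
    """Return (line_no, kind, indicator) for each indicator seen in the log lines.

    The lookarounds keep 185.185.25.175 from matching inside 1185.185.25.1751
    and keep a shorter hash from matching inside a longer hex string.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in iocs:
            ioc = refang(raw)
            if re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", line, re.I):
                hits.append((n, classify(raw), ioc))
    return hits


# Constructed sample proxy/EDR lines for the demo; they are not from the page.
SAMPLE_LOGS = [
    "2019-06-06T10:14:02Z proxy src=10.0.0.12 dst=185.185.25.175 url=http://185.185.25.175/ref45.php status=200",
    "2019-06-06T10:14:09Z proxy src=10.0.0.12 dst=93.184.216.34 url=http://example.com/ status=200",
    "2019-06-06T10:15:30Z edr host=WS-0042 action=file_create sha256=1DAE45EA1F644C0A8E10C962D75FCA1CEDCFD39A88ACEF63869B7A5990C1C60B",
]

if __name__ == "__main__":
    print(summarize())
    for hit in scan_lines(SAMPLE_LOGS):
        print("HIT", *hit)
```

`summarize()` reproduces the Tip line's 4/0/3/0/18 split, which is a quick sanity check that an indicator list was copied intact before it is loaded into a blocklist or SIEM lookup.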

Overlaps

MuddyWater: MuddyWater's Sophisticated Cyber Operations Target Geopolitical Foes in Asia and the Middle East

Source: Trend Micro - June 2019

Detection (nine cases): 185[.]185.25.175, hxxp://185[.]185.25.175/ref45[.]php, 1dae45ea1f644c0a8e10c962d75fca1cedcfd39a88acef63869b7a5990c1c60b, 200c3d027b2d348b0633f8debbbab9f3efc465617727df9e3fdfa6ceac7d191b, 20bf83bf516b12d991d38fdc014add8ad5db03907a55303f02d913db261393a9, 98f0f2c42f703bfbb96de87367866c3cced76d5a8812c4cbc18a2be3da382c95, d5b7a5ae4156676b37543a3183df497367429ae2d01ef33ebc357c4bdd9864c3, d77d16c310cce09b872c91ca223b106f4b56572242ff5c4e756572070fac210f, f5ef4a45e19da1b94c684a6c6d51b86aec622562c45d67cb5aab554f21eb9061

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.