Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 15/10/2020

Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics

  • Actor Motivations: Financial Gain, Sabotage
  • Attack Vectors: Ransomware, Wiper, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the cybersecurity company ClearSky. The operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of the Thanos ransomware via "PowGoop," a malicious loader disguised as a Google Update DLL. Combining spear-phishing, vulnerability exploitation and sophisticated malware delivery mechanisms, the campaign was geared toward destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

Detected Targets

Type     Description                         Confidence
Sector   Government Agencies and Services    Medium
Region   Israel                              Verified

Extracted IOCs

  • webhook[.]site
  • webmail.lax.co[.]il
  • 01160fd8afe8f133b7a95755ead39679
  • 1d6f241798818e6fdc03015d01e1e680
  • 2534e46be860170f2237c65749af4435
  • 2c3d8366b6ed1aa5f1710d88b3adb77d
  • 2e6169253a87a9d67037b1a238d46365
  • 2e7b4ae4baa704588248b425b8e027bf
  • 4d161d67c8cb5c44902b7ebaef131aaf
  • 5c000ef1e5c6f50cc32c6d70837bd1b2
  • b07d9eca8af870722939fd87e928e603
  • bbe9bb47f8dd8ba97250bf7f13187ab6
  • c938b18056ec17ac00bf0083844eafd8
  • dbadc2caee829baf5531703f6741a9d3
  • ee2d1e570be5d53a5c970339991e2fd7
  • fbe65cd962fc97192d95c40402eee594
  • 4a898c1a27385e7efd0a5eda8fb15ce81cbe2258b0f44a238a1f6a77fe169099
  • aa927a2e427f203c15c71678966890c8f55403a7c97bd6db9f531ed43e47bb18
  • f8bb7f04b367a2e261e2bde3eefd66ad858493f37d0c11c904341b52748f8a43
  • 185[.]117.75.101
  • 185[.]183.96.28
  • 185[.]183.96.61
  • 185[.]183.98.242
  • 185[.]244.149.215
  • 185[.]82.202.66
  • 185[.]82.202.70
  • 212[.]143.154.158
  • 46[.]4.105.116
  • hxxp://185[.]183.96.61:80/downloadc[.]php?key=
  • hxxp://185[.]183.98.242/default[.]php
  • hxxps://webhook[.]site/7c1564f7-4e3c-4082-b1f8-3b52da3d9941
  • hxxps://webhook[.]site/861f0c6f-238a-4878-8e44-0ca078ad9b2c
  • hxxps://webhook[.]site/f4c2dba3-bdba-44a3-b8b8-f292b6fb8a7b
  • hxxps://webmail.lax.co[.]il/owa/auth/current/script/jquery-3.5.1.min.js

Tip: 34 related IOCs (9 IP, 2 domain, 6 URL, 0 email, 17 file hash) to this threat have been found.

Overlaps

MuddyWater: MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (five cases): 1d6f241798818e6fdc03015d01e1e680, 2c3d8366b6ed1aa5f1710d88b3adb77d, b07d9eca8af870722939fd87e928e603, ee2d1e570be5d53a5c970339991e2fd7, fbe65cd962fc97192d95c40402eee594

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.