MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Downloader, Dropper, Malicious Macro, RAT, Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
The Iranian-linked conglomerate MuddyWater, utilizing subgroups focused on regional targets, has launched sophisticated cyberattacks against Turkey, Armenia, and Pakistan through various campaigns. Employing tactics such as spearphishing with malicious attachments, PowerShell-based downloaders, and maldoc-based infection vectors, these campaigns primarily leveraged obfuscated files and malicious macros to establish persistence, execute arbitrary commands, and gather system information. Notably, the attackers used a token-tracking system to monitor infection success rates and deployed the SloughRAT for command and control, alongside VBS and JS-based downloaders for further infiltration.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | Telecommunication | Verified |
| Sector | University | Verified |
| Region | Armenia | Verified |
| Region | Pakistan | Verified |
| Region | Turkey | Verified |
| Region | Middle East Countries | Verified |
Extracted IOCs
Tip: 36 related IOCs (6 IP, 2 domain, 13 URL, 0 email, 15 file hash) to this threat have been found.
Overlaps
| Source | Date | Detection | Overlapping IOCs |
|---|---|---|---|
| Deep Instinct | June 2023 | one case | 178[.]32.30.3 |
| Group-IB | April 2023 | one case | 178[.]32.30.3 |
| SOCRadar | January 2023 | four cases | 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c |
| Picussecurity | March 2022 | four cases | 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e, d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0, ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418 |
| CISA | February 2022 | eight cases | 5[.]199.133.149, 88[.]119.170.124, 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141, 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c, c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e, d77e268b746cf1547e7ed662598f8515948562e1d188a7f9ddb8e00f4fd94ef0, ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418, f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0 |
| Mandiant | February 2022 | one case | 5[.]199.133.149 |
| CISA | February 2022 | two cases | 5[.]199.133.149, 88[.]119.170.124 |
| Cisco Talos | January 2022 | three cases | 185[.]118.164.195, 5[.]199.133.149, 88[.]119.170.124 |
| Trakya University | September 2021 | one case | 185[.]118.164.195 |
| Secureworks | February 2020 | two cases | advanceorthocenter[.]com, lalindustries[.]com |
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Understanding the SloughRAT Campaign
Cisco Talos identified new cyber espionage campaigns targeting Turkey and the Arabian Peninsula. These attacks utilized a newly identified malicious tool called "SloughRAT" (a Windows Script File-based Trojan) and other malicious scripts to gain control over victim computers.
The attacks are attributed to MuddyWater (also known as MERCURY or Static Kitten). This is an Advanced Persistent Threat (APT) group that U.S. Cyber Command has linked to Iran's Ministry of Intelligence and Security (MOIS). The group appears to operate as a "conglomerate" of smaller, independent teams that share tools and tactics.
The primary goals are espionage and intellectual property theft. The group seeks to collect information on adversaries or regional partners to advance Iran's political and national security interests. In some past cases, they have also used ransomware to disrupt operations or destroy evidence.
The campaigns targeted a variety of sectors including national and local governments, ministries, universities, and private companies such as telecommunication providers. Geographically, the recent focus has been on Turkey, the Arabian Peninsula, Pakistan, and Armenia.
The attack usually begins with a phishing email containing a malicious document (like an Excel file). Once opened, the document uses hidden code (macros) to drop malicious scripts (PowerShell, VBS, or WSF) onto the computer. These scripts then contact a server controlled by the attackers to download further malicious tools and receive commands to steal data.
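The infection chain above (Office document, macro, dropped PowerShell/VBS/WSF script, outbound request) leaves a characteristic parent/child process trail that endpoint telemetry can catch. The detector below is an added example written for this page, not code from the report or from any vendor; it runs over a few constructed, Sysmon-style process-creation events and the field names, paths and scoring rules are assumptions for illustration.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //E:vbscript C:\Users\u\AppData\Local\Temp\update.wsf"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Roaming\s.ps1"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: interactive shell, no Office parent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",  # benign: Word spawning the print helper
     "cmdline": r"splwow64.exe 12288"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|wsf|js|ps1|hta)\b", re.I)      # dropped-script file types
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads)\\", re.I)
STEALTH_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event matches the maldoc -> script-host chain (empty = benign)."""
    reasons = []
    if basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS:
        reasons.append("office app spawned a script host")
        if SCRIPT_EXT.search(ev["cmdline"]):
            reasons.append("command line references a script file")
        if USER_WRITABLE.search(ev["cmdline"]):
            reasons.append("script sits in a user-writable directory")
        if STEALTH_FLAGS.search(ev["cmdline"]):
            reasons.append("hidden window or execution-policy bypass requested")
    return reasons


def find_suspicious(events):
    """Return (cmdline, reasons) for every event that matched at least one rule."""
    hits = [(ev["cmdline"], score_event(ev)) for ev in events]
    return [(cmd, reasons) for cmd, reasons in hits if reasons]
```

Only the two Excel-spawned script hosts are flagged; the interactive PowerShell session and Word's print helper are ignored because the parent/child pairing, not the interpreter alone, is the signal.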
The targeted entities hold proprietary data, diplomatic insights, or infrastructure access that can benefit Iranian state interests. For example, accessing a telecommunications provider could allow for broad monitoring of communications, while targeting universities often yields valuable research and intellectual property.
Organizations should focus on defense-in-depth strategies. This includes training employees to recognize phishing attempts, disabling automatic macro execution in Office documents, and ensuring that security teams have a tested incident response plan so they can react quickly if an intrusion occurs.
This is a highly targeted operation focusing on specific regions (Middle East and Asia) and specific industries (Government, Telecom, Education). However, the group is known to be persistent and adaptable, frequently evolving its methods to target new victims.