MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors
- Actor Motivations: Espionage
- Attack Vectors: Backdoor, Malicious Macro, Malware
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing documents used by MuddyWater rely on social engineering to persuade recipients to enable macros; once enabled, the macros extract and execute the malware. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Azerbaijan Ministry of Internal Affairs: The Ministry of Internal Affairs of Azerbaijan is the Azerbaijani government ministry responsible for maintaining public order and the security and safety of the population, officials, buildings and structures in the country. It has been targeted by MuddyWater. | Verified |
Case | DAMAMAX: DAMAMAX was established in 2008 as a telecommunications provider to capitalize on increased demand for IP bandwidth capacity in Jordan. It has been targeted by MuddyWater. | Verified |
Case | Election Commission of Pakistan: The Election Commission of Pakistan is an independent, autonomous, permanent and constitutionally established federal body responsible for organizing and conducting elections to the national parliament, provincial legislatures, local governments and the office of President of Pakistan, as well as for the delimitation of constituencies and the preparation of electoral rolls. It has been targeted by MuddyWater. | Verified |
Case | Gilgit Baltistan Excise and Taxation Department: Established in 2009 as a provincial department in Pakistan, its main objective is to collect the provincial taxes levied by the Gilgit Baltistan Legislative Assembly; it also provides web-based digitized data over the internet. It has been targeted by MuddyWater. | Verified |
Case | Iraq Council of Ministers: The Council of Ministers is the executive branch of the government of Iraq. The Council of Representatives of Iraq elects a President of the Republic, who appoints the Prime Minister, who in turn appoints the Council of Ministers, all of whom must be approved by the Assembly. It has been targeted by MuddyWater. | Verified |
Case | King Saud University: King Saud University is a public university in Riyadh, Saudi Arabia. Established in 1957 by King Saud to address the country's skilled worker shortage, it is the first university in Saudi Arabia. It has been targeted by MuddyWater. | Verified |
Case | Ministry of Foreign Affairs of the Republic of Iraq: The Ministry of Foreign Affairs of Iraq is the governmental body responsible for the country's foreign relations and diplomacy. It has been targeted by MuddyWater. | Verified |
Case | Ministry of Justice of Jordan: The Ministry of Justice of the Hashemite Kingdom of Jordan is the ministry in the Government of Jordan responsible for justice. It has been targeted by MuddyWater. | Verified |
Case | National Assembly of Pakistan: The National Assembly of Pakistan is the lower house of the bicameral Parliament of Pakistan, which also comprises the Senate of Pakistan. The National Assembly and the Senate both convene at Parliament House in Islamabad, the capital of Pakistan. It has been targeted by MuddyWater. | Verified |
Case | Office of the President of the Islamic Republic of Afghanistan: The Office of the President of the Islamic Republic of Afghanistan has been targeted by MuddyWater. | Verified |
Case | Pakistan Punjab Police: The Punjab Police is a law enforcement agency in the province of Punjab, Pakistan. Under the command of its Inspector General, it administers all criminal cases under the Police Acts of 1861 and 2002. The force was introduced in its modern form under British rule, and a colonial influence continues. It has been targeted by MuddyWater. | Verified |
Case | Royal Saudi Air Force: The Royal Saudi Air Force is the aviation branch of the Saudi Arabian Armed Forces. It currently has approximately 1,106 aircraft, 40,000 active personnel, 23,000 recruits, 9 wings, 99+ squadrons, and a Special Forces unit dedicated to combat search and rescue. It has been targeted by MuddyWater. | Verified |
Case | Turkey Directorate General of Coastal Safety: The Directorate General of Coastal Safety was established as a General Directorate and state-owned organization by a decision of the Council of Ministers of the Republic of Turkey on 12 May 1997. Its mission is to assist and improve the safety of navigation in Turkish waters. It has been targeted by MuddyWater. | Verified |
Case | Turkey General Directorate of Security: The General Directorate of Security, or Turkish Police Service, is the national civilian police force responsible for law enforcement in the Republic of Turkey and is affiliated with the Ministry of Interior. It has been targeted by MuddyWater. | Verified |
Case | Turkey Ministry of Interior: The Ministry of Interior is the government ministry of the Republic of Turkey responsible for interior security affairs. It has been targeted by MuddyWater. | Verified |
Sector | Government Agencies and Services | Verified |
Sector | Military | Verified |
Sector | Education | Verified |
Sector | Telecommunication | Verified |
Region | Afghanistan | Verified |
Region | Austria | Verified |
Region | Azerbaijan | Verified |
Region | Bahrain | Verified |
Region | Iran | Verified |
Region | Iraq | Verified |
Region | Jordan | Verified |
Region | Mali | Verified |
Region | Pakistan | Verified |
Region | Russia | Verified |
Region | Saudi Arabia | Verified |
Region | Turkey | Verified |
Extracted IOCs
Tip: 81 IOCs related to this threat have been found (4 IP addresses, 7 domains, 7 URLs, 0 email addresses, 63 file hashes).
Overlaps
Source: Picussecurity - March 2022
Detection (12 cases): 24e1bd221ba3813ed7b6056136237587, 37f7e6e5f073508e1ee552ebea5d200e, 5bd61a94e7698574eaf82ef277316463, 665947cf7037a6772687b69279753cdf, 7a2ff07283ddc69d9f34cfa0d3c936d4, 801f34abbf90ac2b4fb4b6289830cd16, 9486593e4fb5a4d440093d54a3519187, b8939fa58fad8aa1ec271f6dae0b7255, bf310319d6ef95f69a45fc4f2d237ed4, d15aee026074fbd18f780fb51ec0632a, d632c8444aab1b43a663401e80c0bac4, ffb8ea0347a3af3dd2ab1b4e5a1be18a
Source: Trend Micro - June 2019
Detection (2 cases): 104[.]237.233.40, 104[.]237.255.212
Source: Kaspersky - April 2019
Detection (1 case): 104[.]237.233.40
Source: Symantec - December 2018
Detection (1 case): 104[.]237.233.60
Source: NetWitness - October 2018
Detection (1 case): 16ac1a2c1e1c3b49e1a3a48fb71cc74f
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.