Continuing MuddyWater Phishing Campaign Targets Middle East and Pakistan
- Actor Motivations: Espionage
- Attack Vectors: Malicious Macro, Malware
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
The MuddyWater group continues its cyber-espionage operations, delivering obfuscated PowerShell scripts embedded in Word documents to gain a foothold on victim systems. The documents masquerade as coming from legitimate entities, such as the Federal Investigation Agency of Pakistan. The tactics combine layered obfuscation with careful reconnaissance of the victim, and the targeting focuses primarily on the Middle East and Pakistan. The campaign's infrastructure includes C&C servers and proxies, and the malware is built with particular attention to evading analysis tools.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Pakistan Federal Investigation Agency. The Federal Investigation Agency is Pakistan's premier national-level agency for investigating federal crimes; it has been targeted by MuddyWater for malicious purposes. | Verified |
| Sector | Government Agencies and Services | Medium |
| Region | Pakistan | High |
| Region | Middle East Countries | High |
Extracted IOCs
Tip: 104 related IOCs (2 IP, 39 domain, 52 URL, 0 email, 11 file hash) to this threat have been found.
Overlaps
Source: Picussecurity - March 2022
Detection (two cases): 135238bc43fddd0867676aef1e9aaf83, a86249a392b394c803ddbd5bbaa0b4bb
Source: Reaqta - November 2017
Detection (82 cases).
Source: Unit 42 - Palo Alto Networks - November 2017
Detection (90 cases).
Source: Security 0wnage - October 2017
Detection (one case): 148[.]251.204.131
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.