Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 12/03/2018

MuddyWater Resurfaces: Cyber Attacks Target Turkey, Pakistan, and Tajikistan

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

A new cyber-espionage campaign that resembles earlier MuddyWater activity is targeting government organizations and telecommunication companies in Turkey, Pakistan, and Tajikistan. The initial access vector is spear-phishing: the email carries a malicious document, and social engineering persuades the recipient to enable macros, which launches the payload. The payloads are Visual Basic and PowerShell scripts, obfuscated to evade detection. Once running, the attackers establish persistence, perform system owner/user discovery, collect system information and take screenshots, and send the collected data to a command-and-control server.

Detected Targets

Type | Description | Confidence
Case | Tajikistan Ministry of Internal Affairs. The Ministry of Internal Affairs, also called the Ministry of the Interior (abbreviated VKD), is the interior ministry of the government of Tajikistan. It oversees the Presidential National Guard and the Internal Troops. It has been targeted by MuddyWater in this espionage campaign. | Verified
Sector | Government Agencies and Services | Verified
Sector | Telecommunication | Verified
Region | Pakistan | Verified
Region | Tajikistan | Verified
Region | Turkey | Verified

Extracted IOCs

  • 0065d592d739ac1dd04d0335151c8855c7fafbf03e86134510ac2fc6766e8d60
  • 0073ce0f4c82fc4d0470868e124aab9ad08852e1712564136186e5019fca0da0
  • 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0
  • 02f58256ff52ed1cdb21064a28d6e5320005f02ef16e8b2fe851438bbc62a102
  • 04d61b1d2c3187280b3c4e93d064a051e9ee0f515f74c6c1c44ba577a7a1c804
  • 070ebcac92fb7619f957bf3f362099574158e5d2d0bc0cf9206a31ba55edd48f
  • 0a9fc303ca03f4d9988a366cbbd96c24857e87374568ec5a4aaa4e55fe2c3c7e
  • 0bc10d5396b3d8ecc54d806c59177b74e167d9f39d8f1b836806127af36a7c4e
  • 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58
  • 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6
  • 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd
  • 1ee9649a2f9b2c8e0df318519e2f8b4641fd790a118445d7a0c0b3c02b1ba942
  • 25186621282d1e1bad649b053bdb7b56e48b38189f80db5a69b92301ef9ed613
  • 2727bf97d7e2a5e7e5e41ccbfd7237c59023d70914834400da1d762d96424fde
  • 2791fdc54ee037589f951c718935397e43d5f3d5f8e078e8b1e81165a3aebbaf
  • 288afbe21d69e79a1cff44e2db7f491af10381bcc54436a8f900bcbd2a752a6f
  • 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13
  • 3607432758176a2c41a1971b3c4d14a992a68b231851f8b81c6e816ea9ea29b2
  • 3b1d8dcbc8072b1ec10f5300c3ea9bb20db71bd8fa443d97332790b74584a115
  • 3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c
  • 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb
  • 4dd5c3ce5ed2145d5afa8dd476a83dfc693e5fc7216c1eabb3fa0eb6b5f8590d
  • 55ae821cf112ff8d6185ce021f777f73d85150c62a835bb1c02fe9e7b3f863bf
  • 59f9e0faa73e93537ae4bd3a8695874ba25b66cefa017537132914c770d0cf70
  • 5e173fbdcd672dade12a87eff0baf79ec4e80533e2b5f6cf1fac19ad847acba0
  • 61d846708f50024e1c65237eb7158beac9b9c5840853b03ef7c73fe5293a9a8d
  • 6228d79f56c574ceada16453404c54dd95641aa78d3faed6874daf485116793b
  • 624762a90b7272e247e5022576b7912d1aa0b32bc13aabc7ee47197e5b87a41b
  • 6421c22d854c199b761436c87cae1eaffba8783a3a40c00d4a0982d7c242ea79
  • 66af894eee6daae66bf0bcb87cb7abe2a0ebb6a59779f652db571e7ee298d751
  • 6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac
  • 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338
  • 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c
  • 92c7fead5ee0f0ecd35fe247dbe85648aada4b96f1e960b527b4929e42d47b01
  • 93745a6605a77f149471b41bd9027390c91373558f62058a7333eb72a26faf84
  • a53f832edc18de51e0ffaf67047072a6bbd5237defa74f5bf35dfc0df2aeca1b
  • a70aca719b06fc8ef0cd0b0e010c7bc8dc6d632e4f2f874e4c0e553bd8db2df2
  • aa60c1fae6a0ef3b9863f710e46f0a7407cf0feffa240b9a4661a4e8884ac627
  • af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102
  • c006911be5480f09e0d8560c167561f68681607ca8f7e3c4f5d476dc6673594f
  • c1780f3ad76af703ceddd932b187cf919866a00bb3e2d6f0827b9dae9d8875b6
  • c9d782ffaa98791613fef828e558b296932fa245192bd0eba8f76536860db84e
  • cca8e84901c4184be2849d29c39294fd4b6940f9a6668fdcff9728cd319fff96
  • cee801b7a901eb69cd166325ed3770daffcd9edd8113a961a94c8b9ddf318c88
  • d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025
  • dfbd67177af9d35188fc9ff9363c2b9017e9ccfe6719e3d641a56fb5dc0d47f7
  • e57dbce8130e281a73727122d33cbff170a54237cd0016d79b30ace18c94e7d4
  • eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894
  • f05c18c1d4428349137a9df60cdebe8a0f9e6da47b359dc0616ff8d47e46704e
  • fbbda9d8d9bcaaf9a7af84d08af3f5140f5f75778461e48253dc761cc9dc027c

Tip: 50 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 50 file hash) to this threat have been found.
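
The indicators above are all SHA-256 file hashes, and the delivery vector is a macro-bearing Office document, so the practical first step on a host or mail-quarantine share is to hash every file against the feed and flag any OOXML document that embeds a VBA project. The script below is an added example, not Certfa's code: MUDDYWATER_SHA256 holds a subset of the 50 hashes listed above (load the full list in practice), the sample documents are constructed in a temporary directory so the script runs offline, and the text file's hash is added to the IOC set only to simulate a hit.

```python
"""Triage a directory tree for MuddyWater lures: hash-match against the feed's
SHA-256 IOCs and flag OOXML documents that carry a VBA project.

Added example (not Certfa's code). MUDDYWATER_SHA256 is a subset of the IOC
list on the page; sample files are constructed below so the demo runs offline.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Subset of the page's 50 SHA-256 IOCs; load the full feed export in practice.
MUDDYWATER_SHA256 = {
    "0065d592d739ac1dd04d0335151c8855c7fafbf03e86134510ac2fc6766e8d60",
    "18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd",
    "76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338",
    "af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102",
    "fbbda9d8d9bcaaf9a7af84d08af3f5140f5f75778461e48253dc761cc9dc027c",
}

# OOXML part names that mean the document embeds a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large samples are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_vba_project(path: Path) -> bool:
    """True if the file is an OOXML zip containing a vbaProject.bin part.
    Legacy OLE .doc/.xls files are not zips; use oletools' olevba for those."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(name in VBA_PARTS for name in z.namelist())


def triage(root: Path, iocs=MUDDYWATER_SHA256) -> list:
    """Walk root; return one finding per file that matches an IOC or embeds VBA."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
                macro = has_vba_project(p)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            reasons = []
            if digest in iocs:
                reasons.append("sha256 matches MuddyWater IOC")
            if macro:
                reasons.append("OOXML document embeds vbaProject.bin")
            if reasons:
                findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def build_samples(root: Path) -> dict:
    """Constructed samples: a macro-bearing .docm, a macro-free .docx, a text file."""
    macro_doc = root / "invoice.docm"
    with zipfile.ZipFile(macro_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # constructed
    clean_doc = root / "agenda.docx"
    with zipfile.ZipFile(clean_doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    note = root / "readme.txt"
    note.write_bytes(b"constructed benign file\n")
    return {"macro": macro_doc, "clean": clean_doc, "note": note}


def demo() -> list:
    """Run triage on the constructed samples; the text file's own hash is added
    to the IOC set purely to simulate a hash hit (it is not a real indicator)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = build_samples(root)
        iocs = MUDDYWATER_SHA256 | {sha256_file(samples["note"])}
        return triage(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
```

The macro check is deliberately narrow: it only proves a VBA project is present, not that it is malicious, so treat it as a triage signal alongside the hash match. A hash match is high confidence but brittle, since a single byte of recompilation produces a new hash; the ten-, two- and eighteen-case overlaps with other reports below show how much of this IOC set has been re-observed elsewhere.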

Overlaps

MuddyWater: MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (10 cases): 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0, 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd, 2727bf97d7e2a5e7e5e41ccbfd7237c59023d70914834400da1d762d96424fde, 3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c, 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb, 6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac, 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338, af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102, d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025, fbbda9d8d9bcaaf9a7af84d08af3f5140f5f75778461e48253dc761cc9dc027c

MuddyWater: Cyber Espionage Evolution: MuddyWater’s Obfuscation Techniques and Anti-Analysis Measures

Source: Security 0wnage - May 2018

Detection (2 cases): 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd, 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338

TEMP.Zagros: Multi-Stage Spear Phishing Attack Traced to Iran: TEMP.Zagros in Action

Source: Mandiant - March 2018

Detection (18 cases): 009cc0f34f60467552ef79c3892c501043c972be55fe936efb30584975d45ec0, 153117aa54492ca955b540ac0a8c21c1be98e9f7dd8636a36d73581ec1ddcf58, 18479a93fc2d5acd7d71d596f27a5834b2b236b44219bb08f6ca06cf760b74f6, 18cf5795c2208d330bd297c18445a9e25238dd7f28a1a6ef55e2a9239f5748cd, 1ee9649a2f9b2c8e0df318519e2f8b4641fd790a118445d7a0c0b3c02b1ba942, 2cea0b740f338c513a6390e7951ff3371f44c7c928abf14675b49358a03a5d13, 3b1d8dcbc8072b1ec10f5300c3ea9bb20db71bd8fa443d97332790b74584a115, 3d96811de7419a8c090a671d001a85f2b1875243e5b38e6f927d9877d0ff9b0c, 3da24cd3af9a383b731ce178b03c68a813ab30f4c7c8dfbc823a32816b9406fb, 6edc067fc2301d7a972a654b3a07398d9c8cbe7bb38d1165b80ba4a13805e5ac, 76e9988dad0278998861717c774227bf94112db548946ef617bfaa262cb5e338, 9038ba1b7991ff38b802f28c0e006d12d466a8e374d2f2a83a039aabcbe76f5c, 93745a6605a77f149471b41bd9027390c91373558f62058a7333eb72a26faf84, aa60c1fae6a0ef3b9863f710e46f0a7407cf0feffa240b9a4661a4e8884ac627, af5f102f0597db9f5e98068724e31d68b8f7c23baeea536790c50db587421102, cee801b7a901eb69cd166325ed3770daffcd9edd8113a961a94c8b9ddf318c88, d07d4e71927cab4f251bcc216f560674c5fb783add9c9f956d3fc457153be025, eff78c23790ee834f773569b52cddb01dc3c4dd9660f5a476af044ef6fe73894

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.