Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 28/11/2018

MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.

Detected Targets

Type | Description | Confidence
Case | Lebanon Ministry of Justice: Lebanon Ministry of Justice has been targeted by MuddyWater for malicious purposes. | High
Case | Saudi Ministry of Justice: Saudi Ministry of Justice has been targeted by MuddyWater for malicious purposes. | High
Region | Lebanon | High
Region | Oman | High

Extracted IOCs


Tip: 25 IOCs related to this threat have been found (0 IP, 9 domain, 10 URL, 0 email, 6 file hash).

Overlaps

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (four cases): 294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d, 65bd49d9f6d9b92478e3653362c0031919607302db6cfb3a7c1994d20be18bcc, b6c483536379840e89444523d27ac7828b3eb50342b992d2c8f608450cd7bb53, e5c56c5b9620fb542eab82bdf75237d179bc996584b5c5f7a1c34ef5ae521c7d

MuddyWater | Spear-Phishing and POWERSTAT: Dissecting MuddyWater's Latest Middle East Attacks

Source: Yoroi-Cybaze Zlab - December 2018

Detection (five cases): hxxp://pazazta[.]com/app/icon.png, 294a907c27d622380727496cd7c53bf908af7a88657302ebd0a9ecdd30d2ec9d, amorenvena[.]com, amphira[.]com, pazazta[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.