Threats Feed|MuddyWater|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date04/10/2017

Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor,Malicious Macro,Malware
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Entities in the Middle East, including Saudi Arabia and Iraq, were targeted by an early MuddyWater phishing campaign predominantly aimed at the government sector. Spear-phishing emails carrying malicious attachments were a key tactic, with PowerShell scripts being sourced from Pastebin and Filebin. To avoid detection, the attackers concealed their scripts. Upon examining the macro code and command and control scripts, parallels were found with a campaign previously discussed by Morphisec.

Reference and Credit: Security 0wnage - October 2017

Continued Activity targeting the Middle East

Detected Targets

TypeDescriptionConfidence
CaseIraqi National Intelligence Service
The Iraqi National Intelligence Service is an intelligence agency of the Iraqi government that was created in April 2004 on the transitional authority of the Coalition Provisional Authority, following the American invasion of Iraq a year prior. Iraqi National Intelligence Service has been targeted by MuddyWater with abusive purposes.
Verified
CaseSaudi Government Services Bus
The Government Service Bus (GSB) of Saudi Arabia is the central enabling set of components of the e- Government infrastructure that is based on Service Oriented Architecture Saudi Government Services Bus has been targeted by MuddyWater with abusive purposes.
Verified
SectorGovernment Agencies and Services
Verified
RegionIraq
Verified
RegionSaudi Arabia
Verified
RegionMiddle East Countries
High

Extracted IOCs

  • 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce
  • 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1
  • 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433
  • 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d
  • 58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482
  • 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f
  • 5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae
  • 605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4
  • 76eb64994f9db257c4f7dbf406b542e3c9a7362f905b5ce4828aeb3db4743afa
  • 81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3
  • 90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024
  • 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028
  • 96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd
  • 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc
  • a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5
  • c8b00765834342d3a9ef510f4b5bce91b7625de477b492f23c142d49f2f3bd50
  • ddae32a6234a58eb80837dcdea318cc6c16a3b067f74e305c0c647190b90be10
  • e7c1e310868abbab4a141e1e40b19d641adeb68dda2f71a1bd55dabd77667bda
  • ffbe7df94929b03408791eb321a845fff9289c7be950aaec96267c79d5d26c5f
  • 138[.]201.75.227
  • 144[.]76.109.88
  • 148[.]251.204.131
  • hxxp://144[.]76.109.88/al/ag[.]txt
download

Tip: 23 related IOCs (3 IP, 0 domain, 1 URL, 0 email, 19 file hash) to this threat have been found.

Overlaps

MuddyWaterMuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (seven cases): 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433, 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc, a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5

MuddyWaterMuddyWater APT Focuses on Espionage in the Middle East: A Technical Analysis

Source: Reaqta - November 2017

Detection (five cases): 144[.]76.109.88, 148[.]251.204.131, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028

MuddyWaterMuddyWater Targets Middle East Using POWERSTATS Backdoor

Source: Unit 42 - Palo Alto Networks - November 2017

Detection (17 cases): 138[.]201.75.227, 144[.]76.109.88, 148[.]251.204.131, 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433, 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d, 58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae, 605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4, 81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3, 90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024, 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028, 96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd, 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc, a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5

MuddyWaterContinuing MuddyWater Phishing Campaign Targets Middle East and Pakistan

Source: Security 0wnage - November 2017

Detection (one case): 148[.]251.204.131

UnknownSaudi Arabian Government Hit by Stealthy Macro Malware

Source: Malwarebytes - September 2017

Detection (one case): 144[.]76.109.88

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
MuddyWater
View MuddyWater's Insights