Threats Feed|MuddyWater|Last Updated 24/01/2025|AuthorCertfa Radar|Publish Date21/06/2022

MuddyWater's Malicious Macros: A Long-Term Threat to Middle Eastern Nations

  • Actor Motivations: Espionage
  • Attack Vectors: Malicious Macro,RAT,Spear Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

The MuddyWater threat group has been conducting a long-term infection campaign targeting Middle East countries since the last quarter of 2020. The campaign utilizes a malicious Word document containing VBA macros wrapped in a compressed file to compromise victims' systems. The VBA macros drop a concise VBS script, which functions as a small RAT, allowing the execution of commands via cmd and communication with a C2 server using HTTP GET and POST requests. The targeted countries include Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, and others in the Middle East region.

Reference and Credit: Lab52 - June 2022

MuddyWater’s “light” first-stager targeting Middle East

Detected Targets

TypeDescriptionConfidence
RegionArgentina
High
RegionArmenia
High
RegionBahrain
High
RegionIsrael
High
RegionKazakhstan
High
RegionPakistan
High
RegionSouth Africa
High
RegionSudan
High
RegionSyria
High
RegionTurkey
High

Extracted IOCs

  • 0b4d660335b55d96ddf4c76664341ed52519639161a0a0a1aa0ae82951feba01
  • 1d133cc388415592e2e2246e6fb1903690068577fc82e2ae682ba0a661cea0dd
  • 2245fc9d9aea07b0ffdac792d4851ceed851a3bf1d528384e94306e59e3abd16
  • 2f2492b7bb55f7a12f7530c9973c9b81fdd5e24001e4a21528ff1d5b47e3446e
  • 4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c
  • 84d523833db6cc74a079b12312da775d4281bf1034b2af0203c9d14c098e6f29
  • ae6dba7da3c8b2787b274c660e0b522ce8ebda89b1864d8a2ac2c9bb2bd4afa6
  • cab75e26febd111dd5483666c215bb6b56059f806f83384f864c51ceddd0b1cf
  • dba90bd5fdf0321a28f21fccb3a77ee1ed5d73e863e4520ce8eb8fca670189c3
  • ea24c5a8b976919d4c8c4779dc0b7ef887373f126c4732edf9023b827b4e4dc4
  • ed4b523a0eecc5de172a97eb8acb357bc1f4807efec761ec2764f20ef028cc63
  • faa6258d7bd355329a9ad69e15b2857d24f9ac11a9782d1a215149938460ac4b
  • fbd2a9f400740610febd5a1ae7448536dd95f37b85dfd2ca746e11a51086bd4b
  • 107[.]174.68.60
  • 185[.]117.73.52
  • 192[.]227.147.152
download

Tip: 16 related IOCs (3 IP, 0 domain, 0 URL, 0 email, 13 file hash) to this threat have been found.

About Affiliation
MuddyWater
View MuddyWater's Insights