Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 14/11/2017

MuddyWater Targets Middle East Using POWERSTATS Backdoor

  • Actor Motivations: Espionage, Extortion
  • Attack Vectors: Backdoor, Malicious Macro, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

Researchers at Palo Alto Networks identified a series of targeted attacks against the Middle East region, carried out between February and October 2017 by the group tracked as "MuddyWater". The campaign is espionage-related. The group relied on a PowerShell-based first-stage backdoor called "POWERSTATS", which evolved only slowly over the course of the campaign, and hit targets in the Middle East (Saudi Arabia, Iraq, Israel and the United Arab Emirates) as well as in the USA and India. The group also used GitHub to host its backdoor.

Detected Targets

Type | Description | Confidence

Case | Iraqi Commission of Integrity | Medium
The Iraqi Commission of Integrity, formerly known as the Commission on Public Integrity (CPI), is an independent commission within the government of Iraq tasked with preventing and investigating corruption at all levels of the Iraqi government nationwide. It has been targeted by MuddyWater.

Case | Iraqi National Intelligence Service | Medium
The Iraqi National Intelligence Service is an intelligence agency of the Iraqi government, created in April 2004 under the transitional authority of the Coalition Provisional Authority, a year after the American invasion of Iraq. It has been targeted by MuddyWater.

Case | Iraq Kurdistan Regional Government | Medium
The Kurdistan Regional Government (KRG) is the official executive body of the autonomous Kurdistan Region of northern Iraq. It has been targeted by MuddyWater.

Case | Kaspersky Lab | Medium
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. It has been targeted by MuddyWater.

Case | National Security Agency (NSA) | Medium
The National Security Agency is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence. It has been targeted by MuddyWater.

Case | Pakistan Federal Investigation Agency | Medium
The Federal Investigation Agency is Pakistan's premier national-level agency for investigating federal crimes. It has been targeted by MuddyWater.

Case | Telenor | Medium
Telenor ASA is a Norwegian majority state-owned multinational telecommunications company headquartered at Fornebu in Bærum, close to Oslo. It is one of the world's largest mobile telecommunications companies, with operations worldwide but concentrated in Scandinavia and Asia. It has been targeted by MuddyWater.

Sector | Government Agencies and Services | Medium

Region | Georgia | Verified
Region | India | Verified
Region | Iraq | Verified
Region | Israel | Verified
Region | Pakistan | Verified
Region | Saudi Arabia | Verified
Region | Turkey | Verified
Region | United Arab Emirates | Verified
Region | United States | Verified

Extracted IOCs

  • arbiogaz[.]com
  • bangortalk.org[.]uk
  • camco.com[.]pk
  • cbpexbrasilia.com[.]br
  • cgss.com[.]pk
  • diplomat.com[.]sa
  • feribschat[.]eu
  • ghanaconsulate.com[.]pk
  • magical-energy[.]com
  • mainandstrand[.]com
  • mhtevents[.]com
  • riyadhfoods[.]com
  • skepticalscience[.]com
  • suliparwarda[.]com
  • tmclub[.]eu
  • wallpapercase[.]com
  • whiver[.]in
  • azmwn.suliparwarda[.]com
  • best2.thebestconference[.]org
  • coa.inducks[.]org
  • school.suliparwarda[.]com
  • watyanagr.nfe.go[.]th
  • www.4seasonrentacar[.]com
  • www.akhtaredanesh[.]com
  • www.arcadecreative[.]com
  • www.armaholic[.]com
  • www.asan-max[.]com
  • www.autotrans[.]hr
  • www.dafc.co[.]uk
  • www.eapa[.]org
  • www.elev8tor[.]com
  • www.jdarchs[.]com
  • www.kunkrooann[.]com
  • www.mackellarscreenworks[.]com
  • www.mitegen[.]com
  • www.nigelwhitfield[.]com
  • www.pomegranates[.]org
  • www.ridefox[.]com
  • www.shapingtomorrowsworld[.]org
  • www.spearhead-training[.]com
  • www.vanessajackson.co[.]uk
  • www.yaran[.]co
  • www.ztm.waw[.]pl
  • 12a7898fe5c75e0b57519f1e7019b5d09f5c5cbe49c48ab91daf6fcc09ee8a30
  • 1421a5cd0566f4a69e7ca9cdefa380507144d7ed59cd22e53bfd25263c201a6f
  • 16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db
  • 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce
  • 2602e817a67949860733b3548b37792616d52ffd305405ccab0409bcfedc5d63
  • 2bb1637c80f0a7df7260a8583beb033f4afbdd5c321ff5642bc8e1868194e009
  • 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1
  • 3030d80cfe1ee6986657a2d9b76b626ea05e2c289dee05bd7b9553b10d14e4a1
  • 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433
  • 40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe
  • 42a4d9527063f73004b049a093a34a4fc3b6ea9505cb9b50b895486cb2dca94b
  • 4e3c7defd6f3061b0303e687a4b5b3cc2a4ae84cdc48706c65a7b1e53402efc0
  • 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d
  • 58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482
  • 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f
  • 58aec38e98aba66f9f01ca53442d160a2da7b137efbc940672982a4d8415a186
  • 5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae
  • 5ed5fc6c6918ff6fa4eab7742c03d59155ca87e0fe12bac339f18928e2924a96
  • 605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4
  • 81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3
  • 886e3a2f74bf8f46b23c78a6bad80c74fe33579f6fe866bc5075b034c4d5d432
  • 8b96804d861ea690fcb61224ec27b84476cf3117222cca05e6eba955d9395deb
  • 8ec108b8f66567a8d84975728b2d5e6a2786c2ca368310cca55acad02bb00fa6
  • 90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024
  • 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028
  • 96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd
  • 964aaf5d9b1c749df0a2df1f1b4193e5a643893f251e2d74b47663f895da9b13
  • 96d80ae577e9b899772a940b4941da39cf7399b5c852048f0d06926eb6c9868a
  • 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc
  • 99077dcb37395603db0f99823a190f50313dc4e9819462c7da29c4bc983f42fd
  • a2ad6bfc47c4f69a2170cc1a9fd620a68b1ebb474b7bdf601066e780e592222f
  • a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5
  • a6673c6d52dd5361afd96f8143b88810812daa97004f69661da625aaaba9363b
  • bb1a5fb87d34c63ade0ed8a8b95412ba3795fd648a97836cb5117aff8ea08423
  • c23ece07fc5432ca200f3de3e4c4b68430c6a22199d7fab11916a8c404fb63dc
  • cb96cd26f36a3b1aacabfc79bbb5c1e0c9850b1c75c30aa498ad2d4131b02b98
  • cf87a2ac51503d645e827913dd69f3d80b66a58195e5a0044af23ea6ba46b823
  • d2a0eec18d755d456a34865ff2ffc14e3969ea77f7235ef5dfc3928972d7960f
  • d65e2086aeab56a36896a56589e47773e9252747338c6b59c458155287363f28
  • db7bdd6c3ff7a27bd4aa9acc17dc35c38b527fb736a17d0927a0b3d7e94acb42
  • de6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d
  • e8a832b04dbdc413b71076754c3a0bf07cb7b9b61927248c482ddca32e1dab89
  • ed2f9c9d5554d5248a7ad9ad1017af5f1bbadbd2275689a8b019a04c516eeec2
  • fcfbdffbcad731e0a5aad349215c87ed919865d66c287a6723fd8e2f896c5834
  • fe16543109f640ddbf3725e4d9f593de9f13ee9ae96c5e41e9cdccb7ab35b661
  • 106[.]187.38.21
  • 138[.]201.75.227
  • 144[.]76.109.88
  • 148[.]251.204.131
  • hxxp://106[.]187.38.21/short_qr/work[.]php?c=
  • hxxp://arbiogaz[.]com/upload/work.php?c=
  • hxxp://azmwn.suliparwarda[.]com/wp-content/plugins/wpdatatables/panda.php?c=
  • hxxp://azmwn.suliparwarda[.]com/wp-content/themes/twentyfifteen/logs.php?c=
  • hxxp://bangortalk.org[.]uk/speakers.php?c=
  • hxxp://best2.thebestconference[.]org/ccb/browse_cat.php?c=
  • hxxp://camco.com[.]pk/controls/data.aspx?c=
  • hxxp://cbpexbrasilia.com[.]br/wp-content/plugins/wordpress-seo/power.php?c=
  • hxxp://cbpexbrasilia.com[.]br/wp-includes/widgets/work.php?c=
  • hxxp://cgss.com[.]pk/data.aspx?c=
  • hxxp://diplomat.com[.]sa/wp-content/plugins/wordpress-importer/cache.php?c=
  • hxxp://feribschat[.]eu/logs.php?c=
  • hxxp://ghanaconsulate.com[.]pk/data.aspx?c=
  • hxxp://magical-energy[.]com/css.aspx?c=
  • hxxp://magical-energy[.]com/css/css.aspx?c=
  • hxxp://mainandstrand[.]com/work.php?c=
  • hxxp://riyadhfoods[.]com/css/edu.aspx?c=
  • hxxp://riyadhfoods[.]com/jquery-ui/js/jquery.aspx?c=
  • hxxp://school.suliparwarda[.]com/components/com_akeeba/work.php?c=
  • hxxp://school.suliparwarda[.]com/plugins/editors/codemirror/work.php?c=
  • hxxps://coa.inducks[.]org/publication.php?c=
  • hxxps://mhtevents[.]com/account.php?c=
  • hxxps://skepticalscience[.]com/graphics.php?c=
  • hxxp://suliparwarda[.]com/includes/panda.php?c=
  • hxxp://suliparwarda[.]com/layouts/joomla/logs.php?c=
  • hxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work.php?c=
  • hxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work.php?c=
  • hxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs.php?c=
  • hxxps://wallpapercase[.]com/wp-includes/customize/logs.php?c=
  • hxxps://www.spearhead-training[.]com//html/power.php?c=
  • hxxps://www.spearhead-training[.]com/work.php?c=
  • hxxp://tmclub[.]eu/clubdata.php?c=
  • hxxp://watyanagr.nfe.go[.]th/e-office/lib/work.php?c=
  • hxxp://watyanagr.nfe.go[.]th/watyanagr/power.php?c=
  • hxxp://whiver[.]in/power.php?c=
  • hxxp://www.4seasonrentacar[.]com/viewsure/data.aspx?c=
  • hxxp://www.akhtaredanesh[.]com/d/file/sym/work.php?c=
  • hxxp://www.akhtaredanesh[.]com/d/oschool/power.php?c=
  • hxxp://www.arcadecreative[.]com/work.php?c=
  • hxxp://www.armaholic[.]com/list.php?c=
  • hxxp://www.asan-max[.]com/files/articles/css.aspx?c=
  • hxxp://www.asan-max[.]com/files/articles/large/css.aspx?c=
  • hxxp://www.autotrans[.]hr/index.php?c=
  • hxxp://www.dafc.co[.]uk/news.php?c=
  • hxxp://www.eapa[.]org/asphalt.php?c=
  • hxxp://www.elev8tor[.]com/show-work.php?c=
  • hxxp://www.jdarchs[.]com/work.php?c=
  • hxxp://www.kunkrooann[.]com/inc/work.php?c=
  • hxxp://www.mackellarscreenworks[.]com/work.php?c=
  • hxxp://www.mitegen[.]com/mic_catalog.php?c=
  • hxxp://www.nigelwhitfield[.]com/v2/work.php?c=
  • hxxp://www.pomegranates[.]org/index.php?c=
  • hxxp://www.ridefox[.]com/content.php?c=
  • hxxp://www.shapingtomorrowsworld[.]org/category.php?c=
  • hxxp://www.vanessajackson.co[.]uk/work.php?c=
  • hxxp://www.yaran[.]co//wp-content/plugins/so-masonry/logs.php?c=
  • hxxp://www.yaran[.]co/wp-includes/widgets/logs.php?c=
  • hxxp://www.ztm.waw[.]pl/pop.php?c=

Tip: 150 IOCs related to this threat (4 IPs, 43 domains, 58 URLs, 0 emails, 45 file hashes) are listed above.
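Anyone consuming this list usually wants it refanged, typed, and turned into a check against egress logs. The script below is an added example written for this page, not Certfa Radar tooling or any vendor's code. It parses a constructed sample of the bullets above, refangs them, and runs a tiered match over constructed proxy log lines. Every C2 URL in the feed ends in a PHP or ASPX script with a bare "c=" query parameter, which implies the backdoor appends its data after it, so the match is on host plus path with the query dropped. The hosts themselves are mostly legitimate third-party sites that appear to have been compromised (note the WordPress and Joomla plugin and theme paths), so a host-only match is reported separately from a hit on the exact script. The log format ("time client method url status"), the client IPs and the query payloads are assumptions made for the demo.

```python
"""Refang, classify and match the IOCs published in this feed.

Added example for this page, not Certfa Radar tooling. FEED_SAMPLE holds a
few indicators copied verbatim from the list above; PROXY_LOG is a
constructed excerpt (timestamps, client IPs and query payloads are invented)
in an assumed "time client method url status" format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

FEED_SAMPLE = """\
  • arbiogaz[.]com
  • www.ztm.waw[.]pl
  • 12a7898fe5c75e0b57519f1e7019b5d09f5c5cbe49c48ab91daf6fcc09ee8a30
  • 106[.]187.38.21
  • hxxp://106[.]187.38.21/short_qr/work[.]php?c=
  • hxxp://arbiogaz[.]com/upload/work.php?c=
  • hxxps://www.spearhead-training[.]com//html/power.php?c=
"""

PROXY_LOG = """\
2017-10-03T09:12:44Z 10.0.0.23 GET http://arbiogaz.com/upload/work.php?c=ZGVhZGJlZWY= 200
2017-10-03T09:13:01Z 10.0.0.23 GET http://www.ztm.waw.pl/ 200
2017-10-03T09:14:10Z 10.0.0.41 GET https://example.org/index.php?c=1 200
2017-10-03T09:15:22Z 10.0.0.23 POST http://106.187.38.21/short_qr/work.php?c=aGVsbG8= 200
2017-10-03T09:16:00Z 10.0.0.52 GET https://www.spearhead-training.com//html/power.php 404
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc: str) -> str:
    """Undo the feed's defanging: '[.]' -> '.', 'hxxp(s)://' -> 'http(s)://'."""
    ioc = ioc.strip().replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Type of a refanged indicator: 'url', 'sha256', 'ip' or 'domain'."""
    if "://" in ioc:
        return "url"
    if SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def parse_feed(text: str) -> dict:
    """Group the feed's bullet lines by indicator type, refanged."""
    groups = {"url": set(), "sha256": set(), "ip": set(), "domain": set()}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line:
            ioc = refang(line)
            groups[classify(ioc)].add(ioc)
    return groups


def script_key(url: str) -> str:
    """host + path with the query dropped, so 'work.php?c=<data>' matches 'work.php?c='."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path


def match_proxy_log(log_text: str, iocs: dict) -> list:
    """Return (line_no, verdict, host) for log lines touching feed infrastructure.

    c2-beacon        exact C2 script, with the 'c=' parameter the backdoor uses
    c2-script        exact C2 script path, no beacon parameter
    compromised-host only the host matches; these are legitimate sites that
                     were compromised, so this needs context before escalation
    """
    c2_scripts = {script_key(u) for u in iocs["url"]}
    hosts = iocs["domain"] | iocs["ip"]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        parts = urlsplit(fields[3])
        host = (parts.hostname or "").lower()
        key = host + parts.path
        if key in c2_scripts and parts.query.startswith("c="):
            hits.append((n, "c2-beacon", host))
        elif key in c2_scripts:
            hits.append((n, "c2-script", host))
        elif host in hosts:
            hits.append((n, "compromised-host", host))
    return hits


if __name__ == "__main__":
    iocs = parse_feed(FEED_SAMPLE)
    print({k: len(v) for k, v in iocs.items()})
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print(hit)
```

Run against the full list above rather than the sample, the type counts should reproduce the 4/43/58/45 split stated in the tip, which is a cheap sanity check that the parser consumed every bullet. The 0-email count means there is no sender indicator to block at the mail gateway; the spear-phishing stage has to be caught on the macro, not on the sender.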

Overlaps

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (11 cases): 16985600c959f6267476da614243a585b1b222213ec938351ef6a26560c992db, 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433, 40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe, 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc, a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5, cf87a2ac51503d645e827913dd69f3d80b66a58195e5a0044af23ea6ba46b823, de6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d

MuddyWater | MuddyWater APT Focuses on Espionage in the Middle East: A Technical Analysis

Source: Reaqta - November 2017

Detection (100 cases): 106[.]187.38.21, 144[.]76.109.88, 148[.]251.204.131, hxxp://106[.]187.38.21/short_qr/work[.]php?c=, hxxp://arbiogaz[.]com/upload/work.php?c=, hxxp://azmwn.suliparwarda[.]com/wp-content/plugins/wpdatatables/panda.php?c=, hxxp://azmwn.suliparwarda[.]com/wp-content/themes/twentyfifteen/logs.php?c=, hxxp://bangortalk.org[.]uk/speakers.php?c=, hxxp://best2.thebestconference[.]org/ccb/browse_cat.php?c=, hxxp://camco.com[.]pk/controls/data.aspx?c=, hxxp://cgss.com[.]pk/data.aspx?c=, hxxp://feribschat[.]eu/logs.php?c=, hxxp://ghanaconsulate.com[.]pk/data.aspx?c=, hxxp://magical-energy[.]com/css.aspx?c=, hxxp://magical-energy[.]com/css/css.aspx?c=, hxxp://mainandstrand[.]com/work.php?c=, hxxp://school.suliparwarda[.]com/components/com_akeeba/work.php?c=, hxxp://school.suliparwarda[.]com/plugins/editors/codemirror/work.php?c=, hxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work.php?c=, hxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work.php?c=, hxxp://tmclub[.]eu/clubdata.php?c=, hxxp://watyanagr.nfe.go[.]th/e-office/lib/work.php?c=, hxxp://watyanagr.nfe.go[.]th/watyanagr/power.php?c=, hxxp://whiver[.]in/power.php?c=, hxxp://www.4seasonrentacar[.]com/viewsure/data.aspx?c=, hxxp://www.akhtaredanesh[.]com/d/file/sym/work.php?c=, hxxp://www.akhtaredanesh[.]com/d/oschool/power.php?c=, hxxp://www.arcadecreative[.]com/work.php?c=, hxxp://www.armaholic[.]com/list.php?c=, hxxp://www.asan-max[.]com/files/articles/css.aspx?c=, hxxp://www.asan-max[.]com/files/articles/large/css.aspx?c=, hxxp://www.autotrans[.]hr/index.php?c=, hxxp://www.dafc.co[.]uk/news.php?c=, hxxp://www.eapa[.]org/asphalt.php?c=, hxxp://www.elev8tor[.]com/show-work.php?c=, hxxp://www.jdarchs[.]com/work.php?c=, hxxp://www.kunkrooann[.]com/inc/work.php?c=, hxxp://www.mackellarscreenworks[.]com/work.php?c=, hxxp://www.mitegen[.]com/mic_catalog.php?c=, hxxp://www.nigelwhitfield[.]com/v2/work.php?c=, hxxp://www.pomegranates[.]org/index.php?c=, 
hxxp://www.ridefox[.]com/content.php?c=, hxxp://www.shapingtomorrowsworld[.]org/category.php?c=, hxxp://www.vanessajackson.co[.]uk/work.php?c=, hxxp://www.yaran[.]co//wp-content/plugins/so-masonry/logs.php?c=, hxxp://www.yaran[.]co/wp-includes/widgets/logs.php?c=, hxxp://www.ztm.waw[.]pl/pop.php?c=, hxxps://coa.inducks[.]org/publication.php?c=, hxxps://mhtevents[.]com/account.php?c=, hxxps://skepticalscience[.]com/graphics.php?c=, hxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs.php?c=, hxxps://wallpapercase[.]com/wp-includes/customize/logs.php?c=, hxxps://www.spearhead-training[.]com//html/power.php?c=, hxxps://www.spearhead-training[.]com/work.php?c=, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 40a6b4c6746e37d0c5ecb801e7656c9941f4839f94d8f4cd61eaf2b812feaabe, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028, a6673c6d52dd5361afd96f8143b88810812daa97004f69661da625aaaba9363b, de6ce9b75f4523a5b235f90fa00027be5920c97a972ad6cb2311953446c81e1d, arbiogaz[.]com, azmwn.suliparwarda[.]com, bangortalk.org[.]uk, best2.thebestconference[.]org, camco.com[.]pk, cgss.com[.]pk, coa.inducks[.]org, feribschat[.]eu, ghanaconsulate.com[.]pk, magical-energy[.]com, mainandstrand[.]com, mhtevents[.]com, school.suliparwarda[.]com, skepticalscience[.]com, suliparwarda[.]com, tmclub[.]eu, wallpapercase[.]com, watyanagr.nfe.go[.]th, whiver[.]in, www.4seasonrentacar[.]com, www.akhtaredanesh[.]com, www.arcadecreative[.]com, www.armaholic[.]com, www.asan-max[.]com, www.autotrans[.]hr, www.dafc.co[.]uk, www.eapa[.]org, www.elev8tor[.]com, www.jdarchs[.]com, www.kunkrooann[.]com, www.mackellarscreenworks[.]com, www.mitegen[.]com, www.nigelwhitfield[.]com, www.pomegranates[.]org, www.ridefox[.]com, www.shapingtomorrowsworld[.]org, www.spearhead-training[.]com, www.vanessajackson.co[.]uk, www.yaran[.]co, www.ztm.waw[.]pl

MuddyWater | Continuing MuddyWater Phishing Campaign Targets Middle East and Pakistan

Source: Security 0wnage - November 2017

Detection (90 cases): 106[.]187.38.21, 148[.]251.204.131, hxxp://106[.]187.38.21/short_qr/work[.]php?c=, hxxp://azmwn.suliparwarda[.]com/wp-content/plugins/wpdatatables/panda.php?c=, hxxp://azmwn.suliparwarda[.]com/wp-content/themes/twentyfifteen/logs.php?c=, hxxp://bangortalk.org[.]uk/speakers.php?c=, hxxp://best2.thebestconference[.]org/ccb/browse_cat.php?c=, hxxp://cbpexbrasilia.com[.]br/wp-content/plugins/wordpress-seo/power.php?c=, hxxp://cbpexbrasilia.com[.]br/wp-includes/widgets/work.php?c=, hxxp://diplomat.com[.]sa/wp-content/plugins/wordpress-importer/cache.php?c=, hxxp://feribschat[.]eu/logs.php?c=, hxxp://magical-energy[.]com/css.aspx?c=, hxxp://magical-energy[.]com/css/css.aspx?c=, hxxp://mainandstrand[.]com/work.php?c=, hxxp://riyadhfoods[.]com/css/edu.aspx?c=, hxxp://riyadhfoods[.]com/jquery-ui/js/jquery.aspx?c=, hxxp://school.suliparwarda[.]com/components/com_akeeba/work.php?c=, hxxp://school.suliparwarda[.]com/plugins/editors/codemirror/work.php?c=, hxxp://suliparwarda[.]com/wp-content/plugins/entry-views/work.php?c=, hxxp://suliparwarda[.]com/wp-content/themes/twentyfifteen/work.php?c=, hxxp://tmclub[.]eu/clubdata.php?c=, hxxp://watyanagr.nfe.go[.]th/watyanagr/power.php?c=, hxxp://whiver[.]in/power.php?c=, hxxp://www.akhtaredanesh[.]com/d/file/sym/work.php?c=, hxxp://www.akhtaredanesh[.]com/d/oschool/power.php?c=, hxxp://www.arcadecreative[.]com/work.php?c=, hxxp://www.armaholic[.]com/list.php?c=, hxxp://www.asan-max[.]com/files/articles/css.aspx?c=, hxxp://www.asan-max[.]com/files/articles/large/css.aspx?c=, hxxp://www.autotrans[.]hr/index.php?c=, hxxp://www.dafc.co[.]uk/news.php?c=, hxxp://www.eapa[.]org/asphalt.php?c=, hxxp://www.elev8tor[.]com/show-work.php?c=, hxxp://www.jdarchs[.]com/work.php?c=, hxxp://www.kunkrooann[.]com/inc/work.php?c=, hxxp://www.mackellarscreenworks[.]com/work.php?c=, hxxp://www.mitegen[.]com/mic_catalog.php?c=, hxxp://www.nigelwhitfield[.]com/v2/work.php?c=, hxxp://www.pomegranates[.]org/index.php?c=, 
hxxp://www.ridefox[.]com/content.php?c=, hxxp://www.shapingtomorrowsworld[.]org/category.php?c=, hxxp://www.vanessajackson.co[.]uk/work.php?c=, hxxp://www.yaran[.]co//wp-content/plugins/so-masonry/logs.php?c=, hxxp://www.yaran[.]co/wp-includes/widgets/logs.php?c=, hxxp://www.ztm.waw[.]pl/pop.php?c=, hxxps://coa.inducks[.]org/publication.php?c=, hxxps://mhtevents[.]com/account.php?c=, hxxps://skepticalscience[.]com/graphics.php?c=, hxxps://wallpapercase[.]com/wp-content/themes/twentyfifteen/logs.php?c=, hxxps://wallpapercase[.]com/wp-includes/customize/logs.php?c=, hxxps://www.spearhead-training[.]com//html/power.php?c=, hxxps://www.spearhead-training[.]com/work.php?c=, azmwn.suliparwarda[.]com, bangortalk.org[.]uk, best2.thebestconference[.]org, cbpexbrasilia.com[.]br, coa.inducks[.]org, diplomat.com[.]sa, feribschat[.]eu, magical-energy[.]com, mainandstrand[.]com, mhtevents[.]com, riyadhfoods[.]com, school.suliparwarda[.]com, skepticalscience[.]com, suliparwarda[.]com, tmclub[.]eu, wallpapercase[.]com, watyanagr.nfe.go[.]th, whiver[.]in, www.akhtaredanesh[.]com, www.arcadecreative[.]com, www.armaholic[.]com, www.asan-max[.]com, www.autotrans[.]hr, www.dafc.co[.]uk, www.eapa[.]org, www.elev8tor[.]com, www.jdarchs[.]com, www.kunkrooann[.]com, www.mackellarscreenworks[.]com, www.mitegen[.]com, www.nigelwhitfield[.]com, www.pomegranates[.]org, www.ridefox[.]com, www.shapingtomorrowsworld[.]org, www.spearhead-training[.]com, www.vanessajackson.co[.]uk, www.yaran[.]co, www.ztm.waw[.]pl

MuddyWater | Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs

Source: Security 0wnage - October 2017

Detection (17 cases): 138[.]201.75.227, 144[.]76.109.88, 148[.]251.204.131, 1b60b7f9b0faf25288f1057b154413921a6cb373dcee43e831b9263c5b3077ce, 2c8d18f03b6624fa38cae0141b91932ba9dc1221ec5cf7f841a2f7e31685e6a1, 367021beedb3ad415c69c9a0e657dc3ed82b1b24a41a71537d889f5e2b7ca433, 58282917a024ac252966650361ac4cbbbed48a0df7cab7b9a6329d4a04551c0d, 58898648a68f0639c06bedc8242ca48bc6ec56f11ed40d00aa5fdda4e5553482, 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f, 5d049bd7f478ea5d978b3c78f7f0afdf294a94f526fc20ffd6e33022d40d15ae, 605fefc7829cfa41710e0b844084eab1f180fe513adc1d8f0f82501a154db0f4, 81523e0199ae1dc9e87d2b952642785bfbda6326f22e4c0794a19afdf001a9a3, 90b66b3fef77962fbfda364a4f8799bfcc9ab73772026d7a8922a7cf5556a024, 917a6c816684f22934e2998f43633179e14dcc2e609c6931dd2fc36098c48028, 96101de2386e35bc5e38d32524a02c6c5ca7cc6624e656a629b2e0f1693a76fd, 97f9a83bc6bb1b3f5cb7ac9401f95265597bff796bb4901631d6fa2c79a48bdc, a3c1fd46177a078c4b95c744a24103df7d0a58cee1a3be92bc4cdd7dec1b1aa5

Unknown | Saudi Arabian Government Hit by Stealthy Macro Malware

Source: Malwarebytes - September 2017

Detection (1 case): 144[.]76.109.88

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.