Threats Feed | MuddyWater | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 15/04/2019

MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malicious Macro
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Iranian APT group MuddyWater targeted Kurdish political groups and Turkish defense sector organizations with emails carrying malicious Word documents. The documents contained embedded macros that used PowerShell to execute various commands and to modify registry values for persistence. The macros also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign marks an evolution in MuddyWater's attack methods: the malware is now extracted locally rather than fetched from a C2 server.

Detected Targets

  • Case: Iraq Kurdistan Regional Government (Confidence: Verified)
    The Kurdistan Regional Government (KRG) is the official executive body of the autonomous Kurdistan Region of northern Iraq. The Iraq Kurdistan Regional Government has been targeted by MuddyWater for malicious purposes.
  • Case: Komala Party of Iranian Kurdistan (Confidence: Verified)
    The Komala Party of Iranian Kurdistan, commonly shortened to Komalah, is a social-democratic ethnic party of Kurds in Iran. The Komala Party of Iranian Kurdistan has been targeted by MuddyWater as the main target.
  • Sector: Defense (Confidence: Verified)
  • Sector: Military (Confidence: Verified)
  • Sector: Political (Confidence: Verified)
  • Region: Iraq (Confidence: Verified)
  • Region: Turkey (Confidence: Verified)

Extracted IOCs

  • 0638adf8fb4095d60fbef190a759aa9e
  • 09aabd2613d339d90ddbd4b7c09195a9
  • 21aebece73549b3c4355a6060df410e9
  • 2b938a9b20e7abcadd28a0f461a4e5d8
  • 5c1af7d3dbb9bc455b793f1e3e0b2554
  • 76f6c0bf075f9ae02a9a9e08cce1297d
  • 8a004e93d7ee3b26d94156768bc0839d
  • 8a7b2167c14a0158b3e9a43453a3e8f3
  • a066f5b93f4ac85e9adfe5ff3b10bc28
  • c8b271efec98e83a343933a32eff30d5
  • cfa845995b851aacdf40b8e6a5b87ba7
  • d4de6b8ffcd878359315594515dd33c0
  • eed599981c097944fa143e7d7f7e17b1
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • 34bfdae99838f048d9950614d338ec06653eacee
  • 6d0050f16c61cf1584bdfd6ab891d5b9d4d6bbf3
  • 78c1279f80c76d12debf9e875d14b4788bd88a39
  • 9732cf8c9e84e992d8856537dc5988371bb73f7c
  • b604dd6517dfd0df72e52ebc3f92da699c1396cd
  • cc183b583d24147766533876d9b9b54b6f1f4aaf
  • dbab599d65a65976e68764b421320ab5af60236f
  • 062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717
  • 0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
  • 4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
  • 6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
  • 7b4da8f9ffa435c689923b7245133ee032f99fcd841516f2e2275fb4b76d28f9
  • bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
  • c25eeac6044dbc87c37063a9c6ed80c73966e41d50fc96065c2793fbf841ef3c
  • 185[.]247.137.89
  • 46[.]105.84.146
  • 51[.]255.219.222
  • 94[.]23.148.194
  • 46[.]105.84.146:443/wordoffice[.]jpg

Tip: 33 IOCs related to this threat have been found (4 IP, 0 domain, 1 URL, 0 email, 28 file hash).
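As an added example (not part of the Certfa Radar feed or its tooling), the following Python script takes the IOC list above exactly as published (defanged with `[.]`), refangs it, classifies each indicator by type so the counts in the tip can be checked, and then sweeps a few constructed proxy and EDR log lines for matches. The `SAMPLE_LOG` lines and the `classify`/`sweep_log` helpers are my own constructions, not anything the report describes.

```python
import re

# IOCs exactly as published in the feed above (defanged with "[.]"),
# whitespace-separated so the whole list can be pasted as one block.
RAW_IOCS = """
0638adf8fb4095d60fbef190a759aa9e 09aabd2613d339d90ddbd4b7c09195a9
21aebece73549b3c4355a6060df410e9 2b938a9b20e7abcadd28a0f461a4e5d8
5c1af7d3dbb9bc455b793f1e3e0b2554 76f6c0bf075f9ae02a9a9e08cce1297d
8a004e93d7ee3b26d94156768bc0839d 8a7b2167c14a0158b3e9a43453a3e8f3
a066f5b93f4ac85e9adfe5ff3b10bc28 c8b271efec98e83a343933a32eff30d5
cfa845995b851aacdf40b8e6a5b87ba7 d4de6b8ffcd878359315594515dd33c0
eed599981c097944fa143e7d7f7e17b1 f12bab5541a7d8ef4bbca81f6fc835a3
34bfdae99838f048d9950614d338ec06653eacee 6d0050f16c61cf1584bdfd6ab891d5b9d4d6bbf3
78c1279f80c76d12debf9e875d14b4788bd88a39 9732cf8c9e84e992d8856537dc5988371bb73f7c
b604dd6517dfd0df72e52ebc3f92da699c1396cd cc183b583d24147766533876d9b9b54b6f1f4aaf
dbab599d65a65976e68764b421320ab5af60236f
062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717
0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2
4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60
6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad
7b4da8f9ffa435c689923b7245133ee032f99fcd841516f2e2275fb4b76d28f9
bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6
c25eeac6044dbc87c37063a9c6ed80c73966e41d50fc96065c2793fbf841ef3c
185[.]247.137.89 46[.]105.84.146 51[.]255.219.222 94[.]23.148.194
46[.]105.84.146:443/wordoffice[.]jpg
""".split()


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be matched in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def _valid_ipv4(value: str) -> bool:
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify(ioc: str) -> str:
    """Return the indicator type: md5, sha1, sha256, ipv4, url, email, domain or unknown."""
    s = refang(ioc)
    if re.fullmatch(r"[0-9a-f]{32}", s):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", s):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", s):
        return "sha256"
    if _valid_ipv4(s):
        return "ipv4"
    # A URL: either an explicit scheme, or a host followed by a port and/or path.
    if re.fullmatch(r"https?://\S+", s) or re.fullmatch(r"[a-z0-9.\-]+(:\d{1,5})?/\S*", s):
        return "url"
    if re.fullmatch(r"[^@\s]+@[a-z0-9.\-]+\.[a-z]{2,}", s):
        return "email"
    if re.fullmatch(r"[a-z0-9\-]+(\.[a-z0-9\-]+)*\.[a-z]{2,}", s):
        return "domain"
    return "unknown"


def summarize(iocs) -> dict:
    """Count indicators by type (the feed's tip reports 4 IP, 1 URL, 28 file hashes)."""
    counts: dict = {}
    for ioc in iocs:
        kind = classify(ioc)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample log lines (not from the report): mixed proxy and EDR events.
SAMPLE_LOG = [
    "2019-04-10T09:12:44Z proxy src=10.0.0.21 dst=94.23.148.194 dport=443 action=allow",
    "2019-04-10T09:13:02Z edr host=WS-17 file=invite.doc md5=21AEBECE73549B3C4355A6060DF410E9 action=quarantine",
    "2019-04-10T09:13:40Z proxy src=10.0.0.21 url=http://46.105.84.146:443/wordoffice.jpg action=allow",
    "2019-04-10T09:14:01Z proxy src=10.0.0.22 dst=8.8.8.8 dport=53 action=allow",
]


def sweep_log(lines, iocs):
    """Return (line_no, ioc, kind) for every log line that contains a published IOC.

    Hashes and IPs must match a whole token, so 46.105.84.1 does not alert on
    46.105.84.146; URLs are matched as substrings because they sit inside
    larger fields (scheme prefix, query strings)."""
    indicators = [(refang(i), classify(i)) for i in iocs]
    hits = []
    for line_no, line in enumerate(lines, 1):
        lowered = line.lower()
        tokens = set(re.split(r"[^0-9a-z.\-]+", lowered))
        for value, kind in indicators:
            if kind == "url":
                if value in lowered:
                    hits.append((line_no, value, kind))
            elif value in tokens:
                hits.append((line_no, value, kind))
    return hits


if __name__ == "__main__":
    print(summarize(RAW_IOCS))
    for hit in sweep_log(SAMPLE_LOG, RAW_IOCS):
        print("IOC match:", hit)
```

Run on the constructed log, the sweep flags the proxy connection to 94.23.148.194, the quarantined document whose MD5 is on the list (hashes are compared case-insensitively), and the download of wordoffice.jpg both as an IP hit and as a URL hit; the benign DNS line produces nothing. The type summary reproduces the feed's own counts (4 IP, 1 URL, 28 hashes), which is a cheap sanity check that nothing was lost while copying indicators into a detection rule.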

Overlaps

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (seven cases): 0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2, 21aebece73549b3c4355a6060df410e9, 9732cf8c9e84e992d8856537dc5988371bb73f7c, b604dd6517dfd0df72e52ebc3f92da699c1396cd, bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6, dbab599d65a65976e68764b421320ab5af60236f, eed599981c097944fa143e7d7f7e17b1

MuddyWater | BlackWater Campaign: MuddyWater's Advanced Evasion and Persistence Techniques

Source: Rewterz - May 2019

Detection (five cases): 94[.]23.148.194, 0638adf8fb4095d60fbef190a759aa9e, 21aebece73549b3c4355a6060df410e9, d4de6b8ffcd878359315594515dd33c0, eed599981c097944fa143e7d7f7e17b1

MuddyWater | MuddyWater's BlackWater: An In-depth Look at Advanced TTPs

Source: Cisco Talos - May 2019

Detection (six cases): 94[.]23.148.194, 062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717, 0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2, 4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60, 6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad, bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6

MuddyWater | MuddyWater Cyber Campaign Expands to Target Korek Telecom in Iraq

Source: 360 Threat Intelligence Center - March 2019

Detection (three cases): 46[.]105.84.146, 94[.]23.148.194, 09aabd2613d339d90ddbd4b7c09195a9

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.