MUDDYWATER APT GROUP
MuddyWater is an Iranian threat group. Researchers at Cisco Talos believe MuddyWater is “a group of multiple teams working independently rather than a single group of threat actors.” It primarily targets Middle Eastern countries, but has also targeted European and North American countries, followed by Turkey and other Asian countries. Talos describes the group as aggressive, running campaigns against a range of sectors, including national and local governments and ministries, universities, and private organizations such as telecommunications providers.
In November 2021, Cisco Talos observed a campaign targeting Turkish government institutions, including Tübitak.
ATTACK OBJECTIVES
MuddyWater has three purposes when performing its attacks:
Cyber Espionage: Occurs when a threat actor attacks an organization for political reasons. In MuddyWater's case, the group supports the nation-state's political dominance in the Middle East and is motivated in part by nation-state interests.
Intellectual Property Theft: Occurs when threat actors aim to capture the inventions, patents, and trade secrets of companies or specific individuals. MuddyWater pursues this by running aggressive campaigns against government-affiliated institutions such as research companies and universities.
Ransomware Attacks: Typically, ransomware attacks occur when a threat actor demands a ransom in exchange for stolen data. In MuddyWater's case, the group tried to deploy ransomware such as Thanos on victim networks for two purposes:
- Destroying evidence of their presence on the network or system.
- Disrupting the operations of private entities.
MuddyWater hosts malicious documents that are downloaded through links in malicious PDFs. The PDFs are distributed via email and are designed to trick targets into downloading and opening them. Research shows that MuddyWater uses malicious PDFs as the entry point for its attacks.
The group tries to get the victim to open the PDF file it sent, using convincing social-engineering lures to persuade the victim to do so.
PERSISTENCE
Additionally, a number of malicious Excel spreadsheet files were found being distributed with Turkish names, some of which appeared to be legitimate documents obtained from the Turkish Ministries of Health and Internal Affairs.
The purpose of the value written to the registry is to have the malware executed at every system startup, that is, to give it persistence on the system.
CHAIN OF INFECTION BASED ON MALICIOUS EXECUTABLE FILES
The initial distribution mechanism of the infection chains consists of malicious PDF files. The URL behind the download button in the PDF usually leads to a malicious XLS file whose macros drop the VBS and PS1 scripts that run the next stages.
However, a change in this infection chain has recently been observed. In this second variation, the PDF points to a URL that serves an EXE instead of a malicious XLS file.
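As an added detection example (not from the original report or from Cisco Talos), the script below triages constructed Sysmon-like process and registry events for the chain described above: an Office process spawning a script host (the XLS macro stage), encoded PowerShell (the PS1 stage), and a Run key pointing at a script (the persistence described under PERSISTENCE). The event shape and every path, user name and command line in it are assumptions made up for the example.

```python
from __future__ import annotations
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ENC_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|ps1|js|hta)\b", re.I)

# Constructed sample telemetry in a Sysmon-like shape; none of it is real MuddyWater data.
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ali\AppData\Local\Temp\saglik_bakanligi.vbs"'},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"wscript.exe //B C:\Users\ali\AppData\Roaming\update.vbs"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",   # benign: user opens a workbook
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'EXCEL.EXE "C:\Users\ali\Documents\butce.xlsx"'},
]

def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (ATT&CK id, reason) pairs for one event; empty list when nothing matches."""
    hits = []
    if ev["type"] == "process":
        parent, image = _name(ev["parent"]), _name(ev["image"])
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append(("T1204", f"{parent} spawned {image} (macro -> script stage)"))
        if image == "powershell.exe" and ENC_PS.search(ev["cmdline"]):
            hits.append(("T1059.001", "encoded PowerShell command line"))
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        first = ev["value"].split()[0].strip('"')
        if _name(first) in SCRIPT_HOSTS or SCRIPT_EXT.search(ev["value"]):
            hits.append(("T1547.001", f"Run key launches a script: {ev['value']}"))
    return hits

def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Run every event through check_event and flatten the findings in input order."""
    return [hit for ev in events for hit in check_event(ev)]

if __name__ == "__main__":
    for tid, why in triage(EVENTS):
        print(tid, why)
```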
Some precautions that can be taken against MuddyWater threats:
- Using multi-factor authentication.
- Enabling anti-malware and anti-virus software.
- Regularly installing updates and patches for the operating system and software as they are released.
- Training users to recognize and report social engineering and phishing attempts.
- Avoiding clicking on hyperlinks or attachments in emails or messages from unknown or untrusted sources.
TECHNIQUES THEY USED IN THEIR PREVIOUS ATTACKS
TTP ID | Technique |
---|---|
T1059 | Command and Scripting Interpreter: PowerShell |
T1027 | Obfuscated Files or Information |
T1036 | Masquerading |
T1574.002 | Hijack Execution Flow: DLL Side-Loading |
T1132 | Data Encoding |
T1572 | Protocol Tunneling |
CURRENT TECHNIQUES
TTP ID | Technique |
---|---|
T1566.001 | Phishing: Spearphishing Attachment |
T1204 | User Execution |
T1059.001 | Command and Scripting Interpreter: PowerShell |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
T1027 | Obfuscated Files or Information |
T1053.005 | Scheduled Task/Job: Scheduled Task |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
T1047 | Windows Management Instrumentation |
T1071 | Application Layer Protocol |