Executive Summary
In February 2022, CISA, the Federal Bureau of Investigation (FBI), the U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) released a joint statement regarding their observation of Iranian government-sponsored APT MuddyWater and their malicious cyber activity. MuddyWater is known for cyber espionage, as well as other cybercriminal operations as part of Iran’s Ministry of Intelligence and Security.
The threat actors have targeted several government and private sector organizations in the defense, oil and natural gas, local government, and telecommunications industries – focusing on Asia, Africa, Europe, and North America.
MuddyWater conducts broad cyber campaigns, exploiting publicly reported vulnerabilities and using open-source tools and strategies to gain access to their target’s systems. Let’s take a look at MuddyWater, their tactics, and their techniques, as well as the current state of cyber espionage.
Also known as MERCURY, Earth Vetala, Static Kitten, Seedworm, and TEMP.Zagros, MuddyWater is an Iranian APT and a subservient element within the Iranian Ministry of Intelligence and Security (MOIS). The group has been active since 2018 and has provided stolen data and access to the Iranian government by exploiting known vulnerabilities and using open-source tools to deploy their ransomware.
In November 2021, Cisco Talos observed a campaign targeting Turkish government entities, including the Scientific and Technological Research Council of Turkey – Tubitak. MuddyWater has three goals when conducting their attacks: cyber espionage, intellectual property theft, and ransomware attacks.
MuddyWater uses several malware variants such as PowGoop, Canopy, Small Sieve, POWERSTATS, and Mori. MuddyWater also uses malicious documents to deploy Remote Access Trojans (RATs) on vulnerable systems. According to Cisco Talos, MuddyWater plants a malicious macro in their documents that, once triggered, drops two WSF files on the endpoint. Additionally, MuddyWater uses DNS to contact the command and control (C2), while original contact with hosting servers is done via HTTP. PowerShell and Visual Basic scripting are used for their initial payload, in addition to LoLBins to assist in the initial stages of infection.
As we previously stated, MuddyWater was seen targeting Turkish government entities in November 2021. Cisco Talos observed that the campaign included malicious Excel documents (also known as XLS maldocs) and executables stored on a file hosting domain named “snapfile[.]org” that are delivered to victims via PDF documents with embedded links.
MuddyWater hosts the maldocs on attacker-controlled or public media-sharing websites which are downloaded by malicious PDFs. The PDFs are distributed via email and are designed to trick targets into downloading and opening them. Research shows that MuddyWater uses malicious PDFs as their entry point for their attacks. Additionally, a set of malicious Excel spreadsheet files were seen distributed with Turkish names, some masquerading as legitimate documents from the Turkish Health and Interior Ministries.
Image 1: Files with Turkish Names
Source: Cisco Talos
MuddyWater’s maldocs include malicious VBA macros that are instrumental in the infection chain. This infection chain has three key artifacts on the infected endpoint. According to Cisco Talos, they include:
As stated above, the delivery method for MuddyWater’s malware is done by distributing malicious PDFs with embedded links. The first stage includes the target trying to open the PDF file, which then displays an error message that asks the target to click on a link to resolve the issue. After clicking the download button, the endpoint receives a second stage which is a Windows executable or a malicious XLS file.
Image 2: Infection Chain
Source: Cisco Talos
Sometimes, MuddyWater uses decoy documents in the executable-based threat vector with content that’s similar to the original PDF files disseminating the maldocs and executables. Malicious PowerShell scripts are downloaded and executed once the victim opens the document. In this infection chain, intermediate VBS scripts are replaced with a PowerShell implementation, which creates a directory in the victim’s home folder. There are two PowerShell scripts stored in the directory:
In August 2021, MuddyWater deployed another version of the executable and targeted Pakistani entities. This version also included a decoy document followed by the use of a PowerShell-based downloader script. The Registry run key is used for persistence. It’s unclear if the Turkish attacks in November 2021 were a continuation of Pakistani-related activity.
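The infection chain described above (an Office maldoc whose macro launches WSF scripts or PowerShell, followed by a Registry run key for persistence) can be expressed as detection logic. The script below is an added example, not code from the report or from Cisco Talos; it runs over constructed Sysmon-style events, and the event field names, paths and file names are assumptions.

```python
"""Detection logic for the MuddyWater-style maldoc chain described above.
Added example (not from the original report or Cisco Talos): it scans
constructed Sysmon-style process-creation and registry events for the
behaviours the text describes: an Office process launching a .wsf script
or PowerShell, and a Run key set for persistence. Field names are assumed.
"""
import re

OFFICE = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "EXCEL.EXE", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\a.wsf"'},
    {"type": "process", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -f C:\\Users\\u\\x\\s1.ps1"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "powershell.exe -w hidden -f C:\\Users\\u\\x\\s2.ps1"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Date"},  # benign: not Office-spawned
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_maldoc_chain(events):
    """Return (technique, evidence) pairs for events matching the chain."""
    hits = []
    for e in events:
        if e["type"] == "process" and basename(e["parent"]) in OFFICE:
            img = basename(e["image"])
            if img in SCRIPT_HOSTS and ".wsf" in e["cmdline"].lower():
                hits.append(("office->wsf", e["cmdline"]))
            elif img == "powershell.exe":
                hits.append(("office->powershell", e["cmdline"]))
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            if basename(e["value"].split()[0]) in SCRIPT_HOSTS | {"powershell.exe"}:
                hits.append(("runkey-persistence", e["key"]))
    return hits

if __name__ == "__main__":
    for technique, evidence in detect_maldoc_chain(SAMPLE_EVENTS):
        print(f"{technique}: {evidence}")
```

The benign explorer.exe-spawned PowerShell event is deliberately included to show that the rule keys on the Office parent, not on PowerShell alone.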
Image 3: Malicious Document Sent to Pakistan Victims
Source: Cisco Talos
In April 2021, MuddyWater was observed deploying a RAT and the EXE-based infection vector from the Pakistan attack. They were also seen targeting Armenia in June 2021 using the same types of Windows executable files. All of the above campaigns used an implementation of signaling tokens.
Image 4: MuddyWater Campaigns Observed by Talos
Source: Cisco Talos
Because MuddyWater has used a variety of lures and has targeted different geographic regions, cyber analysts are saying that MuddyWater is more than likely a conglomerate of subgroups and not a single threat actor. The sub-groups that Cisco Talos observed appear to operate independently and are motivated by espionage, intellectual property theft, and destructive or disruptive operations, depending on their victims.
The Turkish, Pakistani, and other campaigns researchers observed involve the same TTPs, as evidenced by the gradual adoption of various techniques over time within the campaigns. Cisco Talos believes there are links between the various campaigns, including MuddyWater’s migration of “techniques from region to region, along with their evolution into more advanced versions.”
Most nation-state threat actors’ goal is cyber espionage, which makes them a serious threat to the U.S. and other countries. We previously mentioned that cyber espionage is primarily politically motivated and today’s threat landscape is seeing this kind of cyber attack more frequently.
Although it can be difficult for law enforcement to crack down on nation-state threat actors, there has been some success in finding and arresting some groups. In March 2022, Avertium published a report featuring the nation-state threat actor APT40 and their espionage attacks on the maritime, robotics, and biomedical industries. The threat actor has focused their attacks on the U.S., Canada, Europe, the Middle East, and the South China Sea.
In July 2019, four members of the group were charged with attacking governments, universities, and various companies across the globe on behalf of the Chinese government. The four suspects were a part of a much larger operation that set up a company (Hainan Xiandun) as a front for their attack campaigns. According to the Intrusion Truth blog, Hainan Xiandun was under the direction of the Chinese Ministry of State Security (MSS), and an employee, Wu Shurong, worked as a hired hacker for the company. Shurong created malware and used it to compromise computer systems belonging to universities, governments, and companies.
The other three suspects were MSS officers who worked for the Hainan provincial department, their names are Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin. The U.S. alleged that the MSS has directed Bronze Mohawk’s attack campaigns since 2011 – directing them to steal confidential business information for dissemination in China. Bronze Mohawk’s attacks were conducted for the sole purpose of leaking sensitive information.
In 2021, President Biden stated that one of his goals was to strengthen the nation’s cyber security and bring other countries together to combat cybercrime and improve law enforcement cooperation. President Biden also acknowledged that securing supply chains and maintaining strong cyber security best practices should be continued work. This statement came after the attack on Kaseya – a supply chain ransomware attack conducted by REvil. Although the Kaseya attack was a ransomware supply-chain attack, supply chain attacks and nation-state threat actors are often linked.
In March 2022, the FBI stopped the Russian-state Cyclops Blink botnet from attacking the U.S. Cyclops Blink is a modular malware that infects internet-connected devices via firmware updates – targeting WatchGuard and ASUS devices. Cyclops Blink is controlled by the Russian Federation’s Main Intelligence Directorate and has compromised thousands of devices worldwide to date.
At the end of 2021, Security Week published an article stating that cyber espionage will remain a primary motive for nation-state adversaries in 2022.
“Hostile state activity will continue to focus primarily on espionage rather than on disruption and destruction. Several states, notably China, Russia, and Iran, will continue to conduct operations aimed at harvesting bulk data to support subsequent cyber operations and traditional espionage activities.” – Security Week
Threat actors like MuddyWater can gain unlimited access to networks and systems, furthering reconnaissance. Avertium is here to keep your organization safe and to mitigate any attacks caused by APTs like MuddyWater:
To identify the source of your breach and the scope that it reached, you’ll want to include Avertium’s DFIR (Digital Forensics and Incident Response) services in your protection plan. We offer DFIR to mitigate damage from a successful breach. This service is provided as an on-demand crisis response service, as well as a retainer-based program.
Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
MDR provides an in-depth investigation into potential threats to an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.
Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.
Tabletop Exercises: Have a good cyber incident response plan in place that has been tested with tabletop exercises.
Security Review: Be sure to review the plan and improve it every time it’s tested on real cyber threats.
Risk Analysis: Prevent an attack by ensuring your organization has a detailed defense strategy based on a risk analysis approach.
Cybersecurity Education: Educate your employees on cyber security preparedness and the dangers of opening potentially malicious documents. Annual or quarterly training modules can help prevent threat actors from tricking employees into opening malicious email attachments.
[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control
[T1560.001] Archive Collected Data: Archive via Utility
[T1059.001] Command and Scripting Interpreter: PowerShell
[T1059.003] Command and Scripting Interpreter: Windows Command Shell
[T1555] Credentials from Password Stores
[T1041] Exfiltration Over C2 Channel
[T1589.002] Gather Victim Identity Information: Email Addresses
Cyber Insights 2022: Nation-States | SecurityWeek.Com
Statement by President Joe Biden on Cybersecurity Awareness Month | The White House
Iranian APT: New Methods to Target Turkey, Arabian Peninsula (bankinfosecurity.com)
FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate (hackread.com)
Intellectual Property (IP) Theft Definition & Examples | Awake Security
LaZagne, Software S0349 | MITRE ATT&CK®
MuddyWater targets Middle Eastern and Asian countries in phishing attacks | TechRepublic
U.S. says Iranian 'MuddyWater' cyber actors targeting various sectors worldwide | Reuters
Biden Directs ‘Full Resources’ to Respond to Kaseya Ransomware Attack – MeriTalk
"Bronze Mohawk" & Cyber Espionage (avertium.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.