Iranian Hackers Targeting Turkey
The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems.
“The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise,” Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report published today.
The group, which has been active since at least 2017, is known for its attacks on various sectors that help further advance Iran’s geopolitical and national security objectives. In January 2022, the U.S. Cyber Command attributed the actor to the country’s Ministry of Intelligence and Security (MOIS).
Google: Russian Hackers Target Ukrainians, European Allies via Phishing Attacks
MuddyWater is also believed to be a “conglomerate of multiple teams operating independently rather than a single threat actor group,” the cybersecurity firm added, making it an umbrella actor in the vein of Winnti, a China-based advanced persistent threat (APT).
The latest campaigns undertaken by the hacking crew involve the use of malware-laced documents delivered via phishing messages to deploy a remote access trojan called SloughRAT (aka Canopy by CISA) capable of executing arbitrary code and commands received from its command-and-control (C2) servers.
The maldoc, an Excel file containing a malicious macro, triggers the infection chain to drop two Windows Script Files (.WSF) on the endpoint, the first one of them acting as the instrument to invoke and execute the next-stage payload.
Also discovered are two additional script-based implants, one written in Visual Basic and the other coded in JavaScript, both of which are engineered to download and run malicious commands on the compromised host.
Iranian Hackers Targeting Turkey
