The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater’s ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.
“MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM’s Cyber National Mission Force (CNMF) said in a statement. “These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”
The agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor’s provenance.
Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, MuddyWater is known for its attacks primarily directed against a wide gamut of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East. The group is believed to have been active at least since 2017.
Recent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as ScreenConnect and Remote Utilities to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.
Last month, Symantec’s Threat Hunter Team publicized findings about a new wave of hacking activities unleashed by the Muddywater group against a string of telecom operators and IT companies throughout the Middle East and Asia during the previous six months using a blend of legitimate tools, publicly available malware, and living-off-the-land (LotL) methods.
Also incorporated into its toolset is a backdoor named Mori and a piece of malware called PowGoop, a DLL loader designed to decrypt and run a PowerShell-based script that establishes network communications with a remote server.
Malware samples attributed to the advanced persistent threat (APT) have been made available on the VirusTotal malware aggregation repository, which can be accessed here.
“Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques,” SentinelOne researcher Amitai Ben Shushan Ehrlich said. “While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.”