Iranian government-sponsored hackers target government, commercial networks using MuddyWater malware

A group of Iranian government-sponsored advanced persistent threat (APT) actors, known as ‘MuddyWater malware,’ has targeted a range of government and private-sector organizations in sectors including telecommunications, defense, local government, and oil and natural gas, across Asia, Africa, Europe, and North America, according to an alert issued by U.S. and U.K. security agencies.

“MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS),” the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command Cyber National Mission Force (CNMF), along with the U.K.’s National Cyber Security Centre (NCSC-UK) observed in a joint cybersecurity alert issued on Thursday. 

“FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity,” it added.

In late January, researchers at Cisco Talos identified a campaign operated by MuddyWater hackers targeting Turkish private organizations alongside governmental institutions. Talos attributed the campaign with high confidence to MuddyWater, an APT group recently attributed to Iran’s MOIS.

“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise,” the researchers said in a blog post. “MuddyWater’s use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command,” it added.

Thursday’s joint cybersecurity alert revealed that the MuddyWater malware is positioned both to provide stolen data and access to the Iranian government, and to share these with other malicious hackers. The group is known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These hackers also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs) to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control (C2) functions. 

As part of its spearphishing campaign, the MuddyWater malware attempts to coax targeted victims into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network, the agencies said. 

MuddyWater malware also uses techniques such as side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide C2 functions, the alert said. The group also uses multiple malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for loading malware, backdoor access, persistence, and exfiltration.

Of the 23 files identified as MuddyWater tools and malware samples analyzed, 14 were identified as variants of the POWGOOP malware family, CISA said in its Malware Analysis Report.

“Two files were identified as JavaScript files that contain a PowerShell beacon. One file was identified as a Mori backdoor sample,” the report said. “Two malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim’s system data to a command and control (C2),” it added.

The NCSC-UK analyzed Small Sieve, a simple Python backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer that places the Python backdoor on disk and adds it as a registry Run key, enabling persistence, the alert said. MuddyWater malware disguises malicious executables and uses filenames and registry key names associated with Microsoft’s Windows Defender to avoid detection during casual inspection. The APT group has also used misspelled variations of Microsoft, such as “Microsift,” and of Outlook in the filenames associated with Small Sieve, it added.
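As an added illustration (not code from the advisory or this article), a defender-side check for the persistence and masquerading tactic described above: it scans Run-key entries, as you would export them from the `...\CurrentVersion\Run` keys, for near-miss spellings of Microsoft product names and for Microsoft-themed entries that launch a script interpreter such as Python. The sample entries, the brand-name list and the similarity threshold are constructed assumptions, not indicators from the alert.

```python
"""Hunt Run-key persistence that masquerades as Microsoft / Windows Defender components.

Constructed example: it works on (value name, command) pairs exported from the
HKCU/HKLM ...\CurrentVersion\Run keys, so it runs offline without registry access.
"""
import re
from difflib import SequenceMatcher

BRAND_TOKENS = ("microsoft", "defender", "outlook")  # product names the alert says Small Sieve imitates
INTERPRETER = re.compile(r"\b(python\w*|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b")

# Constructed sample entries (not real indicators): two benign, two modelled on the described tactic.
SAMPLE_RUN_KEYS = [
    ("SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Microsift Defender", r"C:\Users\alice\AppData\Roaming\Microsift\python.exe C:\Users\alice\AppData\Roaming\Microsift\defender.py"),
    ("Outlook Updater", r"wscript.exe C:\ProgramData\Outlook\update.vbs"),
]


def lookalike_tokens(text):
    """Brand names that a word in `text` nearly, but not exactly, spells (e.g. 'Microsift' -> 'microsoft')."""
    hits = set()
    for word in re.findall(r"[a-z]+", text.lower()):
        for token in BRAND_TOKENS:
            if word == token or len(word) < 5 or token.startswith(word) or word.startswith(token):
                continue  # exact name, too short to judge, or merely a plural/truncation
            if SequenceMatcher(None, word, token).ratio() >= 0.8:  # assumed threshold
                hits.add(token)
    return sorted(hits)


def suspicious_reasons(name, command):
    """Return the reasons one Run entry looks like masquerading persistence (empty list if none)."""
    reasons = []
    blob = f"{name} {command}".lower()
    lookalikes = lookalike_tokens(blob)
    if lookalikes:
        reasons.append("near-miss spelling of " + ", ".join(lookalikes))
    if any(t in blob for t in BRAND_TOKENS) and INTERPRETER.search(command.lower()):
        reasons.append("Microsoft-themed entry launches a script interpreter")
    return reasons


def scan_run_keys(entries):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries if (r := suspicious_reasons(name, cmd))}


if __name__ == "__main__":
    for name, reasons in scan_run_keys(SAMPLE_RUN_KEYS).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```

Exact spellings of the brand names are deliberately not flagged on their own, since legitimate Defender and Office entries contain them; the interpreter rule is what separates a Python-backed "Defender" from the real one.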

On Wednesday, U.S. and U.K. security agencies warned of another hacker group, identified as Sandworm or Voodoo Bear, that uses a new malware referred to as ‘Cyclops Blink.’ The agencies have previously attributed Sandworm to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST), the alert added.

“Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices,” the alert said. “This advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm,” it added.

The BlackEnergy disruption of Ukrainian electricity in 2015, Industroyer in 2016, NotPetya in 2017, attacks against the Winter Olympics and Paralympics in 2018, and a series of disruptive attacks against Georgia in 2019 have previously been attributed to Sandworm. 

Earlier this week, CISA warned critical infrastructure installations of malicious hackers using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. The measure comes amid escalating Russia-Ukraine geopolitical tensions.

Additionally, the security agency issued a ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially impact public safety. 
