US CNMF discloses malware used by Iranian APT MuddyWater that could target telecom, oil sectors

The U.S. Cyber Command’s Cyber National Mission Force (CNMF) on Wednesday identified multiple open-source tools used by MuddyWater, an Iranian advanced persistent threat (APT) group that CNMF describes as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

The MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, lists MuddyWater as “an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to FIN7, but the group is believed to be a distinct group possibly motivated by espionage.”

“MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets critical infrastructure telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America,” Paul Veeneman, a cybersecurity expert, wrote in a LinkedIn post.

According to CNMF, “MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”

New samples showing the different parts of this suite of tools have been posted to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure, the CNMF added. The agency also said in a Twitter message that MuddyWater and other Iranian MOIS APTs “are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic.”
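As an added illustration of the CNMF’s advice on DNS tunneling (this is not code from the agency or from any of the cited reports), the following Python detector groups DNS query logs by client and base domain and flags groups whose subdomain labels look like encoded payload: many unique, long, high-entropy labels under one domain. The log format, the domain names and the thresholds are constructed assumptions to be tuned for a given environment.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <qtype> <qname>".
# zz-placeholder-c2.test is a made-up domain standing in for tunneling infrastructure.
SAMPLE_LOG = """\
2022-01-12T10:00:01Z 10.0.0.5 A www.example.com
2022-01-12T10:00:02Z 10.0.0.5 TXT 3f9a2c7e1b4d8e0a5c6f.zz-placeholder-c2.test
2022-01-12T10:00:03Z 10.0.0.5 TXT 9b1e4d7a2f6c0e3b8a5d.zz-placeholder-c2.test
2022-01-12T10:00:04Z 10.0.0.5 TXT c4e8a1f6b3d90e2a7c5b.zz-placeholder-c2.test
2022-01-12T10:00:05Z 10.0.0.5 TXT 7d2b9f0a4e6c1b8d3a5f.zz-placeholder-c2.test
2022-01-12T10:00:06Z 10.0.0.5 TXT e6a3c9d1f4b70a2e5c8b.zz-placeholder-c2.test
2022-01-12T10:00:07Z 10.0.0.7 A mail.example.com
2022-01-12T10:00:08Z 10.0.0.7 A www.example.com
2022-01-12T10:00:09Z 10.0.0.7 A cdn.example.com
2022-01-12T10:00:10Z 10.0.0.7 A api.example.com
2022-01-12T10:00:11Z 10.0.0.7 A img.example.com
"""

def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_dns_tunneling(log_text, min_queries=5, min_unique_ratio=0.8,
                       min_label_len=16, min_entropy=3.0):
    """Flag (client, base domain) pairs whose leftmost labels resemble encoded data.
    Assumption: the base domain is the last two labels (no public-suffix list used)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, _qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare domain, no subdomain to carry data
        groups[(client, ".".join(labels[-2:]))].append(labels[0])
    flagged = []
    for (client, base), first_labels in groups.items():
        if len(first_labels) < min_queries:
            continue
        unique_ratio = len(set(first_labels)) / len(first_labels)
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if unique_ratio >= min_unique_ratio and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append({"client": client, "domain": base, "queries": len(first_labels),
                            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return flagged
```

Benign clients that query many short, dictionary-like hostnames under one domain stay below the length and entropy thresholds, while a client emitting a stream of unique encoded labels to a single domain is flagged for outbound-traffic review.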

The CNMF cited a Congressional Research Service report from July last year that said the “MOIS conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies. It works closely with IRGC-Qods Force agents outside Iran, although the two institutions sometimes differ in their approaches, as has been reportedly the case in deciding on which politicians to support in Iraq.”

Should a network operator identify several of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors, the CNMF said.

Analysis of MuddyWater activity suggests the group continues to evolve and adapt its techniques, Amitai Ben Shushan Ehrlich wrote in a blog post for SentinelOne on Wednesday. “While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection. This is observed through the three distinct activities observed and analyzed in this report: The evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations,” he added.

Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups, according to Ehrlich. “Even so, it appears MuddyWater’s persistency is a key to their success, and their lack of sophistication does not appear to prevent them from achieving their goals,” he added.

Earlier this week, U.S. security agencies released a joint cybersecurity advisory (CSA), providing an overview of Russian state-sponsored cyber operations, with their commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations. The overview is intended to help the cybersecurity community, especially critical infrastructure network defenders, reduce the risk presented by these threats.
