MuddyWater hackers now detected in cyber attacks targeting industries across Turkey, other Asian countries


Researchers at Cisco Talos have observed cyber attackers targeting Turkey and other Asian countries that they believe with high confidence belong to groups operating under the MuddyWater umbrella of advanced persistent threat (APT) groups. The MuddyWater hackers are believed to be ‘a conglomerate of multiple teams operating independently rather than a single threat actor group,’ and they conduct campaigns against various industries, including national and local governments and ministries, universities and private entities such as telecommunication providers.

“These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript,” Cisco said in a blog post last week. U.S. security agencies had also recently linked the MuddyWater hackers to Iran’s Ministry of Intelligence and Security (MOIS).

Cisco Talos has identified multiple campaigns and tools being perpetrated by the MuddyWater APT group, widely considered to be affiliated with Iranian interests. These threat actors are considered extremely motivated and persistent when it comes to targeting victims across the globe, it added. 

Talos had disclosed a MuddyWater campaign in January targeting Turkish entities that leveraged maldocs and executable-based infection chains to deliver multistage, PowerShell-based downloader malware. The group previously used the same tactics to target other countries in Asia, such as Armenia and Pakistan.

“In our latest findings, we discovered a new campaign targeting Turkey and the Arabian peninsula with maldocs to deliver a Windows script file (WSF)-based remote access trojan (RAT) we’re calling ‘SloughRAT,’ an implant known as ‘canopy’ in CISA’s most recent alert from February 2022 about MuddyWater,” the researchers wrote. “This trojan, although obfuscated, is relatively simple and attempts to execute arbitrary code and commands received from its command and control (C2) servers,” they added.

Canopy was identified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its alert last month on the MuddyWater hackers. The APT group is said to have conducted campaigns against various industries, including national and local governments, ministries, universities, and private entities such as telecommunication providers. 

The Cisco investigation also led to the discovery of two additional script-based implants: one written in Visual Basic (VB), used between late 2021 and 2022, and one written in JavaScript, used between 2019 and 2020, which also downloads and runs arbitrary commands on the victim’s system.

MuddyWater’s variety of lures and payloads, along with the targeting of several different geographic regions, suggest that the APT hacker group is a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world, the researchers said. 

Cisco also found that the teams appear to share some techniques and evolve them as needed. “This sharing is possibly the result of contractors that move from team to team, or the use of the same development and operational contractors across each team,” according to the researchers. “The latter also explains why we have seen simple indicators such as unique strings and watermarks shared between MuddyWater and the Phosphorus (aka APT35 and Charming Kitten) APT groups. These groups are attributed to different Iranian state organizations — the MOIS and IRGC, respectively,” they added.

Cisco said that a variety of campaigns analyzed are marked by the development and use of distinct infection vectors and tools to gain entry, establish long-term access, siphon valuable information and monitor their targets. “The MuddyWater teams appear to share TTPs, as evidenced by the incremental adoption of various techniques over time in different MuddyWater campaigns,” it added.

The researchers initially observed the usage of tokens for signaling last April in a campaign against Pakistan through a simple dropper that downloads the ‘Connectwise’ remote administration tool. “Later, in June, we see the first usage of the executable dropper against Armenia. The dropped payload is a PowerShell script that loads another PowerShell script that downloads and executes a final PowerShell-based payload,” they added.

The two techniques were then combined later in August in a campaign targeting Pakistan, this time still using the homemade tokens, according to the researchers. Later, the actors graduated to a more professional implementation of the token by using canarytokens[.]com’s infrastructure. canarytokens[.]com is a legitimate service that MuddyWater uses to make their operations appear less suspicious. These techniques were next leveraged in a November campaign targeting Turkey, wherein the MuddyWater hackers used maldocs with tokens and the same executable droppers previously seen targeting Armenia and Pakistan, they added.
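The token-based signaling described above, together with the maldoc-to-script-interpreter chains (PowerShell, VB and WSF downloaders) mentioned earlier, is the kind of behaviour a defender can look for in endpoint telemetry. The following is an added example, not code from Cisco Talos or from this article: it runs two simple rules over a handful of constructed log lines, flagging an Office application spawning a script host and a DNS lookup for canarytokens.com. The key="value" log format, the host names and the process paths are assumptions made for the example.

```python
"""
Added example (not from the Cisco Talos report or this article): a small
detection pass over constructed endpoint telemetry.

Rule 1: an Office application spawning a script interpreter, which is the
        shape of the maldoc -> PowerShell / VB / WSF downloader chain.
Rule 2: a DNS query for canarytokens.com, the legitimate service the report
        says MuddyWater maldocs used to signal that a document was opened.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Watchlists are this example's own choices, not taken from the report.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TOKEN_DOMAINS = {"canarytokens.com"}

# Assumed telemetry format: space-separated key="value" pairs on one line.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (host names and paths are invented for the example).
SAMPLE_LOGS = [
    r'type="process" host="WS01" parent="C:\Windows\explorer.exe" '
    r'image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'cmdline="WINWORD.EXE /n report.docx"',
    r'type="process" host="WS01" '
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image="C:\Windows\System32\wscript.exe" '
    r'cmdline="wscript.exe //e:wsf C:\Users\u\AppData\Local\Temp\update.wsf"',
    r'type="dns" host="WS01" query="abc123.canarytokens.com"',
    r'type="process" host="WS02" parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"',
    r'type="dns" host="WS02" query="www.example.com"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one key="value" telemetry line into a dict."""
    return dict(_KV.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_token_domain(query: str) -> bool:
    """True if the query is a token domain or any subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in TOKEN_DOMAINS)


def detect(lines: Iterable[str]) -> List[Finding]:
    """Apply both rules to the given log lines and return the findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            parent = basename(ev.get("parent", ""))
            image = basename(ev.get("image", ""))
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(Finding(
                    "office_spawns_script_host", host,
                    f"{parent} -> {image}: {ev.get('cmdline', '')}"))
        elif ev.get("type") == "dns":
            query = ev.get("query", "")
            if is_token_domain(query):
                findings.append(Finding("canarytoken_dns", host, query))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run as a script it prints two findings, both on WS01. Because canarytokens.com is a legitimate service with many benign users, the DNS rule is a triage signal to be correlated with the process rule (same host, short time window), not a verdict on its own; the process rule carries more weight and generalises to any maldoc chain that lands in a script host, whichever downloader language the operator chose.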

Last March, MuddyWater hackers were observed using the Ligolo reverse-tunneling tool in attacks on Middle Eastern countries. The tactic was later reused in December, along with the introduction of a new implant. Beginning in December, Cisco observed MuddyWater using a new WSF-based RAT that it named ‘SloughRAT’ to target countries in the Arabian Peninsula. During its investigation, the researchers detected another version of SloughRAT being deployed against entities in Jordan. 

All these attacks trace a pattern of multiple commonalities in some key infection artifacts and TTPs, while retaining enough operational distinctions, the researchers said. The pattern can be broken down into the introduction of a TTP in one geography, a delay of typically two or three months, and then the reuse of that same TTP in a completely different geography, alongside other proven TTPs borrowed from campaigns conducted elsewhere. In almost every geographically distinct campaign, at least one TTP completely novel to MuddyWater’s tactics is also introduced, they added.

Cybersecurity firm Mandiant identified last week that the persistent effort of a prolific Chinese state-sponsored espionage group, APT41, allowed it to compromise at least six U.S. state government networks by exploiting vulnerable Internet-facing web applications.

Last week, the Office of the Director of National Intelligence (ODNI) assessed potential cyber-attacks from China, Iran, North Korea and Russia on the U.S. critical infrastructure sector. It evaluated that China ‘presents the broadest, most active, and persistent cyber-espionage threat’ to U.S. government and private sector networks.
