MuddyWater APT group is back with updated TTPs

The Iran-linked MuddyWater APT is targeting countries in the Middle East as well as Central and West Asia in a new campaign.

Deep Instinct’s Threat Research team uncovered a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) that was targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.

The experts pointed out that the campaign exhibits updated TTPs.

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The group evolved over the years by adding new attack techniques to its arsenal. Over the years the APT group also has also targeted European and North American nations. In January, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The campaign observed by Deep Instinct started in September differs from past ones for the use of a new remote administration tool named “Syncro.” MuddyWater is not the only threat actor abusing Syncro, the tool has also been employed in BatLoader and Luna Moth campaigns

The APT group used an HTML attachment as a lure and used additional providers for hosting the archives containing the installers of the remote administration tool.

HTML attachments are often delivered to the recipients and not blocked by antivirus and email security solutions.

In July, the threat actors were spotted using the ScreenConnect remote administration tool delivered using an installer named “promotion.msi.” The name “promotion.msi” was also used for the installers employed in the current campaign.

“The above ScreenConnect sample was communicating with “instance-q927ui-relay.screenconnect.com.” This instance was communicating with another MuddyWater MSI installer named “Ertiqa.msi” which is a name of a Saudi organization. In the current wave, MuddyWater used the same name “Ertiqa.msi,” but with Syncro installer.” reads the Deep Instinct’s analysis. “The target geolocations and sectors also align with previous targets of MuddyWater. Combined, these indicators provide us with enough proof to confirm that this is the MuddyWater threat group.”

Syncro has a 21-day trial offer that provides a fully featured web GUI to completely control a computer.

“You choose the subdomain to be used by your MSP.” continues the report. “While investigating some of the installers that MuddyWater used, we see that for each unique mail a new MSI was used. In most cases MuddyWater used a single subdomain with a single MSI installer.”

The experts also shared Indicators of Compromise (IoCs) for the recent campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MuddyWater)

[adrotate banner=”5″]

[adrotate banner=”13″]