• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 

Watch out, Veeam fixed a new critical bug in Backup & Replication product

 | 

U.S. CISA adds Linux Kernel flaw to its Known Exploited Vulnerabilities catalog

 | 

News Flodrix botnet targets vulnerable Langflow servers

 | 

U.S. CISA adds Apple products, and TP-Link routers flaws to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Hacking
  • Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor

Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor

Pierluigi Paganini November 17, 2017

Researchers are investigating a mysterious wave of attacks in the Middle East that was dubbed MuddyWater due to the confusion in attributing the.

Security experts at Palo Alto Networks are monitoring long-lasting targeted attacks aimed at entities in the Middle East and that are difficult to attribute.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.

“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.

“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”

MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is similar to ones associated with a series of attacks discovered by experts at Morphisec.

The malicious documents associated with this last wave of attacks had been tailored according to the target regions.

Some of the attacks were attributed to the FIN7 that launched a campaign aimed at employees involved in SEC Filings.

Palo Alto Networks believe that the recent wave of attacks might have been mistakenly associated with the FIN7 group, it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was in MuddyWater attacks as well.

The hackers maintained the same final payload while changing delivery methods between attacks.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.

The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.

In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.

“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.

The experts managed a number of GitHub repositories related to their malware.

The experts observed compromised accounts at third party organizations sending the MuddyWater malware, in one case, the attackers sent a malicious document which appears nearly identical to a legitimate attachment which PaloAlto observed later being sent to the same recipient.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.

MuddyWater

According to Palo Alto Networks, past attribution of the attacks were wrong, the group in not financially motivated as previously thought, instead it politically motivated.

Threat actors might have planted a false flag to make hard the attribution.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – MuddyWater , APT)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT Cyberespionage Middle East MuddyWater

you might also like

Pierluigi Paganini June 23, 2025
McLaren Health Care data breach impacted over 743,000 people
Read more
Pierluigi Paganini June 23, 2025
American steel giant Nucor confirms data breach in May attack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    American steel giant Nucor confirms data breach in May attack

    Data Breach / June 23, 2025

    The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

    Cyber Crime / June 23, 2025

    Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

    Cyber warfare / June 23, 2025

    Qilin ransomware gang now offers a "Call Lawyer" feature to pressure victims

    Breaking News / June 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT