Connect with us

Hi, what are you looking for?



Middle East ‘MuddyWater’ Attacks Difficult to Clear Up

Long-lasting targeted attacks aimed at entities in the Middle East are difficult to attribute despite being analyzed by several researchers, Palo Alto Networks said this week.

Long-lasting targeted attacks aimed at entities in the Middle East are difficult to attribute despite being analyzed by several researchers, Palo Alto Networks said this week.

Dubbed “MuddyWater” by the security firm because of the high level of confusion they have already created, the attacks took place between February and October 2017. The campaign has made use of a variety of malicious documents, and hit targets in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The attacks, researchers say, use a slowly evolving PowerShell-based first stage backdoor named POWERSTATS. The activity related to this threat actor continues despite existing reports, with the only observed changes being related to tools and techniques.

The malicious documents used in these attacks are almost identical to those in recently observed incidents targeting the Saudi Arabian government. Those documents were similar to files previously associated with a series of fileless assaults that Morphisec linked to a single attack framework. Some of these attacks were attributed to the hacking group known as FIN7.

According to a new Palo Alto Networks report, the attacks might have been mistakenly associated with the FIN7 group. A command and control (C&C) server delivering the FIN7-linked DNSMessenger tool was said to have been employed by MuddyWater as well, but there’s no evidence that the latter group ever used the utility, the researchers claim.

Between February and October, the malicious documents associated with the group’s activity had been tailored according to the target regions. They often used the logos of branches of local government in an attempt to trick users into enabling malicious macros.

The delivery method might have changed between attacks, but the final payload remained the same non-public PowerShell backdoor mentioned above. Moreover, the malicious documents used in this campaign shared the same C&C infrastructure and featured similar attributes.

Advertisement. Scroll to continue reading.

“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes. The researchers also published lists of C&C servers, compromised sites, and related files.

Tools used by the group have been well-documented in previous reports, including open-source utilities such as Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more. In some recent attacks, GitHub is used as a hosting site for the POWERSTATS custom backdoor, as the actor controls multiple GitHub repositories, the researchers say.

MuddyWater even compromised accounts at third-party organizations to send their malware. As part of an attack, the malicious document used was nearly identical to a legitimate attachment that the same recipient received later.

“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” the researchers explain.

According to Palo Alto Networks, the reports previously associating this cluster of activity to FIN7 would rather create confusion. The FIN7 group is financially motivated and targets organizations in the restaurant, services and financial sectors, which suggests that the threat actor is unlikely to be tied to espionage-focused attacks in the Middle East.

Malware associated with FIN7 hasn’t been observed in MuddyWater attacks, and the researchers also claim that there might be a mistake in the report linking the attacks to FIN7. However, they also admit that the hackers might have planted a false flag when realizing they were under investigation.

“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers say.

Related: Espionage Attack Uses Scripts for Data Exfiltration

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.