Security Experts:

Connect with us

Hi, what are you looking for?



New Cyberespionage Attacks Linked to MuddyWater Campaign

Recent attacks targeting organizations in Turkey, Pakistan and Tajikistan appear to be linked to the previously detailed MuddyWater campaigns, according to Trend Micro.

Recent attacks targeting organizations in Turkey, Pakistan and Tajikistan appear to be linked to the previously detailed MuddyWater campaigns, according to Trend Micro.

The MuddyWater campaigns were named so because of a high level of confusion they managed to create, thus making it difficult to attribute to a specific actor. Artifacts associated with MuddyWater, however, were used in attacks targeting the Saudi Arabian government, in assaults linked to a single attack framework last year, and in incidents attributed to the hacking group FIN7.

Based on the targeted organizations and the focus on gathering of information and upload it to the command and control (C&C) servers, the actors behind these attacks appear mainly focused on espionage activities, Trend Micro says.

The newly observed attacks feature numerous ties to the previously observed MuddyWater campaigns and also show that “the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,” the security firm notes.

Similarities with earlier MuddyWater campaigns include the focus on targets in the Middle East, the use of documents that try to mimic government organizations, the dropping of a Visual Basic file and a Powershell file (the VBS executes the PS), and the use of hundreds of hacked websites as proxies.

Furthermore, the attacks show similar obfuscation processes and internal variables after deobfuscation, Trend Micro says.

Malicious documents targeting individuals working for government organizations and telecommunication companies in Tajikistan use engineering to trick victims into enabling macros. Some of the payloads were embedded inside the document itself, while others were downloaded from the Internet.

After the macros are enabled, the Visual Basic script and PowerShell script, both obfuscated, are dropped in the ProgramData directory. A scheduled task is created with the path to the VBS script to ensure persistence.

As part of other attacks, the second file dropped is a base64 encoded text file that results in the Powershell file after decoding. Another campaign would drop three files: an .sct scriptlet file, an .inf file, and a base64 encoded data file. The first two use publicly available code to bypass applocker.

The PowerShell script is divided into three parts: one contains global variables (paths, encryption keys, a list of gates and hacked websites used as proxies), the second contains functions related to standard RSA encryption, and the third contains a backdoor function.

The backdoor collects machine information, takes screenshots, and sends all data to the C&C. It also includes support for commands such as clean (attempts to delete all items from drives C, D, E, and F), reboot, shutdown, screenshot, and upload. Communication with the C&C is performed via XML messages.

“It seems that the attackers are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: ‘Stop!!! I Kill You Researcher.’ This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server,” Trend Micro explained.

The security researchers also discovered what appears to be a false flag in the PowerShell script. If the communication with the C&C fails and the PowerShell script is run from a command line, error messages written in simplified Mandarin Chinese are displayed. The messages appear machine-translated rather than written by a native speaker, Trend’s researchers point out.

Related: Middle East
‘MuddyWater’ Attacks Difficult to Clear Up

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.