U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

Also tracked as MERCURY, Seedworm, and Static Kitten, MuddyWater was initially detailed in 2017. The threat actor is known for conducting espionage campaigns focused on entities in the Middle East, but has targeted entities in Europe and North America as well.

The hacking group, the military agency notes, employs various open-source tools that allow it to maintain access to compromised networks, and administrators should assume they have been compromised if they identify multiple such tools in their environment.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” CYBERCOM says.

U.S. Cyber Command believes MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of anti-regime activists abroad.

To help network defenders better protect their environments against MuddyWater attacks, CYBERCOM has uploaded 17 malware samples associated with the group’s activities to VirusTotal, including PowGoop samples and variants and a Mori backdoor sample.

First observed in 2020, PowGoop is a downloader that contains a DLL loader, along with a PowerShell-based downloader that decrypts and runs it. The malicious tool was used in attacks against a wide range of entities in the education, government, oil and gas, real estate, telecoms, and technology sectors.

Older than PowGoop and observed in numerous MuddyWater intrusions, the Mori backdoor relies on DNS tunneling for communication with the command and control (C&C) server, and is believed to be employed for espionage purposes.

Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t detected as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Related: U.S. Cyber Command Shares More Russian Malware Samples