Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.
Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
The adversary is supplying the Iranian government with both stolen data and access to compromised networks, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), the National Security Agency (NSA), and the UK’s National Cyber Security Centre (NCSC-UK) said in a joint advisory this week.
[READ: U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence]
MuddyWater has been observed conducting cyberespionage operations against organizations in multiple sectors – including government, defense, telecoms, and oil and natural gas – in Asia, Africa, Europe, and North America.
For initial access to victim environments, the APT employs spear-phishing (ZIP archives containing macro-enabled Excel files or PDF documents are served to the victim), it exploits known vulnerabilities, or employs open-source tools, the joint advisory reads.
Once in, the adversary collects sensitive data and deploys ransomware, while also maintaining persistence on the compromised networks. In some attacks, DLL side-loading is employed to load malware into the processes of legitimate programs.
In recent attacks, the threat actor was observed employing variants of malware families such as Canopy, Mori, PowGoop, PowerStats, and Small Sieve, for backdoor access, payload deployment, data theft, and persistence, the FBI, CISA, CNMF, NCSC-UK, and NSA say.
[READ: Iranian Hackers Using New Backdoor Linked to Memento Ransomware]
In January, the U.S. Cyber Command (CYBERCOM) uploaded to VirusTotal several files associated with the MuddyWater operations, including PowGoop samples and a Mori backdoor sample.
The newly published joint advisory provides technical details on PowGoop, which MuddyWater uses as its main loader, as well as detailed information on the capabilities of other malware families and tools that the APT employs in attacks.
It also details a newly identified PowerShell backdoor associated with the threat actor’s activities. Featuring lightweight functionality, the script relies on the InvokeScript method for the execution of adversary-supplied responses, and uses single-byte Exclusive-OR (XOR) for communication encryption.
Organizations of all types and sizes are advised to review the information associated with MuddyWater and ensure they deploy necessary mitigations to keep their networks secure from this and similar threats.
Related: Wiper Used in Attack on Iran National Media Network
Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign
Related: Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies