{"id":7498,"date":"2022-03-01T09:53:42","date_gmt":"2022-03-01T17:53:42","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7498"},"modified":"2022-03-01T12:58:18","modified_gmt":"2022-03-01T20:58:18","slug":"joint-cybersecurity-advisory-malicious-activity-attributed-to-iranian-government-sponsored-threat-actor-muddywater","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/joint-cybersecurity-advisory-malicious-activity-attributed-to-iranian-government-sponsored-threat-actor-muddywater\/","title":{"rendered":"Joint Cybersecurity Advisory\u2014Malicious Activity Attributed to Iranian Government-Sponsored Threat Actor MuddyWater"},"content":{"rendered":"

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom\u2019s National Cyber Security Centre (NCSCUK) have called out the MuddyWater threat actors and their involvement in cyber espionage and malicious cyber operations. <\/span>MuddyWater<\/span><\/a> is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. Activity from the MuddyWater group was previously linked to <\/span>FIN7<\/span><\/a>, but the group is believed to be a distinct group, possibly motivated by espionage. Per MITRE ATT&CK, MuddyWater is also known to cyber defenders as Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros. The MuddyWater victims are mainly in the telecommunications, government (IT services), and oil sectors. These malicious activities are happening worldwide and have been observed and documented in Asia, Africa, Europe, and North America.\u00a0<\/span><\/p>\n

In the past, MuddyWater relied heavily on spear phishing. Spear phishing uses email communications which are designed to penetrate and compromise the resources of the targeted individual, business, or government agency. The MuddyWater threat actors would send a carefully targeted email to the target organization. Once the target organization\u2019s networks have been successfully penetrated, then MuddyWater moves to steal legitimate documents from the compromised systems. These legitimate documents are, in turn, weaponized and then used to continue further distribution to other victims to produce a cascade of information compromise.<\/span><\/p>\n

MuddyWater creates socially engineered malicious documents which frequently deliver their \u201cPOWERSTATS\u201d as a first stage backdoor. The POWERSTATS backdoor can receive commands from the attackers and then enable a wide variety of malicious activities.\u00a0 MuddyWater has evolved this attack over the years and moved to also deliver second stage executables which are not written in PowerShell.\u00a0<\/span><\/p>\n

MuddyWater threat actors maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs) which can to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command and control (C2) functions.\u00a0<\/span><\/p>\n

The government agencies behind the <\/span>Joint Cybersecurity Advisory<\/span><\/a> have all observed MuddyWater threat actors using various malware variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS as mentioned earlier, along with other tools to support their malicious criminal activity.\u00a0<\/span><\/p>\n

This important <\/span>Joint Cybersecurity Advisory<\/span><\/a> provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. MITRE ATT&CK references are used to help disambiguate the TTPs.<\/span><\/p>\n

The Joint Cybersecurity Advisory recommends mitigations to include:<\/span><\/p>\n