A month after publicly exposing a large suite of tools used by the Iranian government-backed APT team known as MuddyWater, U.S. government security agencies are warning organizations that the group is actively conducting cyber espionage campaigns against critical infrastructure organizations, government agencies, and other targets in North America, Europe, and other regions.
MuddyWater is a group inside the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations. In January, U.S. Cyber Command published a set of 17 separate samples of malware attributed to MuddyWater, including a PowerShell malware loader called PowGoop. That tool was used in a 2020 attack against some organizations in the Middle East that resulted in ransomware deployments. MuddyWater often uses PowGoop and other malware tools as part of DLL-sideloading operations to insert malware into benign files.
In a joint advisory published Thursday, the FBI, Cyber Command’s Cyber National Mission Force, CISA, and the UK’s National Cyber Security Centre warned that MuddyWater is using newer variants of some of these malware tools in its spear phishing campaigns and other operations.
“As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network. MuddyWater actors also use techniques such as side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide C2 functions,” the advisory says.
“Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence, and exfiltration.”
In some cases, MuddyWater attackers are using a newer version of PowGoop as a loader to install a malicious, signed file that is disguised as a Google Update executable. In other cases, the actors use the Canopy/Starwhale malware.
“In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files,” the advisory says.
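The two behaviours the advisory describes, a macro-enabled Excel document launching the script host to run the decoded Windows Script Files, and PowerShell invoked with an obfuscated (Base64-encoded) command line, both leave a trace in process-creation telemetry. The following detection logic is an added example written for this article, not code from the advisory or from CISA. It assumes a simplified, hand-written stand-in for Sysmon Event ID 1 fields (parent image, image, command line); the sample events, file names such as `stage1.wsf`, and the encoded PowerShell payload are constructed for illustration and are not indicators from the advisory.

```python
"""Flag process-creation events consistent with an Office macro launching a
script host, a .wsf file being executed, or Base64-encoded PowerShell.
Added example (not the advisory's code); the record layout is an assumed
simplified stand-in for Sysmon Event ID 1 and the events are constructed."""
import base64
import re
from dataclasses import dataclass

# Office hosts whose child processes rarely have a benign reason to be a
# script interpreter; list is an assumption, extend for your environment.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe"}

# Longest alternative first so "-enc" is not cut short by "-e".
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries a Base64
    -EncodedCommand payload (PowerShell expects UTF-16LE), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the list of rule names an event triggers (empty if none)."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office-spawned-script-host:{parent}->{child}")
    if child in {"wscript.exe", "cscript.exe"} and re.search(r"(?i)\.wsf\b", ev.command_line):
        findings.append("wsf-executed")
    if decode_encoded_command(ev.command_line) is not None:
        findings.append("encoded-powershell")
    return findings


def scan(events):
    """Return (event index, findings) for every event that triggered a rule."""
    hits = []
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample telemetry: one macro-to-WSF chain, one encoded
# PowerShell launch from Explorer, one benign event.
_ENC = base64.b64encode("Write-Host 'test'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\stage1.wsf"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + _ENC),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

The parent-child rule is the durable signal here: the advisory notes the group obfuscates its PowerShell and swaps loaders, but a spreadsheet spawning `wscript.exe` is structural to the macro-to-WSF chain and survives changes to the payload. The encoded-command decoder is included so analysts can see what the obfuscated launch actually ran rather than alerting on the flag alone.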
MuddyWater actors also have the ability to exploit known vulnerabilities, including the Windows Netlogon bug from 2020 and others. The group has been targeting organizations in the defense, energy, and telecommunications industries, along with government agencies, in regions around the world.
“MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” the advisory says.