Details about an undocumented campaign of malware by Iran MuddyWater Advanced Persistent Threat (APT), targeting Turkish government institutions, have been revealed.
“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise,” Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a newly published report.
The development comes as the U.S. Cyber Command, earlier this month, linked the APT to the Iranian Ministry of Intelligence and Security (MOIS).
The intrusions, which are believed to have been orchestrated as recently as November 2021, were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TUBITAK), using weaponized Excel documents and PDF files hosted on attacker-controlled or media-sharing websites.
These maldocs masqueraded as legitimate documents from the Turkish Health and Interior Ministries, with the attacks starting by executing malicious macros embedded in them to propagate the infection chain and drop PowerShell scripts to the compromised system.
A new addition to the group’s arsenal of tactics, techniques and procedures (TTPs) is the use of canary tokens in the macro code, a mechanism the researchers suspect is being used to track successful infection of targets, thwart analysis, and detect if the payload servers are being blocked at the other end.
Canary tokens, also known as honeytokens, are identifiers embedded in objects like documents, web pages and emails, which, when opened, triggers an alert in the form of an HTTP request, alerting the operator that the object was accessed.
The PowerShell executes the next payload. This PowerShell script is also located in the metadata for the maldoc. It acts as the downer for another unidentified PowerShell program that will be executed on infected ends.
A second variation of attacks was observed by Talos. The PDF documents with embedded hyperlinks pointed to Windows executables rather than Excel files. This instrumented an infection chain that enabled the PowerShell downloadingers to be deployed.
What’s more, the researchers said they found at least two different versions of the executable delivered by the adversary targeting the telecommunications sector in Armenia in June 2021 and Pakistani entities in August 2021, raising the possibility that MuddyWater may have engaged in multiple attacks as part of one long continuous campaign.
The disclosure also follows the release of a Private Industry Notification (PIN) by the U.S. Federal Bureau of Investigation (FBI) last week, detailing the malicious cyber activities of an Iran-based cyber company named Emennet Pasargad, which was tied to a sophisticated influence campaign orchestrated to interfere in the 2020 presidential elections.
” These actors are extremely capable and motivated to carry out their espionage operations,” said the researcher. MuddyWater’s adaptability to attacking other countries has been proven by new methods such as the canary tokens that track infected targets. “