US Cyber Command Links ‘MuddyWater’ Hacking Group to Iranian Intelligence

Comando cibernético de EE. UU. News

The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater’s ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.

“MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM’s Cyber National Mission Force (CNMF) said in a statement. “These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. “

The hacking effort was described by the agency as an element subordinate to the Iranian Ministry of Intelligence and Security MOIS (MOIS). This confirms earlier reports regarding the provenance of the nation-state actor.

Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, MuddyWater is known for its attacks primarily directed against a wide gamut of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East. The group is believed to have been active at least since 2017.

Recent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as ScreenConnect and Remote Utilities to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.

Last month, Symantec’s Threat Hunter Team publicized findings about a new wave of hacking activities unleashed by the Muddywater group against a string of telecom operators and IT companies throughout the Middle East and Asia during the previous six months using a blend of legitimate tools, publicly available malware, and living-off-the-land (LotL) methods.

Also incorporated into its toolset is a backdoor named Mori and a piece of malware called PowGoop, a DLL loader designed to decrypt and run a PowerShell-based script that establishes network communications with a remote server.

Malware samples attributed to the advanced persistent threat (APT) have been made available on the VirusTotal malware aggregation repository, which can be accessed here.

“Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques,” SentinelOne researcher Amitai Ben Shushan Ehrlich said. The group is still using publicly accessible offensive security tools but has refined its toolset to use new methods to avoid detection. “

Rate author