USCYBERCOM: MuddyWater APT is linked to Iran’s MOIS intelligence
US Cyber Command (USCYBERCOM) has officially linked the Iran-linked MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).
USCYBERCOM has officially linked the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) to Iran’s Ministry of Intelligence and Security (MOIS).
The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date. The group evolved over the years by adding new attack techniques to its arsenal. Across the years the APT group also has also targeted European and North American nations.
The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors
MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar) or alternatively MOIS.
“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM said.”
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
Collaboration between the #FBI and @CNMF_CyberAlert through the National Cyber Investigative Joint Task Force (NCIJTF) is key to detecting network compromises, mitigating computer intrusions, and preventing malicious Iranian cyber activities. #CyberIsATeamSport https://t.co/Y7QsTgHHZb
— FBI (@FBI) January 12, 2022
US USCYBERCOM uploaded new samples belonging to the group to Virus Total, along with JavaScript files used to establish connections back to attackers’ infrastructure.
The samples include multiple variants of PowGoop loader, JavaScripts deployed using the PowGoop and a Mori backdoor sample.
“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. https://twitter.com/CNMF_CyberAlert #MOIS_MuddyWater” states the CYBERCOM Malware Alert.
Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: https://t.co/xTI6xuQOg3. Attributed through @NCIJTF @FBI
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) January 12, 2022
Researchers from SentinelOne analyzed some tools in the arsenal of the group that were also shared by the US USCYBERCOM.
The researchers discovered an interesting subset of activity targeting Exchange servers of high-profile organizations. The subset of Exchange exploitation activity is interesting because it is difficult to attribute it to MuddyWater due to the use of publicly available offensive security tools.
The attackers attempt to exploit Exchange servers using two different tools:
- A publicly available script for exploiting CVE-2020-0688 (T1190)
- Ruler – an open source Exchange exploitation framework
“Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.” reads the analysis published by SentinelOne. “This is observed through the three distinct activities observed and analyzed in this report: The evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations.”
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.