Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries, which it believes are the work of APT groups operating under the MuddyWater umbrella; United States Cyber Command recently linked these groups to Iran's Ministry of Intelligence and Security (MOIS). The campaigns primarily use malicious documents (maldocs) to distribute downloaders and RATs written in a variety of scripting languages such as PowerShell, Visual Basic, and JavaScript.
MuddyWater, an Iranian state-sponsored threat actor, has been linked to a new wave of attacks aimed at Turkey and the Arabian Peninsula, with the goal of deploying remote access trojans (RATs) on compromised systems. MuddyWater is considered to be a "conglomerate of multiple teams operating independently rather than a single threat actor group," making it an umbrella actor similar to Winnti, a China-based advanced persistent threat (APT).
Another new campaign targeting the Arabian Peninsula employs a WSF-based RAT that Talos has dubbed "SloughRAT," which CISA identified as an implant called "Canopy". The campaigns serve several objectives:
- Espionage: Collecting information on adversaries or regional partners that can benefit Iran by helping to advance its political, economic, or national security interests.
- Intellectual property theft: Stealing intellectual property and other proprietary information can benefit Iran in a variety of ways, including helping Iranian businesses against their competitors, influencing economic policy decisions at the state level, or informing government-related research and design efforts, among others. These campaigns target private and government entities, such as universities, think tanks, federal agencies, and various industry verticals.
- Ransomware attacks: MuddyWater has previously attempted to deploy ransomware, such as Thanos, on victim networks to either destroy evidence of their intrusions or disrupt operations.
The hacking team’s most recent campaigns involve the use of malware-laced documents delivered through phishing messages to deploy a remote access trojan known as SloughRAT (aka Canopy by CISA), which is capable of executing arbitrary code and commands received from its command-and-control (C2) servers.
In a second, partial attack sequence observed by Cisco Talos between December 2021 and January 2022, the adversary set up scheduled tasks that retrieve VBS-based malicious downloaders, which in turn execute payloads fetched from a remote server. The output of the executed command is then exfiltrated back to the C2 server.
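One defensive check that follows from the chain described above (a scheduled task launching a VBS/WSF downloader from a user-writable path): the added example below is not code from Talos or this article. It runs two simple rules over constructed, Sysmon-style process-creation events; the field names, the directory list and the parent-process assumption (task actions run under svchost.exe or taskeng.exe) are assumptions to tune per environment.

```python
import re

# Script hosts a VBS/WSF/JS downloader would be run with.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsf|js|jse)\b", re.IGNORECASE)
# User-writable drop locations (assumption: adjust to your estate).
SUSPICIOUS_DIRS = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Assumption: the Task Scheduler launches task actions under these parents.
TASK_PARENTS = ("svchost.exe", "taskeng.exe")

# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "wscript.exe C:\Users\Public\upd.vbs"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\upd.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\install.wsf"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "Backup"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names one process-creation event trips (empty list = nothing flagged)."""
    image, cmd, parent = basename(event["Image"]), event["CommandLine"], basename(event["ParentImage"])
    reasons = []
    # Rule 1: a task is being created whose action is a script host running a script file.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        if any(h in cmd.lower() for h in SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd):
            reasons.append("schtasks /create with script-host action")
    # Rule 2: a script host running a script, either spawned by the scheduler or from a drop path.
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        if parent in TASK_PARENTS:
            reasons.append("script host launched by task scheduler")
        if SUSPICIOUS_DIRS.search(cmd):
            reasons.append("script in user-writable directory")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that trips at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], why)
```

Only the task-creation event and the scheduler-spawned wscript.exe from C:\Users\Public are flagged; the vendor installer's .wsf under Program Files is not.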
Finally, the researchers concluded: "The similarities in the operators' tactics and techniques have raised the possibility that these attacks are 'distinct, yet related, clusters of activity.' While they share certain techniques, these campaigns also denote individuality in the way they were carried out, indicating the existence of multiple sub-teams under the MuddyWater umbrella."
Indicators of Compromise