MuddyWater, an Iranian state-sponsored threat actor, has been linked to a new wave of attacks aimed at Turkey and the Arabian Peninsula, with the goal of deploying remote access trojans (RATs) on compromised systems. MuddyWater is considered to be a “conglomerate of multiple teams operating independently rather than a single threat actor group,” making it an umbrella actor similar to Winnti, a China-based advanced persistent threat (APT).
Cisco Talos notes that another new campaign targeting the Arabian Peninsula “employs a WSF-based RAT we’ve dubbed ‘SloughRAT,’ which CISA identified as an implant called ‘canopy’.”
- Espionage: Collecting information on adversaries or regional partners that can benefit Iran by helping to advance its political, economic, or national security interests.
- Intellectual property theft: Stealing intellectual property and other proprietary information can benefit Iran in a variety of ways, including helping Iranian businesses against their competitors, influencing economic policy decisions at the state level, or informing government-related research and design efforts, among others. These campaigns target private and government entities, such as universities, think tanks, federal agencies, and various industry verticals.
- Ransomware attacks: MuddyWater has previously attempted to deploy ransomware, such as Thanos, on victim networks to either destroy evidence of their intrusions or disrupt operations.
The group’s most recent campaigns involve malware-laced documents delivered through phishing messages to deploy a remote access trojan known as SloughRAT (tracked by CISA as Canopy), which is capable of executing arbitrary code and commands received from its command-and-control (C2) servers.
In a second, partial attack sequence observed by Cisco Talos between December 2021 and January 2022, the adversary set up scheduled tasks to retrieve VBS-based malicious downloaders, which in turn execute payloads retrieved from a remote server. The output of each executed command is then exfiltrated back to the C2 server.
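To make the scheduled-task/VBS downloader chain concrete from a detection standpoint, here is an added Python example (not from the article or from Cisco Talos) that flags process-creation events matching the three stages described above: a scheduled task whose action runs a script host or script file, a script host executing a script from a user-writable directory, and a script host spawning a command interpreter whose output could be captured for exfiltration. The event field names, rule names, paths and sample events are constructed for illustration and are not indicators from the report.

```python
"""
Added detection example (not from the article or from Cisco Talos).
Flags Sysmon-style process-creation events consistent with the
scheduled task -> VBS downloader -> command execution chain.
All field names, paths and sample events below are constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
TASK_CREATE = re.compile(r"/create\b", re.IGNORECASE)
# Quoted alternative first, so a quoted action with spaces is captured whole.
TASK_ACTION = re.compile(r'/tr\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed field set)."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (rule_name, command_line) findings, in event order."""
    findings = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        cl = ev.command_line

        # Stage 1: a scheduled task whose action is a script host or script file.
        if img == "schtasks.exe" and TASK_CREATE.search(cl):
            m = TASK_ACTION.search(cl)
            action = m.group(1).strip('"') if m else ""
            first = (action.split() or [""])[0]
            if basename(first) in SCRIPT_HOSTS or SCRIPT_EXT.search(action):
                findings.append(("scheduled_task_runs_script", cl))

        # Stage 2: a script host running a script from a user-writable location.
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cl):
            findings.append(("script_host_from_user_writable", cl))

        # Stage 3: a script host spawning a command interpreter.
        if img in SHELLS and parent in SCRIPT_HOSTS:
            findings.append(("script_host_spawned_shell", cl))
    return findings


# Constructed sample events: three malicious-looking stages, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\wscript.exe",
              r'schtasks /create /sc minute /mo 30 /tn Updater /tr "wscript.exe C:\Users\alice\AppData\Roaming\update.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\svchost.exe",
              r"wscript.exe C:\Users\alice\AppData\Roaming\update.vbs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r"cmd.exe /c whoami > C:\Users\alice\AppData\Local\Temp\out.txt"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\cmd.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

if __name__ == "__main__":
    for rule, cmd in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The benign controls matter: a scheduled task that runs a normal executable and a `cscript.exe` invocation of a script under `System32` produce no findings, so the rules key on the combination of script host, user-writable path and task creation rather than on script hosts alone. In a real pipeline the three rule hits would be correlated by host and time window before raising an alert.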
Finally, the researchers concluded: “The similarities in the operators’ tactics and techniques have raised the possibility that these attacks are distinct, yet related, clusters of activity. While they share certain techniques, these campaigns also denote individuality in the way they were carried out, indicating the existence of multiple sub-teams under the MuddyWater umbrella.”
Indicators of Compromise