Iranian APT MuddyWater Targets Turkish Public and Government Entities

The group also utilizes canary tokens and flags to track successful infection of targets.

Cisco Talos has discovered a new malicious campaign by the MuddyWater threat group targeting Turkish public and government entities, including the Scientific and Technological Research Council of Turkey (Tubitak).

According to the technical details, the campaign uses malicious Excel documents (XLS maldocs) and executables hosted on the file-hosting domain "snapfile[.]org", with PDFs serving as the initial infection vector. These PDFs were designed to look like legitimate documents sent by Turkish health officials and other government officials.

"This campaign utilizes malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura reported. 

Known for its attacks in the Middle East, the MuddyWater Advanced Persistent Threat (APT) group, also tracked as Static Kitten, Seedworm and Mercury, has been active since at least 2017. The group has also attacked many entities in Central and Southwest Asia, as well as numerous government and privately owned organizations in Asia, Europe, and North America.

The group also targets the telecommunications, cryptocurrency, oil, and airline industries. Talos has identified the group's typical TTPs: heavy use of scripting in their infection chains, particularly PowerShell and Visual Basic, coupled with frequent use of living-off-the-land binaries (LoLBins).

Additionally, the researchers discovered the use of flags or tokens in these attacks. These flags and tokens serve as signals of a successful infection: they are hidden inside the malicious files or within the email itself, and they notify the group when the target opens the lure and runs the macro embedded in it.

“Canary tokens are tokens that can be embedded in objects like documents, web pages, and emails. When that object is opened, an HTTP request to canarytokens.com is generated, alerting the token’s owner that the object was opened,” the researchers added.
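The beacon described above is observable from the defender's side: a document-handling process making a direct connection to canarytokens.com right after a file is opened. The following Python hunt is an added example, not code from the Talos report or this article; it runs over constructed Sysmon-style network-connection events, and the process list and field names it relies on are assumptions.

```python
"""Hunt for canary-token beacons fired when a lure document is opened.

Added defensive example, not Talos code. Assumes Sysmon Event ID 3
(network connection) records exported as JSON lines with the fields
used below; the sample log lines are constructed for illustration.
"""
import json

# Processes that render lure documents. A direct request from one of them to
# the canary service is the "document opened" signal described in the text.
DOCUMENT_HANDLERS = {"excel.exe", "winword.exe", "powerpnt.exe", "acrord32.exe"}
CANARY_DOMAIN = "canarytokens.com"

# Constructed sample events (Sysmon EID 3 style), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationHostname": "canarytokens.com", "DestinationPort": 443, "User": "CORP\\analyst", "UtcTime": "2022-01-31 09:14:02"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.example.org", "DestinationPort": 443, "User": "CORP\\analyst", "UtcTime": "2022-01-31 09:14:05"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationHostname": "sharepoint.corp.local", "DestinationPort": 443, "User": "CORP\\jdoe", "UtcTime": "2022-01-31 09:20:11"}
{"EventID": 3, "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "DestinationHostname": "abc123.canarytokens.com", "DestinationPort": 80, "User": "CORP\\jdoe", "UtcTime": "2022-01-31 09:21:40"}
"""


def is_canary_host(hostname):
    """True for canarytokens.com itself or any subdomain of it (tokens use subdomains)."""
    host = hostname.lower().rstrip(".")
    return host == CANARY_DOMAIN or host.endswith("." + CANARY_DOMAIN)


def find_canary_beacons(log_text):
    """Return one alert per event where a document handler reached the canary service."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3:
            continue
        # Reduce the full image path to the executable name, case-insensitively.
        image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in DOCUMENT_HANDLERS and is_canary_host(ev.get("DestinationHostname", "")):
            hits.append({"time": ev["UtcTime"], "user": ev["User"],
                         "process": image, "host": ev["DestinationHostname"]})
    return hits


if __name__ == "__main__":
    for hit in find_canary_beacons(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} {hit['process']} -> {hit['host']}")
```

A hit tells you which user opened which lure and when, which is the same information the token's owner received; the browser connection in the sample is ignored because only document handlers are in scope.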

The study said that the campaigns carried out by the threat group aim to achieve three outcomes: espionage, intellectual property theft, and ransomware attacks.