Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Turkish Government. Show all posts
Turkish Government
Cyber Attacks Cyber Threats MuddyWater Ransomware Turkish Government

Iranian APT MuddyWater Targets Turkish Public and Government Entities

 

Cisco Talos discovered a brand new malicious campaign of MuddyWater threat group which is targeting Turkish public and Turkish government entities, including the Scientific And Technological Research Council of Turkey — Tubitak. 

According to the technical details, the campaign includes the use of malicious excel documents (XLS maldocs) and executables stored on a file hosting domain "snapfile[.]org", PDFs to serve as the initial infection vector. These PDFs were designed in such a way as to look like legitimate documents sent from the Turkish Health and other officials. 

"This campaign utilizes malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura reported. 

Famous for its attacks in the Middle East region, MuddyWater Advanced Persistent Threat (APT) is also known as Static Kitten, Seedworm, Mercury. The group has been active since at least 2017. However, the group attacked many entities in Central and Southwest Asia, as well as against numerous government and privately-owned organizations from Asia, Europe, and North America. 

Besides, the group also targets telecommunications, cryptocurrency, oil, and airline industries. The cyber research unit has identified that the group uses a typical TTP and there's heavy use of scripting in their infection chains and that they also use languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins). 

Additionally, the unit has also discovered the use of flags or tokens in attacks. These flags and tokens are signals for their successful infection mission. Flags and Tokens are hidden inside the malicious files or within the email itself, and it signals the malicious group when the target opens the bait and runs the macro included within it. 

“Canary tokens are tokens that can be embedded in objects like documents, web pages, and emails. When that object is opened, an HTTP request to canarytokens.com is generated, alerting the token’s owner that the object was opened”, researchers added. 

The study said that the Campaigns carried out by the threat group aim to achieve three outcomes: Espionage, Intellectual property theft, and Ransomware attacks.
Read more »
Subscribe to: Posts (Atom)