Pierluigi Paganini January 13, 2022

US Cyber Command (USCYBERCOM) has officially linked the Iran-linked MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

USCYBERCOM has officially linked the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) to Iran’s Ministry of Intelligence and Security (MOIS).

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date. The group evolved over the years by adding new attack techniques to its arsenal. Across the years the APT group also has also targeted European and North American nations. 

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors

MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar) or alternatively MOIS.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM said.”

“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”

US USCYBERCOM uploaded new samples belonging to the group to Virus Total, along with JavaScript files used to establish connections back to attackers’ infrastructure.

The samples include multiple variants of PowGoop loader, JavaScripts deployed using the PowGoop and a Mori backdoor sample.

“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. https://twitter.com/CNMF_CyberAlert #MOIS_MuddyWater” states the CYBERCOM Malware Alert.

Researchers from SentinelOne analyzed some tools in the arsenal of the group that were also shared by the US USCYBERCOM.

The researchers discovered an interesting subset of activity targeting Exchange servers of high-profile organizations. The subset of Exchange exploitation activity is interesting because it is difficult to attribute it to MuddyWater due to the use of publicly available offensive security tools.
The attackers attempt to exploit Exchange servers using two different tools:

• A publicly available script for exploiting CVE-2020-0688 (T1190)
• Ruler – an open source Exchange exploitation framework

“Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.” reads the analysis published by SentinelOne. “This is observed through the three distinct activities observed and analyzed in this report: The evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]