Pierluigi Paganini February 01, 2022

The Iran-linked MuddyWater APT group is targeting private Turkish organizations and governmental institutions.

Researchers from Cisco Talos have uncovered a cyber espionage campaign carried out by the Iran-linked MuddyWater APT group  (aka SeedWorm and TEMP.Zagros) and targeting private Turkish organizations and governmental institutions.

The first MuddyWater campaign was observed in late 2017 when targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date. The group evolved over the years by adding new attack techniques to its arsenal. Across the years the APT group also has also targeted European and North American nations. 

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The malware campaign operated by MuddyWater targeting Turkey leverages malicious PDFs and Microsoft Office documents as the initial infection vector. The bait documents are masquerade as legitimate documents from the Turkish Health and Interior Ministries. Upon opening the documents, a malicious PowerShell-based downloader acts as initial footholds into the target’s network.

The PowerShell script downloads and executes the second-stage PowerShell script that resides in the metadata of the weaponized document, which, in turn, downloads a third, unidentified PowerShell code that’s ultimately run on the infected endpoint.

The campaign has been active at least since November 2021, the list of targeted Turkish government entities, includes the Scientific and Technological Research Council of Turkey (TÜBİTAK).

“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise.” reads the analysis published by Cisco Talos. “MuddyWater’s use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command.”

Talos researchers also noticed a novelty in the TTPs of the APT group that is the use of canary tokens in the macro code to track successful infections, evade sandbox-based detection systems, and detect if the payload servers are being blocked at the other end.

Talos researchers also spotted an alternative variant of the attack that employs PDF documents with embedded links pointing to Windows executables instead of weaponized Excel files.

The researchers attribute the attacks to the MuddyWater APT group based on the observed TTPs and significant overlap of its C2 infrastructure with the one used for the recent attacks against Turkey.

Turkish authorities identified some of the C2 IP addresses that were used in previous attacks associated with the APT.

The researchers discovered at least two different versions of the executable that were used in attacks targeting the telecommunications sector in Armenia (June 2021) and Pakistani (August 2021).

“Talos assesses with high confidence that these campaigns are the work of the Iranian state-sponsored threat actor MuddyWater. This assessment is based on both technical indicators and the tactics, techniques, and procedures (TTPs) employed by the threat actor. The infection chains used in the campaigns illustrated in this research bear a close resemblance to those described in Secureworks’ report from 2020. We also have a high-fidelity IOC from a trusted source that was used in a key part of the infection chains. This IOC has also been used in previous MuddyWater campaigns.” concludes the the analysis. “While we cannot disclose additional details at this time due to intelligence sharing sensitivities, we assess that this particular finding is significant enough to justify a high-confidence assessment on attribution.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MuddyWater APT)

[adrotate banner=”5″]

[adrotate banner=”13″]