MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics
Several countries in the Middle East and Central and West Asia have been identified as targets of a new spear-phishing campaign believed to be linked to the Iranian-backed MuddyWater threat actor.
Simon Kenin, a researcher at Deep Instinct, stated in a technical write-up that the campaign was observed targeting the countries of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
The researchers say that MuddyWater, also known as Boggy Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static Kitten, and TEMP.Zagros, is a division of Iran’s Ministry of Intelligence and Security (MOIS).
The espionage organization has been active since at least 2017, with most of its attacks aimed at the government, the military, and the oil industry.
The current intrusion set uses Dropbox links or document attachments with an embedded URL to a ZIP archive file as phishing lures, which is consistent with MuddyWater’s standard operating procedure.
These emails originate from compromised corporate accounts, which can be purchased on the dark web from webmail shops such as Xleet, Odin, Xmina, and Lufix for between $8 and $25.
While the archive files have previously harbored installers for legitimate tools like ScreenConnect and RemoteUtilities, the actor was observed switching to Atera Agent in July 2022 in a bid to fly under the radar.
But in a further sign that the campaign is being actively maintained and updated, the attack tactics have been tweaked yet again to deliver a different remote administration tool named Syncro.
The integrated MSP software offers a way to completely control a machine, allowing the adversary to conduct reconnaissance, deploy additional backdoors, and even sell access to other actors.
“A threat actor that has access to a corporate machine via such capabilities has nearly limitless options,” Kenin noted.
The findings come as Deep Instinct also uncovered new malware components employed by a Lebanon-based group tracked as Polonium in its attacks aimed exclusively at Israeli entities.
“Polonium is coordinating its operations with multiple tracked actor groups affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling,” Microsoft noted in June 2022.