February 08, 2022

MuddyWater APT Group

Industry: N/A | Level: Tactical | Source: CiscoTalos

Cisco Talos published research on the latest threat activity by MuddyWater, an Iranian APT group that has been attributed to Iran’s Ministry of Intelligence and Security (MOIS). The group has been targeting users in Turkey with malicious PDFs, Office documents and Windows executables to establish initial access. Like most threat actors, it leverages living-off-the-land binaries (LoLBins) to evade detection, with prominent use of VBS scripts and DLLs. Upon execution of the malicious document, persistence is established through registry key modifications, and the group has incorporated canarytokens into its attack scheme. In the VBA code, HTTP requests are made to canarytokens[.]com, which notifies the token’s developer when an “object was opened.” The tokens can serve several purposes in the attack, such as tracking code execution, acting as an anti-analysis method through “timing checks,” and gating payload delivery: “the server that hosts the final payload may only deliver if it first receives two almost simultaneous requests to the token.”

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Wscript/Cscript Execution
    • New AutoRun Registry Key
    • Suspicious Registry Key Created
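The use cases above map to three observable behaviours from the summary: an Office application spawning a script host, a new Run/RunOnce autostart value, and an Office process resolving canarytokens[.]com. The following is an added example (not Anvilogic's or Cisco Talos's code) of that detection logic run over constructed Sysmon-style events; the field names, the sample file paths and the `example.canarytokens.com` hostname are assumptions made for illustration, and the scenario helper correlates the individual hits into the "Malicious Document Delivering Malware" chain.

```python
"""Detection logic for the MuddyWater-style behaviours summarised above,
run over constructed (not real) Sysmon-like events.  Added example; field
names and sample values are assumptions, not data from the report."""
import re

# Constructed sample events.  Shape loosely follows Sysmon event IDs:
# 1 = process create, 13 = registry value set, 22 = DNS query.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n report.docm"},
    {"id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"id": 13, "host": "ws01",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"id": 22, "host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "query": "example.canarytokens.com"},
    # Benign noise that the rules must not flag.
    {"id": 1, "host": "ws02",
     "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "cscript.exe logon.vbs"},
    {"id": 13, "host": "ws02",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Vendor\Settings\Path",
     "details": r"C:\Program Files\Vendor"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Run / RunOnce autostart locations under either hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# canarytokens.com itself or any subdomain of it.
CANARY_RE = re.compile(r"(^|\.)canarytokens\.com$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule_name, evidence) tuples for every matching event."""
    alerts = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in SCRIPT_HOSTS \
                and basename(e["parent"]) in OFFICE_APPS:
            alerts.append((e["host"], "office_spawns_script_host", e["cmdline"]))
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            alerts.append((e["host"], "new_autorun_registry_key", e["target"]))
        elif e["id"] == 22 and basename(e["image"]) in OFFICE_APPS \
                and CANARY_RE.search(e["query"]):
            alerts.append((e["host"], "office_canarytoken_dns", e["query"]))
    return alerts


def scenario_hosts(alerts):
    """Hosts where the document-execution chain is complete: an Office app
    launched a script host AND an autorun value was written on the same host.
    The canary DNS hit is supporting evidence, not a requirement."""
    rules_by_host = {}
    for host, rule, _ in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    needed = {"office_spawns_script_host", "new_autorun_registry_key"}
    return sorted(h for h, rules in rules_by_host.items() if needed <= rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("scenario fired on:", scenario_hosts(hits))
```

The per-event rules are deliberately narrow (script host must have an Office parent; DNS rule requires an Office image) so that routine logon scripts and installer registry writes do not fire, while the scenario helper only escalates when two of the stages land on the same host.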