Tracking MuddyWater APT's Targeting of the Middle East
Industries: Government, Nuclear | Level: Tactical | Source: Lab52
Lab52 reports on a MuddyWater APT campaign targeting the Middle East between November 2020 and January 2022, which delivered a compressed file containing a malicious Word document that executes VBA macros. Lab52 identifies the targeting and objective of the campaign as "directed against countries such as Pakistan, Kazakhstan, Armenia, Syria, Israel, Bahrain, Turkey, South Africa, Sudan, etc. Many of these countries may be of interest to the alleged Iranian threat actor, as some of them have been involved in recent internal conflicts, are implicated in nuclear energy improvement, or may serve as strategic footholds for the development and influence of Iranian interests in other parts of the world." The macro writes a VBS script to C:\ProgramData or the Windows Startup folder. The script calls CMD to perform discovery and set the target's country code, connects out to the attacker's command and control (C2) server, gathers data from the victim into a text file, and sends the results back to the C2. Lab52 found the observed script to be incomplete and likely still in development by the attacker.
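The chain above (Word macro dropping a .vbs into C:\ProgramData or the Startup folder, a script host launching it, and cmd.exe spawned for discovery) can be matched against process-creation telemetry. The following is an added detection example, not code from Lab52 or Anvilogic; the events are constructed Sysmon-style records and the rule names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 shape); not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\update.vbs"'},
    {"id": "2", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c systeminfo > C:\ProgramData\out.txt"},
    {"id": "3", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"id": "4", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
# Drop locations named in the report: C:\ProgramData and the per-user Startup folder.
SUSPICIOUS_VBS = re.compile(
    r"(?i)(C:\\ProgramData\\|\\Start Menu\\Programs\\Startup\\)[^\"']*\.vbs")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) pairs for events matching the described chain."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # Script host running a .vbs from the report's drop locations.
        if image in SCRIPT_HOSTS and SUSPICIOUS_VBS.search(ev["cmdline"]):
            hits.append((ev["id"], "vbs_from_programdata_or_startup"))
        # Script host launched directly by an Office application (macro execution).
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            hits.append((ev["id"], "script_host_spawned_by_office"))
        # cmd.exe spawned by a script host (the discovery step).
        if image == "cmd.exe" and parent in SCRIPT_HOSTS:
            hits.append((ev["id"], "cmd_spawned_by_script_host"))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 3 (cmd.exe under explorer.exe) produces no hit, which is the baseline the parent-process conditions are meant to separate from the script-host-driven activity.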
- MuddyWater APT - Initial Infection with Malicious Document
Anvilogic Use Cases:
- Compressed File Execution
- Wscript/Cscript Execution
- Suspicious Executable by CMD.exe