From Shadows to Spotlight: Iran’s MuddyWater Group Strikes Again
MuddyWater, an Iranian state-aligned advanced persistent threat (APT) group, has been actively spying on an unnamed Middle Eastern government for eight months. The group is also known by various other names, such as APT34, Crambus, Helix Kitten, and OilRig.
The campaign initiated on Feb. 1 with an unknown PowerShell script from a suspicious directory.
MuddyWater employed four custom malware tools in its campaign, three of which were unfamiliar to cybersecurity experts. These include:
- Backdoor.Tokel: Downloads files and executes arbitrary PowerShell commands.
- Trojan.Dirps: Used for PowerShell commands and enumerates files in a directory.
- Infostealer.Clipog: Capable of keylogging, logging processes for keystrokes, and copying clipboard data.
- Backdoor.PowerExchange: This PowerShell tool logs into Microsoft Exchange Servers using hardcoded credentials for command-and-control and monitors emails sent by attackers.
In addition to custom tools, MuddyWater also leveraged two popular open-source hacking tools: Mimikatz and Plink.
The group’s success in evading detection for months can be credited to its choice of tools. Introducing new tools and using legitimate ones does not raise immediate suspicions, making detection challenging.