MuddyWater APT

Threat actors from MuddyWater APT groups now add a new set of latest exploits to their hacking arsenal and tactics, techniques and procedures (TTPs) to target government entities and telecommunication sectors.

Iran sponsored MuddyWater group operating by advanced persistent threat actors and this APT group was initially spotted in 2017, they are mainly targeting the middle east and Asia based victims using the variety of malicious components.

In the recent past, researchers from Clear Sky observed that these groups actively targeting the wide range of victims including governmental, military, telecommunication, and academia.

One of the malicious documents that detected with embedded macro drops the payload once the victim opens the files, eventually its exploit the vulnerability CVE-2017-0199, a remote code execution vulnerability that allows attackers to use a flaw that exists within the Windows Object Linking and Embedding (OLE).


Ministry of Intelligence and Security from Iran divided the two branches of hackers team for a different team.

  1. The first team is specialized in hacking the target systems.
  2. Another Team will perform social engineering operation using spearphishing methods.

MuddyWater APT Attack vectors

Based on the recent campaign observation, threat actors attached a malicious file with a spear phishing email that posed as an official document of a UN development plan in Tajikistan.

Once the victims open the file, new VBS files will be created and the file is encoded with multiple VBE, JavaScript, and Base64 layers as same as MuddyWater previous campaign.

The second stage of this malware download from IP address 185.244.149[.]218 then it communicates with several malicious files and drops one of them into victims device.

After victims click the file, an error message will appear, in which, victims required to approve then another error message let victims recover the content of the document.

Meanwhile, malware will try to identify the vulnerability CVE-2017-0199, a Microsoft Office allows remote attackers to execute arbitrary code via a crafted document.

Right after the victim confirms the second error message, the vulnerability will activate, and the Word software will communicate to the C2 server.

According to Clear Sky report, ” The second type of file exploits CVE-2017-0199 vulnerability, but unlike the first file, communication is carried out directly to servers used in previous MuddyWater’s attacks (187.185.25[.]175). We believe that in future attack MuddyWater will adopt vulnerability exploitation as a first stage.”.

The researcher also discovered a RAT file during the command & control server communication and RAT is extracted with a PowerShell script.

This is an initial script which requests the compromised computer to report back to the attacker about processes running on the system. After receiving an indication from the C2 server.

Afterward, it sends dozens of communicates requests to its C2 server in order to receive commands to share the stolen data.

Indicators of Compromise

f5ef4a45e19da1b94c684a6c6d51b86aec622562c45d67cb5aab554f21eb9061 d5b7a5ae4156676b37543a3183df497367429ae2d01ef33ebc357c4bdd9864c3 d77d16c310cce09b872c91ca223b106f4b56572242ff5c4e756572070fac210f 98f0f2c42f703bfbb96de87367866c3cced76d5a8812c4cbc18a2be3da382c95 200c3d027b2d348b0633f8debbbab9f3efc465617727df9e3fdfa6ceac7d191b 951585840a07a6496b0270f1028281fcb65d5b9e9a6ed613ca8809b258ed729f 1dae45ea1f644c0a8e10c962d75fca1cedcfd39a88acef63869b7a5990c1c60b 10157ab25bab7891068538111333a2101b987e930d5deb7bb60ed63cf7ca197d 0a9d295016417b00457d4a031b5c52eea41bcde3465ac517767d8795a6a213eb 20bf83bf516b12d991d38fdc014add8ad5db03907a55303f02d913db261393a9 e2867e2255cad213fcc5752a7062882e92870c57 8d1464e0cac7ea8f37e83fd142212c95db20fe77 4fe389bc1ea85896b4ebb6fe26aa40a6e3f8e9ca 592f0d9d7185eadab0509fdafdc305ab
hXXp://185[.]185[.]25[.]175/sDownloads/ hXXp://185[.]185[.]25[.]175/upl[.]php

Also Read:

MuddyWater APT’s BlackWater Malware Campaign Install Backdoor on Victims PC to Gain Remote Access & Evade Detection

MuddyWater Malware Attack Launch PowerShell Script to Open Backdoor in Windows PC via MS Word Document

Cyber Espionage Campaign Possibly “MuddyWater” Targets the Middle East and Central Asia

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here