Monday, February 17, 2025
HomeComputer SecurityCyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia

Cyber Espionage Campaign Possibly “MuddyWater” Targets Middle East and Central Asia

Published on

SIEM as a Service

Follow Us on Google News

A new campaign with the similarities of MuddyWater spotted targetting organizations in Pakistan, Turkey, and Tajikistan. Attackers use various social engineering methods to trick the victims into enabling macros and activate payloads.

Security researchers from TrendMicro spotted the campaign says that “we can assume that there is a connection between these new attacks and the MuddyWater campaign”.

With this campaign, the attacker tries to impersonate government organizations of Tajikistan and the campaign uses similar obfuscation method as like MuddyWater.

In some lure documents payloads were directly embedded inside and some documents contain links that download the malicious payload.

Also Read Active Business Phishing Campaign Targeting Fortune 500 Companies to Steal Financial Assets

MuddyWater

One the payload executes it creates two malicious scripts in the ProgramData directory, obfuscated Visual Basic script(VBS_VALYRIA.DOCT) that executes the obfuscated PowerShell script(TROJ_VALYRIA.PS).

The Obfusticated PowerShell divided into three parts

1. Contains encryption keys and few websites that serve as proxies.
2. Second part the standard RSA encryption.
3. Contains the backdoor function. It communicates with the C&C server and can perform following actions such as clean, reboot, shutdown, screenshot, and upload.

The backdoor collects the infected machine information such as the Operating System name, architecture, domain, network adapter configuration, and username. Communication with C&C server done via XML messages.

Researchers said the attackers “are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: “Stop!!! I Kill You, Researcher.”

MuddyWater

How to stay safe – Business Phishing Campaign

1. Have a unique Email address.
2. Do not open any attachments without proper validation.
3. Don’t open emails voluntary emails.
4. Use Spam filters & Antispam gateways.
5. Never respond to any spam emails.
6. verify the vendor.
7. Implement Two-factor Authentication

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection

Ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR), the period between...

Stealthy Malware in WordPress Sites Enables Remote Code Execution by Hackers

Security researchers have uncovered sophisticated malware targeting WordPress websites, leveraging hidden backdoors to enable...

Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB

A critical security vulnerability in Xerox’s Versalink C7025 Multifunction Printer (MFP) has been uncovered,...

New XCSSET Malware Targets macOS Users Through Infected Xcode Projects

Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware, marking...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...