Delaware, USA – June 7, 2019 – Iranian APT group conducts cyber espionage campaign targeting organizations in the telecommunication sector and governmental entities in the Middle Eastern and Middle Asian countries. ClearSky researchers observed the latest activity of the MuddyWater group and discovered new tricks used to infect victims. In the arsenal of the group appeared malicious MS Word documents with VBA macros that download Remote Access Trojan disguised as a JPG file. It is noteworthy that for such attacks, adversaries compromise legitimate servers in the country in which their target is located. In addition, the malware used in the attacks was practically undetectable by antivirus solutions. In some cases, the malicious document exploited vulnerability CVE-2017-0199 to infect the system, and a number of decoy documents used both attack vectors to increase the probability of infecting the system.
The group is constantly expanding the used Techniques, Tactics, and Procedures to conduct successful campaigns in the region. In the recent BlackWater campaign, adversaries started using an obfuscated VB macro script and a PowerShell-based trojan. MuddyWater APT belongs to the cyber espionage groups, which usually use social engineering and spear phishing to gain access to victims’ systems, and the appearance of exploits in their arsenal may indicate a further development of this direction. You can study group techniques and tactics, as well as find content for their detection in the MITRE ATT&CK section in Threat Detection Marketplace: https://tdm.socprime.com/att-ck/