Ongoing APT Campaign of MuddyWater Group

Delaware, USA – October 12, 2018 — The Muddywater APT group appeared last year, and the first cyber espionage campaigns they conducted against government organizations of Iraq and Saudi Arabia. Now a number of other countries of the Middle East and Europe are in their field of interest. The group conducts a large number of attacks and actively develops infrastructure and the use of techniques. Muddywater APT works continuously to improve their toolkit and researchers from Kaspersky Lab expects their attacks to intensify shortly.

The group uses social engineering in spear-phishing emails persuading users to enable macro. To prevent antivirus solutions from detecting a malicious macro in a document, it is password-protected. After the user enters the password, the macro drops several files into the attacked system and add the registry entry in the current user’s RUN key to execute malicious payload during the next system boot. Malware can bypass whitelisting solutions since it is run using executables from Microsoft that are very likely whitelisted. It supports a number of commands to take screenshots, receive PowerShell code and execute it via legitimate programs or to destroy disk drives and reboot system.

Since the first attacks, the group has significantly complicated its operations. To protect against Muddywater APT campaigns, you need to monitor the use of Powershell or lock PowerShell execution at all. You can also discover several techniques used by the group with free SIEM rules created by Florian Roth and Michael Haag.
The rule to detect a Windows command line executable started from MSHTA: https://tdm.socprime.com/tdm/info/1120/
The rule to discover a suspicious child process of a Windows shell: https://tdm.socprime.com/tdm/info/1014/