The Iranian state-sponsored cyber espionage group known as MuddyWater has initiated a sophisticated campaign targeting more than 100 organizations across the Middle East and North Africa (MENA) region. This operation primarily focuses on government entities, including embassies, diplomatic missions, foreign affairs ministries, and consulates, as well as international organizations and telecommunications firms.
Campaign Overview
MuddyWater, also referred to by aliases such as Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017, the group has a history of conducting cyber espionage operations targeting various sectors.
In this latest campaign, MuddyWater exploited a compromised email account to distribute a backdoor known as Phoenix. By accessing the compromised mailbox through NordVPN—a legitimate service misused by the threat actor—the group sent phishing emails that appeared to be authentic correspondence. This tactic significantly increased the likelihood of deceiving recipients into opening malicious attachments.
Attack Methodology
The attack chain involves the distribution of weaponized Microsoft Word documents. When opened, these documents prompt recipients to enable macros to view the content. Once macros are enabled, the document executes malicious Visual Basic for Applications (VBA) code, leading to the deployment of version 4 of the Phoenix backdoor.
The Phoenix backdoor is launched via a loader called FakeUpdate, which is decoded and written to disk by the VBA dropper. The loader contains the Advanced Encryption Standard (AES)-encrypted Phoenix payload. This backdoor offers capabilities such as gathering system information, establishing persistence, launching an interactive shell, and uploading or downloading files.
Command-and-Control Infrastructure
The attacker’s command-and-control (C2) server, identified as 159.198.36[.]115, has been found hosting remote monitoring and management (RMM) utilities and a custom web browser credential stealer targeting browsers like Brave, Google Chrome, Microsoft Edge, and Opera. This suggests the likely use of these tools in the operation. MuddyWater has a history of distributing remote access software via phishing campaigns over the years.
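The chain described in the two sections above (macro-enabled document, VBA dropper writing the FakeUpdate loader to disk, loader contacting the C2) can be turned into a host-level correlation rule. The following detection sketch is an added example, not code from the original report: it runs over constructed, pipe-delimited telemetry records, and all file names, paths and PIDs in the sample are hypothetical; only the C2 address is taken from the report.

```python
import ntpath
from dataclasses import dataclass

C2_ADDRESSES = {"159.198.36.115"}   # C2 named in the report (defanged brackets removed)
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")

@dataclass
class Event:            # one constructed telemetry record: ts|kind|pid|ppid|image|detail
    ts: int
    kind: str           # process (detail=cmdline) | file (detail=path written) | network (detail=ip:port)
    pid: int
    ppid: int
    image: str          # full path of the acting process
    detail: str

def parse_line(line: str) -> Event:
    ts, kind, pid, ppid, image, detail = line.split("|", 5)
    return Event(int(ts), kind, int(pid), int(ppid), image, detail)

def detect(lines: list[str]) -> list[str]:
    # Returns alerts for the Word macro -> dropped loader -> C2 chain, in event order.
    events = [parse_line(l) for l in lines if l.strip()]
    office_pids = {e.pid for e in events if e.kind == "process"
                   and ntpath.basename(e.image).lower() in OFFICE_PROCS}
    dropped: dict[str, int] = {}        # lowercase path of executable written by an Office process
    alerts: list[str] = []
    for e in events:
        if e.kind == "file" and e.pid in office_pids and e.detail.lower().endswith(EXEC_SUFFIXES):
            dropped[e.detail.lower()] = e.pid      # VBA dropper writing the loader to disk
            alerts.append(f"office_wrote_executable pid={e.pid} path={e.detail}")
        elif e.kind == "process" and e.ppid in office_pids:
            alerts.append(f"office_spawned_child pid={e.pid} image={e.image}")
        elif e.kind == "network":
            ip = e.detail.rsplit(":", 1)[0]
            if ip in C2_ADDRESSES:
                alerts.append(f"known_c2_contact pid={e.pid} dst={ip}")
            if e.image.lower() in dropped:         # binary the macro wrote is now beaconing
                alerts.append(f"dropped_binary_beacon pid={e.pid} image={e.image} dst={ip}")
    return alerts

# Constructed sample: file names and paths are hypothetical, only the C2 address is from the report.
SAMPLE_LOG = r"""
1|process|100|50|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\a\Downloads\Invitation.docm
2|file|100|50|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\a\AppData\Roaming\FakeUpdate.exe
3|process|200|100|C:\Users\a\AppData\Roaming\FakeUpdate.exe|
4|network|200|100|C:\Users\a\AppData\Roaming\FakeUpdate.exe|159.198.36.115:443
5|network|300|50|C:\Windows\explorer.exe|93.184.216.34:443
"""
def run_sample() -> list[str]:
    return detect(SAMPLE_LOG.splitlines())
```

The `dropped_binary_beacon` alert is the one that survives a change of C2 address, because it keys on the Office-written binary making any outbound connection rather than on a known indicator.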
Evolution of Tactics
By deploying updated malware variants such as the Phoenix v4 backdoor, the FakeUpdate injector, and custom credential-stealing tools alongside legitimate RMM utilities like PDQ and Action1, MuddyWater has demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence.
Historical Context
MuddyWater’s use of Phoenix was first documented by Group-IB, describing it as a lightweight version of BugSleep, a Python-based implant linked to the group. Two different variants of Phoenix (Version 3 and Version 4) have been detected in the wild, offering capabilities to gather system information, establish persistence, launch an interactive shell, and upload or download files.
In previous campaigns, MuddyWater has been observed using various remote administration tools and command-and-control frameworks. For instance, the group has utilized tools like Atera, N-able’s Advanced Monitoring Agent, and SimpleHelp in their operations. They have also developed custom C2 frameworks such as MuddyC2Go and DarkBeatC2 to enhance their operational capabilities.
Implications and Recommendations
The sophistication and scale of MuddyWater’s latest campaign underscore the persistent threat posed by state-sponsored cyber espionage groups. Organizations, especially those in the MENA region, should remain vigilant and implement robust cybersecurity measures to defend against such threats.