Select Page

Details have emerged about a previously undocumented malware campaign undertaken by the Iranian MuddyWater advanced persistent threat (APT) group targeting Turkish private organizations and governmental institutions.

“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise,” Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a newly published report.

The development comes as the U.S. Cyber Command, earlier this month, linked the APT to the Iranian Ministry of Intelligence and Security (MOIS).

The intrusions, which are believed to have been orchestrated as recently as November 2021, were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK), using weaponized Excel documents and PDF files hosted on attacker-controlled or media-sharing websites.

These maldocs masqueraded as legitimate documents from the Turkish Health and Interior Ministries, with the attacks starting by executing malicious macros embedded in them to propagate the infection chain and drop PowerShell scripts to the compromised system.

A new addition to the group’s arsenal of tactics, techniques and procedures (TTPs) is the use of canary tokens in the macro code, a mechanism the researchers suspect is being used to track successful infection of targets, thwart analysis, and detect if the payload servers are being blocked at the other end.

images from Hacker News