United States Cyber Command said on Wednesday that the hacking group known as MuddyWater is linked to Iranian intelligence.
“MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations,” Cyber Command said in a notice.
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”
On Twitter, Cyber Command said MuddyWater was using a suite of malware for espionage and malicious activity, with attribution provided by the FBI National Cyber Investigative Joint Task Force.
“MOIS hacker group MuddyWater is using open-source code for malware,” it said.
“MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic.”
Alongside its notice, MuddyWater malware samples were uploaded to VirusTotal, including the PowGoop DLL side-loader and the Mori backdoor, which uses DNS tunneling.
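Cyber Command's advice to "look for suspicious outbound traffic" is easier to act on with a concrete heuristic. The script below is an added example, not code from the article or from Cyber Command's notice: it scores DNS query logs per registered domain on the traits that DNS tunneling typically leaves (long, high-entropy subdomain labels, almost no repeated subdomains, and a high share of TXT/NULL queries). The log format, the domain names and the thresholds are all constructed for the example and are not indicators from the article.

```python
import math
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <client> <qtype> <qname>" per line.
# All names below are invented for this example; none come from the article.
SAMPLE_DNS_LOG = """\
2022-02-24T10:00:01Z 10.0.0.5 A www.example.com
2022-02-24T10:00:02Z 10.0.0.5 A mail.example.com
2022-02-24T10:00:03Z 10.0.0.5 TXT 4a7f9c2e1b3d5e6f8a9b0c1d2e3f4a5b.t1.updates-cdn.test
2022-02-24T10:00:04Z 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t1.updates-cdn.test
2022-02-24T10:00:05Z 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t1.updates-cdn.test
2022-02-24T10:00:06Z 10.0.0.5 TXT 5b4a39281706f5e4d3c2b1a09f8e7d6c.t1.updates-cdn.test
2022-02-24T10:00:07Z 10.0.0.5 TXT c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.t1.updates-cdn.test
2022-02-24T10:00:08Z 10.0.0.5 TXT 7d6c5b4a39281706f5e4d3c2b1a09f8e.t1.updates-cdn.test
2022-02-24T10:00:09Z 10.0.0.7 A static.example.com
2022-02-24T10:00:10Z 10.0.0.7 A cdn.example.com
2022-02-24T10:00:11Z 10.0.0.9 TXT _dmarc.partner-mail.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). A real deployment should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def score_domains(records):
    """Aggregate per registered domain the features that distinguish tunneling."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "txt_null": 0,
                               "len_sum": 0, "ent_sum": 0.0})
    for _, _, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname.endswith(dom) else ""
        s = acc[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["txt_null"] += qtype in ("TXT", "NULL")
        s["len_sum"] += len(sub)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    scores = {}
    for dom, s in acc.items():
        q = s["queries"]
        scores[dom] = {
            "queries": q,
            "avg_sub_len": s["len_sum"] / q,
            "avg_entropy": s["ent_sum"] / q,
            "unique_ratio": len(s["subs"]) / q,
            "txt_null_ratio": s["txt_null"] / q,
        }
    return scores


def flag_tunneling_candidates(records, min_queries=5, min_avg_sub_len=30,
                              min_avg_entropy=3.0, min_unique_ratio=0.8,
                              min_txt_null_ratio=0.5):
    """Domains exceeding every threshold; thresholds are illustrative, tune per network."""
    flagged = []
    for dom, m in score_domains(records).items():
        if (m["queries"] >= min_queries and m["avg_sub_len"] >= min_avg_sub_len
                and m["avg_entropy"] >= min_avg_entropy
                and m["unique_ratio"] >= min_unique_ratio
                and m["txt_null_ratio"] >= min_txt_null_ratio):
            flagged.append((dom, m))
    return sorted(flagged, key=lambda x: -x[1]["queries"])


if __name__ == "__main__":
    for dom, m in flag_tunneling_candidates(parse_log(SAMPLE_DNS_LOG)):
        print(f"{dom}: {m['queries']} queries, avg label len {m['avg_sub_len']:.0f}, "
              f"entropy {m['avg_entropy']:.2f}, TXT/NULL share {m['txt_null_ratio']:.0%}")
```

Requiring all four conditions at once keeps ordinary TXT lookups (SPF, DMARC, service discovery) and long but low-entropy CDN hostnames from tripping the rule; the constructed `_dmarc.partner-mail.test` line is there to show that a TXT query alone is not enough. In production the same features can be computed over a sliding window per client, and the query volume to a single domain per host is often the first thing that stands out.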
“Goopdate.dll uses DLL side-loading to run when the non-malicious executable GoogleUpdate.exe is run. goopdate.dll will then de-obfuscate goopdate.dat, which is a PowerShell script used to de-obfuscate and run config.txt,” Cyber Command said as it detailed one instance of how PowGoop