Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

By Asheer Malhotra and Vitor Ventura. Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions. Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise. MuddyWater’s use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command. This campaign also utilizes canary tokens to track successful infection of targets, a new addition to this group’s arsenal of tactics, techniques and procedures (TTPs). This specific method of taking advantage of canary tokens in this campaign may also be a measure to evade sandbox based detection systems. A highly motivated threat actor such as MuddyWater can use unauthorized access to conduct espionage, intellectual property theft and deploy ransomware and destructive malware in an enterprise. Executive summary
MuddyWater has conducted various campaigns against entities spread throughout the U.S.A, Europe,

Read More: