Thursday, October 23, 2025

Iranian hackers targeted over 100 govt orgs with Phoenix backdoor

State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.

The threat actor is also known as Static Kitten, Mercury, and Seedworm, and it typically targets government and private organizations in the Middle East region.

Starting August 19, the hackers launched a phishing campaign from a compromised account that they accessed through the NordVPN service.

The emails were sent to numerous government and international organizations in the Middle East and North Africa, cybersecurity company Group-IB says in a report today.

According to the researchers, the threat actor took down the server and the server-side command-and-control (C2) component on August 24, likely indicating a new stage of the attack that relied on other tools and malware to gather information from compromised systems.

Most of the targets of this MuddyWater campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates.

Targets in the latest MuddyWater campaign
Source: Group-IB

Back to macro attacks

Group-IB’s analysis revealed that MuddyWater used emails with malicious Word documents containing macro code that decoded the FakeUpdate malware loader and wrote it to disk.

The emails attach malicious Word documents that instruct recipients to “enable content” in Microsoft Office. This action triggers a VBA macro that writes the ‘FakeUpdate’ malware loader to disk.

It’s unclear what prompted MuddyWater to deliver malware via macro code hidden in Office documents, as the technique was popular several years ago, when macros ran automatically upon opening a document.

Since Microsoft disabled macros by default, threat actors have moved to other methods, a more recent one being ClickFix, also used by MuddyWater in past campaigns.

Group-IB researchers say that the loader in MuddyWater’s more recent attacks decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload.

The malware is written to ‘C:\ProgramData\sysprocupdate.exe’ and establishes persistence by modifying the Windows Registry entry that holds configuration for the current user, including the application that should run as the shell after the user logs into the system.
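One way a defender can hunt for the two persistence artifacts described above. This is an added PowerShell example, not code from the article or from Group-IB; it assumes the per-user shell setting is the Winlogon\Shell value under each user's registry hive (a real value, though the article does not name the key) and uses the drop path quoted in the article as a fixed string.

```powershell
# Added hunt script (not from the Group-IB report). Assumptions: the per-user
# "shell after login" setting is HKCU\...\Winlogon\Shell, and the drop path is
# exactly the one quoted in the article.
$DropPath = 'C:\ProgramData\sysprocupdate.exe'
$ShellKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

$findings = @()

# 1. Dropped file: record presence and a SHA-256 for triage (the article
#    publishes no file hash, so nothing is compared against a known value).
if (Test-Path -LiteralPath $DropPath) {
    $findings += [pscustomobject]@{
        Type   = 'DroppedFile'
        Where  = $DropPath
        Detail = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    }
}

# 2. Per-user Winlogon Shell override: walk every loaded user hive, not only the
#    hive of the account running this script, since the value is set for the
#    victim user. The system default lives in HKLM and is explorer.exe; a Shell
#    value inside a user hive is unusual on its own.
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $key   = "Registry::HKEY_USERS\$($_.PSChildName)\$ShellKey"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -notmatch '^explorer\.exe$') {
            $findings += [pscustomobject]@{
                Type   = 'UserShellOverride'
                Where  = $key
                Detail = $shell
            }
        }
    }

if ($findings.Count -eq 0) { 'No Phoenix-style persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it elevated so that every loaded user hive under HKEY_USERS is readable; a hit on either check is a starting point for triage, not proof of compromise.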

Observed attack chain
Source: Group-IB

Phoenix and Chrome stealer

The Phoenix backdoor has been documented in past MuddyWater attacks, and the variant used in this campaign, version 4, includes an additional COM-based persistence mechanism and several functional differences.

Differences between Phoenix version 3 and version 4
Source: Group-IB

The malware gathers information about the system, such as computer name, domain, Windows version, and username, to profile the victim. It connects to its command-and-control (C2) server via WinHTTP and begins to beacon and poll for commands.

Group-IB has confirmed that the following commands are supported in Phoenix v4:

  • 65 — Sleep
  • 68 — Upload file
  • 85 — Download file
  • 67 — Start shell
  • 83 — Update sleep interval time

Another tool MuddyWater used in these attacks is a custom infostealer that attempts to exfiltrate the credential database from the Chrome, Opera, Brave, and Edge browsers, extract the stored credentials, and grab the master key needed to decrypt them.

On MuddyWater’s C2 infrastructure the researchers also found the PDQ utility for software deployment and management, and the Action1 RMM (Remote Monitoring and Management) tool. PDQ has been used in attacks attributed to Iranian hackers.

Group-IB attributes the attacks to MuddyWater with high confidence, based on the use of malware families and macros seen in past campaigns, the use of string decoding methods in the new malware that match previously used families, and the group’s specific targeting patterns.
