Undeterred by the reported dumping of its data online, an Iran-linked hacking group has been using malicious documents and files to target telecommunications organizations and impersonate government entities in Iraq, Pakistan, and Tajikistan, researchers said Thursday.
The so-called MuddyWater group has been carrying out attacks in two stages against the targets, according to research published by Israeli company ClearSky Cyber Security. The first stage uses lure documents to exploit a known vulnerability in Microsoft Office that allows for remote code execution. The second stage lets the attackers communicate with hacked servers to download an infected file.
“This is the first time MuddyWater has used these two vectors in conjunction,” ClearSky said in its research, which warned that just three antivirus engines were detecting the malicious documents analyzed.
In one example, a document disguised as a United Nations development plan for Tajikistan was actually packed with malware. The malware was uploaded to VirusTotal, the malware-analysis platform, from Tajikistan, according to ClearSky.
Ohad Zaidenberg, a senior cyber intelligence analyst at ClearSky, said that, based on the indicators of compromise and methods overlapping with other MuddyWater hacking campaigns, ClearSky had “high confidence” that the group was behind the activity, which dates to April. Zaidenberg said he didn’t know whether MuddyWater was successful in breaching its targets.
MuddyWater, whose activity analysts say aligns with Iran’s interests, has been rampant in the last nine months. From September to December 2018, the group compromised 131 victims in 30 organizations all over the map, from Russia to Saudi Arabia to North America, according to cybersecurity company Symantec.
MuddyWater “definitely seems to have a pretty broad mandate and [have been] active,” Ben Read, senior manager of cyber-espionage analysis at FireEye, told CyberScoop. Compromising telecom companies gives the group access to a swathe of data useful for espionage, he added.
In May, MuddyWater hit a potential snag: someone posted images that were reportedly of the group’s source code and command-and-control servers on Telegram, the encrypted messaging service. But that appears to have had little, if any, effect on the group’s operations.
Andrew Thompson, a researcher at FireEye, reflected on why, despite exposure of their hacking tools, some groups don’t change their methods.
While MuddyWater, which the cybersecurity industry also refers to as Temp.Zagros and SeedWorm, cares about avoiding detection, “they don’t seem to worry about the attacks getting linked” together and attributed by researchers, Read said.
The group likely remains active, said Jonathan Wrolstad, principal cyber intelligence analyst at Symantec, “because they have proven to be an effective intelligence collector for their sponsor.”