Middle East-linked hacking group is working hard to mask its moves

The group bears a resemblance to MuddyWater.
Server blur

A group that’s been linked to Iranian-based hackers has been working to obfuscate its activities to evade detection, according to new research from Cisco’s Talos researchers.

The hackers, whose attacks are ongoing, are working to avoid host-based signatures and Yara signatures by using a Visual Basic for Applications (VBA) script, PowerShell stager attacks, and a separate command and control server, researchers write in a blog post. In some cases the group, which Talos has dubbed “BlackWater,” has been successful in avoiding detection mechanisms.

Some of the code the group has used in its attacks is the same as that used by a group known as MuddyWater. Talos writes the code was used in attacks against Kurds in Turkey.

This code overlap and the fact that BlackWater and MuddyWater have had similar targets, including those in Turkey, lead Talos researchers to report they have “moderate confidence” that the actors behind BlackWater and Iranian-linked MuddyWater are related.


Jonathan Wrolstad, principal cyber intelligence analyst at Symantec, said he believes this activity is related to MuddyWater, as well.

“Within this set of activity, Symantec identified PowerShell commands and malware tools, such as a tool for stealing browser credentials, that have been used in the past by the MuddyWater group,” Wrolstad told CyberScoop.

Ben Read, a senior manager of cyber-espionage analysis at FireEye, tells CyberScoop that the company is not at the point of directly linking these two groups yet.

“We haven’t linked it to the broader MuddyWater stuff because it does look a little bit different,” Read said. “There’s some overlaps, but not enough for us to say they’re definitely the same group.”

In addition to tracking some of this new activity, FireEye has seen MuddyWater expand its targets, Read tells CyberScoop. While the group, which FireEye calls Zagros, has traditionally targeted Asian countries, the group expanded their targets to oil companies based in Latin America.


“We continue to see traditional MuddyWater and traditional Zagros [activity] ongoing recently as well,” he said. “There’s been a bit of a broadening.”

Based on a sample obtained in April, some of the obfuscating tactics that Talos found include trying to obtain remote access to victims’ machines by installing PowerShell backdoors, a technique that exploits existing management tools on computers. The group is also using an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key.

The PowerShell stager then communicates with an actor-controlled server to use part of a post-exploitation open source framework on GitHub, known as FruityC2, to gain visibility into how their attack is propagating throughout the victims’ machines.

Talos researchers assess that based on how the VBA functions, the group is likely trying to make the backdoors look like red-teaming attempts.

Talos researchers assess that the way the group has been using the FruityC2 script could allow the attackers to see whether someone is investigating their activity. In the past, MuddyWater has threatened security researchers’ lives when they came across the threat group’s command and control server, according to research from TrendMicro.


MuddyWater has worked to conceal its identity before — for instance, the group has used lines of code, “false flags,” borrowed from tools that are typically linked with another country, such as China, for example, and has attempted to imitate Kaspersky Lab in some of its correspondence.

Wrolstad told CyberScoop the methods Talos identifies in its blog post may not be an increase in MuddyWater’s efforts to disguise, but par for the course.

“They work hard to develop new malware tools and evade detection and continue to evolve their operations quickly,” Wrolstad said. “It’s therefore hard to quantify, as obfuscation and change in techniques is standard practice for the group. Their efforts to evolve and evade detection started fast and remain fast.”

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts