Cybercriminals deployed SloughRAT to attack Turkish and Arabian firms

March 15, 2022
Cybercriminals SloughRAT Cyberattack Turkey Arabia Phishing MuddyWater Threat Group Ransomware

The Arabian Peninsula and Turkey have recently been targeted with SloughRAT attacks on compromised networks allegedly from an Iranian state-sponsored threat group called MuddyWater.

The MuddyWater threat group uses illegal access to conduct ransomware attacks, malware deployment, and intellectual property theft against enterprises. Since its first appearance in 2017, the threat group has been notorious for its attacks against sectors that aid Iran in advancing its national and geopolitical security objectives.

Experts added that the threat group is an organization linked by several teams working independently instead of as a group.


The most recent attack campaign launched by the MuddyWater threat group involves the deployment of the SloughRAT (remote access trojan) on victims’ compromised networks, delivered through phishing messages.


Based on studies, SloughRAT can execute arbitrary code and commands from its C2 servers upon deployment. With the help of a maldoc or an Excel file injected with a malicious macro, an infection chain will begin and will drop two Windows Script Files on the targeted network.

Additionally, two more script-based implants are found by researchers, with one written in Visual Basic and one written in JavaScript. These two implants are created to download and launch malicious commands inside the compromised host.

The recent attacks continue a campaign last November 2021, targeting private entities and government firms from Turkey using a PowerShell-based backdoor to infiltrate sensitive data. Experts believe that these campaigns are distinct yet related to one another, under clusters of activity, since they have leveraged a TTP-sharing paradigm and have coordinated operational teams.

Between December 2021 and January 2022, the threat actors have performed scheduled tasks to recover VBS-based infected downloaders to execute payloads retrieved from a remote server. Afterward, the results are sent back to the C2 server.

Cybersecurity experts concluded that even if the threat group has shared common attack techniques, each deployed campaign also shows differences and individualities with how they are performed. Hence, underneath the MuddyWater threat group’s umbrella reveals separate sub-teams that share similar tactics in executing attacks.

About the author

Leave a Reply