The MuddyWater group used new tricks to target countries

December 22, 2022

Iran’s MuddyWater group is currently targeting numerous countries within West Asia and the Middle East with their new spear-phishing cybercriminal campaign.

Based on reports, the ongoing campaign has targeted countries across the Middle East and neighbouring regions, including Jordan, Israel, Iraq, Oman, Tajikistan, Qatar, Armenia, Egypt, Azerbaijan, and the UAE.

The group’s operator is a subordinate element of Iran’s Ministry of Intelligence and Security, which classifies the entity as an Iranian state-sponsored threat group.

The most targeted entities of this state-backed cybercriminal group are the oil, defence, government, and telecommunication sectors.

The MuddyWater group attaches Dropbox links to their phishing baits.

The latest campaign orchestrated by the MuddyWater group is part of its long-running activity built around phishing lures. The new development is the delivery mechanism: the emails carry either a Dropbox link or a file attachment with an embedded URL, both of which lead to a ZIP archive.

Moreover, the group’s messages are distributed to already compromised corporate email accounts, which are bought and sold on underground automated web markets such as Odin, Lufix, Xmina, and Xleet.

The actors were also seen using the Atera Agent, in addition to the legitimate remote-access tools they had already abused, such as RemoteUtilities and ScreenConnect. Analysts assess that they keep switching tools to stay under the radar.

A further study also revealed that the actors are constantly refining the campaign. They have altered their strategy to deliver a remote administration tool called Syncro.

Furthermore, this newly integrated MSP software gives them full control of a targeted machine, which could allow them to deploy additional backdoors, conduct data retrieval, and sell access to other malicious entities.
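The two observable patterns this report describes (Dropbox links to ZIP archives in phishing mail, and the installation of remote administration products such as Atera, Syncro, ScreenConnect and RemoteUtilities on victim machines) are the kind of thing a defender can triage from email and process telemetry. The script below is an added example written for this page, not code from the article or from any of the researchers it cites. It walks a list of constructed events and returns a finding for each lure-style Dropbox link and for each execution event attributed to one of the named RMM products. The Dropbox host names, the event field names (`image`, `description`, `company`, `body`) and the idea of matching on the product name rather than a specific binary name are all assumptions made for illustration; real executable and service names vary by product and version and should come from your own software inventory.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Remote administration products the article says the group deploys.
# Matching on the product name in the image path, file description or
# company field is a simplification for this example (assumption); real
# executable and service names differ per product and version.
RMM_PRODUCTS = ("atera", "syncro", "screenconnect", "remoteutilities")

# Hosts used for Dropbox share and direct-download links (assumed here).
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def dropbox_zip_links(text):
    """Return URLs in `text` that point at a Dropbox host and either name a
    ZIP file or force a direct download (dl=1), the lure shape in the report."""
    hits = []
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        if parts.netloc.lower() not in DROPBOX_HOSTS:
            continue
        forced = parse_qs(parts.query).get("dl") == ["1"]
        if parts.path.lower().endswith(".zip") or forced:
            hits.append(url)
    return hits


def rmm_product(event, sanctioned=()):
    """Return the RMM product an execution event belongs to, or None.
    Products listed in `sanctioned` (your own approved tool) are ignored."""
    fields = ("image", "description", "company")
    haystack = " ".join(str(event.get(k, "")) for k in fields).lower()
    for product in RMM_PRODUCTS:
        if product in haystack and product not in sanctioned:
            return product
    return None


def triage(events, sanctioned=()):
    """Walk mixed email and process events and return one finding per hit."""
    findings = []
    for ev in events:
        if ev.get("type") == "email":
            links = dropbox_zip_links(ev.get("body", ""))
            if links:
                findings.append({"id": ev["id"], "rule": "dropbox-zip-lure",
                                 "detail": links})
        elif ev.get("type") == "process":
            product = rmm_product(ev, sanctioned)
            if product:
                findings.append({"id": ev["id"], "rule": "unsanctioned-rmm",
                                 "detail": product})
    return findings


# Constructed sample events (not real telemetry): one lure email, one benign
# email, one RMM installer execution, one ordinary process.
SAMPLE_EVENTS = [
    {"id": "m1", "type": "email",
     "body": "Please review the tender: "
             "https://www.dropbox.com/s/abc123/tender_docs.zip?dl=1"},
    {"id": "m2", "type": "email",
     "body": "Agenda for Monday is at https://intranet.example/agenda"},
    {"id": "p1", "type": "process",
     "image": r"C:\Users\user\Downloads\setup.exe",
     "description": "Syncro agent installer (constructed)", "company": "Syncro"},
    {"id": "p2", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe",
     "description": "Notepad", "company": "Microsoft Corporation"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Passing your organisation’s own RMM product in `sanctioned` keeps the rule from firing on legitimate administration; the point of the check is that an RMM agent appearing outside that allowlist, especially launched from a user’s download folder, deserves a look regardless of which vendor it came from.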

A researcher explained that a threat group with access to corporate devices through such abilities has unlimited options.

Cybersecurity researchers identified these new MuddyWater tactics while analysing new malware components from an affiliated threat group based in Lebanon.

Finally, the researchers have concluded that the Lebanon-based threat group shares TTPs with the Iranian-sponsored MuddyWater group. Asian and Middle Eastern countries should watch out for phishing attempts from these groups.
