Cisco Talos links a campaign targeting Turkish private organizations and government bodies to MuddyWater, an Iran-linked APT group, using malicious PDFs, Excel files and Windows executables to drop PowerShell-based downloaders and establish footholds. The operation expands MuddyWater’s TTPs with canary tokens for infection tracking and sandbox evasion, and leverages scripting, LoLBins and registry-based persistence to enable espionage, IP theft or disruptive actions. hashtags #MuddyWater #MERCURY #StaticKitten #Tubitak #CanaryTokens #PowerShell
Key points
- MuddyWater is attributed with high confidence to Iran’s MOIS, conducting campaigns against entities in the USA, Europe, the Middle East and South Asia, with Turkey as a recent target.
- The campaign uses malicious PDFs and Excel documents (maldocs) to deliver initial infections, masquerading as legitimate Turkish ministry documents.
- Infection chains rely on PowerShell-based downloaders and obfuscated scripts, often employing living-off-the-land binaries (LoLBins) to execute payloads.
- Canary tokens are used to signal successful infections and to complicate sandbox analyses, adding anti-analysis measures to the campaign.
- Persistence is achieved via Registry Run keys, and in some variants the attackers use LoLBins (including a DLL) to execute scripts across reboots.
- Two infection chains are observed: maldocs delivering Excel docs/executables and an EXE-based chain that drops a downloader and instrumentor in the user’s directory.
- Targets include Turkish government entities, notably Tubitak, with historical ties to MuddyWater’s broader espionage and IP-theft objectives.
MITRE Techniques
- [T1204.002] User Execution – Malicious File – The campaign uses malicious PDFs and Microsoft Office documents (maldocs) as the initial infection vector. Quote: “…malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector.”
- [T1059.001] PowerShell – The PowerShell-based downloader is used to download and execute the next payload on the infected endpoint. Quote: “The PowerShell script deployed in the attack is meant to download and execute the next stage of PowerShell code that is run on the infected endpoint.”
- [T1059.005] VBScript – A VBScript-based intermediate component executes the PowerShell payload and maintains persistence. Quote: “The VB script’s persistence is set up by creating a malicious Registry Run for the infected user:”
- [T1218] Signed Binary Proxy Execution – Use of LoLBins (e.g., pcwutl.dll) to execute VBScript, including on reboot or re-login. Quote: “In some instances, the attackers make use of a LoLBin DLL called pcwutl.dll, which is part of the operating system, to execute the VBScript on reboot or re-login.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via registry Run keys as part of the infection chain. Quote: “The infection chain instrumented by the VBA macros consist of creating three key artifacts on the infected endpoint: Registry key for persistence.”
- [T1036] Masquerading – The maldocs masquerade as legitimate Turkish government documents (e.g., from the Turkish Health and Interior Ministries). Quote: “These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries.”
- [T1071.001] Web Protocols – Initial contact with hosting servers occurs over HTTP. Quote: “their initial payloads usually use PowerShell and Visual Basic scripting along with LoLBins to assist in the initial stages of the infection.”
- [T1071.004] DNS – DNS is used as part of C2 communications. Quote: “MuddyWater frequently relies on the use of DNS as part of their means to contact the command and control (C2)”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscation is used in newer maldocs to hide code blocks. Quote: “obfuscated PowerShell based downloaders”
- [T1562.001] Impair Defenses – Canary tokens provide anti-analysis and detection-evasion functionality. Quote: “Canary tokens are tokens that can be embedded in objects… When that object is opened, an HTTP request to canarytokens.com is generated.”
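A defender-side detection sketch for the Run-key persistence described above (T1547.001, including the pcwutl.dll LoLBin proxying of T1218), added here as an example and not code from the Talos report. The Sysmon-style registry events are constructed sample data, and the `LaunchApplication` export name is taken from the LOLBAS catalogue rather than from this page.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style "registry value set" (Event ID 13) records, hypothetical
# sample data only. Fields: the process that wrote the value, the key path, the data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"wscript.exe C:\Users\ali\AppData\Roaming\update.vbs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Svc",
     # pcwutl.dll,LaunchApplication is the LOLBAS-catalogued proxy-execution pattern
     "details": r"rundll32.exe pcwutl.dll,LaunchApplication C:\Users\ali\AppData\Roaming\svc.vbs"},
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe --tray"},  # benign installer
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\.exe\b|\.vbs\b", re.I)
PCWUTL_PROXY = re.compile(r"rundll32(\.exe)?\s+pcwutl\.dll", re.I)
SCRIPT_WRITER = re.compile(r"\\(powershell|wscript|cscript|winword|excel)\.exe$", re.I)


def score_run_key_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like script-based Run-key persistence.

    Only Run/RunOnce writes are considered; each matching heuristic adds a reason
    so analysts can see why a hit fired. An empty list means nothing suspicious.
    """
    reasons: List[str] = []
    if not RUN_KEY.search(ev["target"]):
        return reasons
    if SCRIPT_HOST.search(ev["details"]):
        reasons.append("Run value launches a script host or .vbs file")
    if PCWUTL_PROXY.search(ev["details"]):
        reasons.append("Run value proxies execution through pcwutl.dll")
    if SCRIPT_WRITER.search(ev["image"]):
        reasons.append("value written by a scripting or Office process")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious Run-key path to its list of reasons."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = score_run_key_event(ev)
        if reasons:
            hits[ev["target"]] = reasons
    return hits


if __name__ == "__main__":
    for key, why in find_suspicious(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(why))
```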
Indicators of Compromise
- [IP] Command and control / delivery – 185.118.167.120, 185.118.164.165
- [IP] Additional C2 / infrastructure – 137.74.131.16, 172.245.81.135, 185.141.27.211
- [Domain] Malicious hosting domains – snapfile.org, canarytokens.com
- [URL] Delivery and C2 endpoints – hxxp://snapfile.org/d/c7817a35554e88572b7b, hxxp://172.245.81.135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg
- [URL] Canary token pages – hxxp://canarytokens.com/about/d3g23n4gdcrep20q3wzm153xn/index.html
- [Hash] Sample malware/loader hashes – 8d6ed63f2ffa053a683810f5f96c76813cdca2e188f16d549e002b2f63cee001, 42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1, d3ecc4137fc9a6d7418b4780864baf64cf7417d7badf463dff6ea48cd455915b
- [File name] Executable indicators – Surec_No_cc2021-pdf377811f-66ad-4397-bd35-3247101e2fda-eta332018.exe
- [URL] Additional observed C2/DNS-related endpoints – hxxp://185.118.167.120/, hxxp://snapfile.org/756a12c43a0fb8d56fbf
Read more: http://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html