MuddyWater, an Iranian state-sponsored hacking group, has targeted more than 100 Middle Eastern government entities using the Phoenix backdoor and an evolving set of supporting malware. Its campaigns combined phishing with malicious macros, browser information stealers, and updated malware payloads to gather intelligence from diplomatic missions and government agencies. #MuddyWater #PhoenixBackdoor
Key points
- MuddyWater launched a phishing campaign targeting Middle Eastern government organizations starting August 19.
- The threat actors used malicious Word documents with macros to deploy the FakeUpdate malware loader.
- The Phoenix backdoor version 4 features new persistence mechanisms and command support for system profiling and data exfiltration.
- The attack included the use of browser info stealers targeting Chrome, Opera, Brave, and Edge to extract credentials.
- Group-IB links these activities to MuddyWater based on malware similarities, attack patterns, and targeted organizations.