MuddyWater has maintained a long-term infection campaign targeting Middle East countries since late 2020, with recent samples suggesting it may still be active. The campaign centers on compressed attachments containing Word documents with VBA macros that drop a small RAT via a VBScript and communicate with a remote C2 over HTTP, rotating IPs and collecting host information before exfiltrating results. #MuddyWater #IranianRevolutionaryGuard
Keypoints
- MuddyWater has run a long-term infection campaign targeting Middle East countries from late 2020 through at least January 2022, with indications it may still be active.
- The infection chain begins with a compressed file wrapping a malicious Word document that contains VBA macros.
- The macros drop a small RAT by writing an obfuscated VBScript into a file located in the Windows Startup folder or C:\ProgramData, using names like Temp_[3-5 random chars].txt.
- The dropped script runs a recon stage (whoami) and builds a C2 URI using country codes to tailor the target server (e.g., PK, AR, AM, SY, IL, BH, TR, SA, SD, KK).
- Communication with the C2 uses HTTP GET to retrieve commands, rotating IPs if there is no reply, then deobfuscating and executing received commands via WScript.Shell calling cmd.
- Command results are written to a text file and sent back to the C2 with an HTTP POST to getTargetInfo, using a flag value (state) that toggles to indicate success.
- The macro includes an “alternative functionality” that uses WMI to display system information, and the authors warn the tool could be extended to download/drop the next infection stage.
MITRE Techniques
- [T1059.005] Visual Basic – Macros in Word deliver and run a small RAT via a VBS drop; “This infection campaign always starts with a compressed file wrapping a malicious Word document containing VBA macros.”
- [T1547.001] Boot or Logon Autostart Execution – Startup Folder persistence; “write a not-so-much obfuscated VBS script into a file located in C:\ProgramData or the Windows Startup folder.”
- [T1059.003] Windows Command Shell – Command execution via cmd; “to execute commands via cmd.”
- [T1047] Windows Management Instrumentation – System information display via WMI; “the #1, which will use WMI to display the following information about the infected system.”
- [T1033] System Owner/User Discovery – Recon using whoami; “a recon function which executes whoami.”
- [T1071.001] Web Protocols – C2 over HTTP GET/POST; “The connection to the C2 server will use an HTTP GET request …”
- [T1041] Exfiltration Over C2 Channel – Command output sent via POST; “send it to the C2 server” and “The next contact will use the POST HTTP method.”
- [T1027] Obfuscated/Compressed Files and Information – Deobfuscated/deobfuscation snippets in VBScript; “Code snippet from dropped VB Script (Deobfuscated)”.
Indicators of Compromise
- [File Name] context – ورشة عمل تدریبیة.zip, Temp_UFNCR335.vbs, Temp_WNJJ6.vbs, Temp_K40.vbs, مشروع.zip, مشروع.doc
- [File Hash] context – 4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c, ae6dba7da3c8b2787b274c660e0b522ce8ebda89b1864d8a2ac2c9bb2bd4afa6
- [IP Address] context – 185.117.73[.]52, 107.174.68[.]60
Read more: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/