
A previously undocumented malware campaign by the Iranian MuddyWater APT group targeting Turkish private organizations and government institutions has now come to light.
The campaign uses malicious PDFs, XLS files and Windows executables to deploy PowerShell-based downloaders that serve as the initial intrusion into the victim's enterprise.
The intrusions were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK), using weaponized Excel documents and PDF files hosted on attacker-controlled websites and servers. The files masqueraded as legitimate documents from the Turkish Health and Interior Ministries; once opened, the malicious macros embedded in them executed, propagating the infection chain and dropping PowerShell scripts onto the compromised system.
A new addition to the group's TTPs is the use of canary tokens in the macro code, a mechanism the researchers suspect is used to track successful infections, thwart analysis, and detect whether the payload servers are being blocked at the victim's end.
The dropped PowerShell script downloads and executes the next payload, another PowerShell script that resides in the metadata of the maldoc; that script in turn acts as the downloader for a third, as yet unidentified, PowerShell payload that is ultimately run on the infected endpoint.
Two variants of the infection chain were found, raising the possibility that MuddyWater carried out multiple attacks as part of one long, continuous campaign.
With new techniques such as canary tokens used to track successful infections, MuddyWater has shown its adaptability and its continued willingness to target other nations.
Indicators of Compromise
SHA256
- 8d6ed63f2ffa053a683810f5f96c76813cdca2e188f16d549e002b2f63cee001
- 42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1
- d3ecc4137fc9a6d7418b4780864baf64cf7417d7badf463dff6ea48cd455915b
- 9991b185c9e9732501e0c2bd841e32a4022f0735a0527150bc8e64ac363d409d
- d9de66497ad189d785d7535ab263e92ffad81df20b903c5e1d36859b4ed38b6d
- 5cdc7dd6162a8c791d50f5b2c5136d7ba3bf417104e6096bd4a2b76ea499a2f4
- 26ed7e89b3c5058836252e0a8ed9ec6b58f5f82a2e543bc6a97b3fd17ae3e4ec
- a8701fd6a5eb45e044f8bf150793f4189473dde46e0af8314652f6bf670c0a34
- b726f4dd745891070f2e516d5d4e4f2f1ce0bf3ff685dc3800455383f342e54d
- c9931382f844b61a002f83db1ae475953bbab449529be737df1eee8b3065f6eb
- fcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0
- c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a
- 450302fb71d8e0e30c80f19cfe7fb7801b223754698cac0997eb3a3c8e440a48
- b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
- 921b4520b75fcd0071944a483d738223b222ba101e70f2950fbfbc22afbdb5d0
- d7de68febbbdb72ff820f6554afb464b5c204c434faa6ffe9b4daf6b691d535f
- 8b9be9e4d18c5fc71cd12dbfd60ea41eb88a07497e96faa2ba20fdc929b32c0b
- 7dc49601fa6485c3a2cb1d519794bee004fb7fc0f3b37394a1aef6fceefec0c8
- a69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c
- 63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf
- 6910ddb58aee9a77e7bb9cadef9e6280a9b5b495edf0b6538cf8bdc1db8b1f4c
- d851badfcf3b3a8b4210bdb33948d0d1d918ec6bf0f1f85cbae6bb8feec7cd74
- aa72f1543d4a4e6ecbfc2da0167f5601c5c692bed73243cf01f616bc4af68afe
- 8f255a1f2e17828a5b9205d6991e2c85c3320311da28048785262396cbc568c7
- cddd5514b7ed3d33ff8eaa16b7b71621ced857755246683e0d28c4650ea744bf
- b4d0161ecab5a7847d325c88ce1a4fc2ca2e11fad0b77638b63ae1781c8b5793
- f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285
- 28f2198f811bbd09be31ad51bac49ba0be5e46ebf5c617c49305bb7e274b198c
- 04d6ed9c6d4a37401ad3c586374f169b0aa8d609710bdcf5434d39e0fd4ed9bd
- 69e3a454c191ee38663112cf5358a54cca1229188087ed18e92bc9c59b014912
- dc28b5e878152b5305b8d251019895caa56a7a95a68eccb89a6ecc41da8aadb9
IPs
- 137.74.131[.]16
- 185.118.167[.]120
- 185.118.164[.]165
- 185.118.164[.]195
- 185.118.164[.]213
- 149.202.242[.]84
- 5.199.133[.]149
- 88.119.170[.]124
- 7.236.212[.]22
- 172.245.81[.]135
- 185.141.27[.]211
URLs
- hxxp://185.118.167[.]120/
- hxxp://137.74.131[.]16:443/
- hxxp://185.141.27[.]211:443/
- hxxp://149.202.242[.]84:443/
- hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/ef4f0d9af47d737076923cfccfe01ba7/layer.jpg
- hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg
- hxxps://snapfile[.]org/d/c7817a35554e88572b7b
- hxxps://snapfile[.]org/d/0c88a47c3160338bbb68
- hxxp://snapfile[.]org/756a12c43a0fb8d56fbf
- hxxps://snapfile[.]org/5bc3985cf17565a97dbd
- hxxps://snapfile[.]org/55e1c83e920bb7dc949c
- hxxp://canarytokens[.]com/about/d3g23n4gdcrep20q3wzm153xn/index.html
- hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/
- hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp
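As a practical check against the IOC list above, here is an added example (written for this page, not code from Talos or from the report) that refangs the defanged indicators and runs them over a handful of constructed proxy log lines. The log layout (`timestamp client method target status`) and the sample lines are assumptions for the demo; point `LOG_RE` at your own proxy format. Hits on canarytokens.com are classified separately because that domain is Thinkst's public Canarytokens service, which legitimate defenders also use: the exact token URLs from the report are a strong signal that the macro executed on that host, while any other canarytokens.com traffic only warrants a look, not an automatic block.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators, a subset copied from the IOC list on this page.
DEFANGED_IOCS = [
    "137.74.131[.]16",
    "185.118.167[.]120",
    "172.245.81[.]135",
    "hxxp://185.118.167[.]120/",
    "hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg",
    "hxxps://snapfile[.]org/d/c7817a35554e88572b7b",
    "hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp",
]

# Constructed proxy log lines for the demo. The "ts client method target status"
# layout is an assumption; real proxies need their own LOG_RE.
SAMPLE_PROXY_LOG = """\
1642000001 10.0.0.12 GET http://canarytokens.com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp 200
1642000002 10.0.0.12 GET http://172.245.81.135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg 200
1642000003 10.0.0.13 GET https://www.example.com/index.html 200
1642000004 10.0.0.14 GET https://snapfile.org/d/c7817a35554e88572b7b 200
1642000005 10.0.0.15 CONNECT 185.118.167.120:443 200
1642000006 10.0.0.16 GET http://canarytokens.com/about/someothertoken/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)
CANARY_HOST = "canarytokens.com"  # Thinkst's public service; a host hit alone is weak evidence


def refang(ioc: str) -> str:
    """Undo the report's defanging (hxxp -> http, [.] -> .) so IOCs match live logs."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def index_iocs(defanged):
    """Split a defanged IOC list into (exact URLs, hostnames/IPs).

    Trailing slashes are stripped so 'hxxp://1.2.3.4/' equals 'http://1.2.3.4';
    each URL also contributes its host so bare C2 contacts are caught as well.
    """
    urls, hosts = set(), set()
    for raw in defanged:
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc.rstrip("/"))
            hosts.add(urlsplit(ioc).hostname)
        else:
            hosts.add(ioc)
    return urls, hosts


def target_host(target: str) -> str:
    """Host part of a request target: full URL for GET/POST, host:port for CONNECT."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def scan(log_text: str, defanged_iocs):
    """Return (client, verdict, target) for every log line touching an IOC.

    canary-beacon-known-token: exact token URL from the report, macro ran on that host
    canary-beacon-other-token: canarytokens.com with an unknown token, verify manually
    payload-url:               exact payload/download URL from the report
    c2-host:                   contact with a listed IP/domain by any path or via CONNECT
    """
    urls, hosts = index_iocs(defanged_iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        host = target_host(target)
        normalized = target.rstrip("/")
        if host == CANARY_HOST:
            verdict = "canary-beacon-known-token" if normalized in urls else "canary-beacon-other-token"
        elif normalized in urls:
            verdict = "payload-url"
        elif host in hosts:
            verdict = "c2-host"
        else:
            continue
        hits.append((m["client"], verdict, target))
    return hits


if __name__ == "__main__":
    for client, verdict, target in scan(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"{client:<12} {verdict:<26} {target}")
```

Matching exact URLs first and falling back to host-level matches keeps the high-confidence hits (a listed payload path, or the report's own token URL) distinct from the weaker ones (any contact with a listed IP), which is the distinction a SOC analyst needs when triaging. Feed real proxy or DNS logs in by adjusting `LOG_RE`; the refanging and indexing do not depend on the log format.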