MuddyWater Now Targets Turkey

A previously undocumented malware campaign undertaken by the Iranian MuddyWater APT group targeting Turkish private organizations and institutions in to limelight now.

This campaign uses malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell downloaders acting as initial intrusion into the victims enterprise.

Advertisements

The intrusions, were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK), using weaponized Excel documents and PDF files hosted on attacker-controlled websites & servers which masqueraded as legitimate documents from the Turkish Health and Interior Ministries, the malicious macros embedded in them were executed to propagate the infection chain and drop PowerShell scripts to the compromised system.

A new addition to the group’s arsenal TTPs is the use of canary tokens in the macro code, a mechanism the researchers suspect is being used to track successful infection of targets, thwart analysis, and detect if the payload servers are being blocked at the other end.

The PowerShell script subsequently downloads and executes the next payload, also a PowerShell script that resides in the metadata of the maldoc, which, in turn, acts as the downloader for a third, unidentified PowerShell code that’s ultimately run on the infected endpoint.

Two variants of the infection chain found, raising the possibility that MuddyWater may have engaged in multiple attacks as part of one long continuous campaign.

With new techniques such as canary tokens used to track successful infection of targets, MuddyWater has proven their adaptability and unwillingness to refrain themselves from attacking other nations.

IPS

137.74.131[.]16
185.118.167[.]120
185.118.164[.]165
185.118.164[.]195
185.118.164[.]213
149.202.242[.]84
5.199.133[.]149
88.119.170[.]124
185.118.164[.]165
7.236.212[.]22
172.245.81[.]135
185.141.27[.]211

URLS

hxxp://185.118.167[.]120/
hxxp://137.74.131[.]16:443/
hxxp://185.141.27[.]211:443/
hxxp://149.202.242[.]84:443/
hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/ef4f0d9af47d737076923cfccfe01ba7/layer.jpg
hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg
hxxps://snapfile[.]org/d/c7817a35554e88572b7b
hxxps://snapfile[.]org/d/0c88a47c3160338bbb68
hxxp://snapfile[.]org/756a12c43a0fb8d56fbf
hxxps://snapfile[.]org/5bc3985cf17565a97dbd
hxxps://snapfile[.]org/55e1c83e920bb7dc949c
hxxp://canarytokens[.]com/about/d3g23n4gdcrep20q3wzm153xn/index.html
hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/
hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp