Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months

The Iranian state-aligned advanced persistent threat (APT) known as MuddyWater used an arsenal of new custom malware tools to spy on an unnamed Middle Eastern government for eight months, in just the latest of its many campaigns in the region.

That's according to Symantec, which describes a, at times, daily effort to steal sensitive government data by MuddyWater, which Symantec tracks as "Crambus." The group is also known variously as APT34, Helix Kitten, and OilRig. 

Despite penetrating a dozen computers, deploying half a dozen different hacking tools, and stealing passwords and files, the campaign managed to stay under the radar, lasting from February until September before being disrupted.

"They accessed quite a broad range of computers on the network, so it seems to be a more general attack, rather than going after anything specific," assesses Dick O'Brien, principal intelligence analyst for Symantec.

MuddyWater's Malware Arsenal

MuddyWater's latest campaign began on Feb. 1, when an unknown PowerShell script was executed from a suspicious directory on a targeted machine.

In the months that followed, the group deployed four custom malware tools, three previously unknown to the cybersecurity community.

First there's Backdoor.Tokel, for downloading files and executing arbitrary PowerShell commands. Trojan.Dirps is also used for PowerShell commands, and enumerating files in a directory. Infostealer.Clipog is, as the name would suggest, infostealer malware capable of keylogging, logging processes where keystrokes are entered, and copying clipboard data.

Finally there's Backdoor.PowerExchange, discovered but not specifically attributed to MuddyWater back in May. The PowerShell-based tool logs into Microsoft Exchange Servers with hardcoded credentials, using them for command-and-control (C2), and monitoring for emails sent by the attackers. Mail with "@@" in the subject line conceal instructions for writing and stealing files, or executing arbitrary PowerShell commands.

Alongside its own weaponry, MuddyWater also utilized two popular open source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities.

According to O'Brien, the group's months long staying power can be attributed to its choice of weaponry:

"If you introduce new tools, and if you're using legitimate tools, there are no automatic red flags. [As an analyst] you kind of have to wait until there's a notification of potentially malicious activity, and start pulling the threads from there."

MuddyWater Is Back

MuddyWater has been around since at least 2014, according to Mandiant. A few years back, though, it was written off. "Crambus was one of those groups that we thought might go away because they were heavily exposed in a leak, seemingly by a former contractor or team member," O'Brien points out.

Now, he adds, "they're definitely back."

Over the years, its spying campaigns have spread throughout most of the Middle East – Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, and the United Arab Emirates (as well as the United States) – touching the financial, energy, telecommunications, chemical, government, and critical infrastructure sectors. The APT has been the subject of US sanctions for its cyber espionage activity; and most recently, that activity has included cyberattacks on Saudi Arabia that featured another fresh malware, known as Menorah; and a supply chain attack on the UAE.