Story image

'MuddyWater' threat campaign targeting Central Asia & Middle East

15 Mar 18

A resurgence of last year’s ‘MuddyWater’ threat campaign may be targeting organizations in Pakistan, Turkey and Tajikistan as part of a round of espionage activities

Trend Micro researcher Jaromir Horejsi posted a blog about the attacks this week. In it he claims that the latest campaigns bear similarities to last year’s activities.

In 2017 the MuddyWater campaign used decoy documents such mimicking government organisations including the NSA. The targeted countries included India, Pakistan, Georgia, Iraq, Israel, Saudi Arabia, Turkey, the United Arab Emirates and the United States.

It dropped both Visual Basic files and PowerShell files in order to gain backdoor access to their targets.

This year’s campaign uses decoy documents to mimic government organizations including the Ministry of Internal Affairs of the Republic of Tajikistan. The infection process uses both Visual Basic and PowerShell file droppers; and in both cases hacked websites are used as proxies.

“Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,”Horejsi says.

Trend Micro research found that one of the latest delivery documents uses text and filenames in the Tajik language. This is to target people working for government organizations and telecommunications firms in Tajikistan.

Another document is designed to look like a dissatisfaction form sent to telecommunications companies.

“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked. There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same,” Horejsi explains.

The enclosed backdoor collects the infected machine’s IP address, operating system name, architecture domain, network adapter configuration, and the username.

Attackers may be monitoring infected machines’ incoming connections to their command & control server – evident by personalized messaging in some cases.

“Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing,” Horejsi notes.

“Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.”

Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).