SecurityBrief Asia logo
Story image

'MuddyWater' threat campaign targeting Central Asia & Middle East

15 Mar 2018

A resurgence of last year’s ‘MuddyWater’ threat campaign may be targeting organizations in Pakistan, Turkey and Tajikistan as part of a round of espionage activities

Trend Micro researcher Jaromir Horejsi posted a blog about the attacks this week. In it he claims that the latest campaigns bear similarities to last year’s activities.

In 2017 the MuddyWater campaign used decoy documents such mimicking government organisations including the NSA. The targeted countries included India, Pakistan, Georgia, Iraq, Israel, Saudi Arabia, Turkey, the United Arab Emirates and the United States.

It dropped both Visual Basic files and PowerShell files in order to gain backdoor access to their targets.

This year’s campaign uses decoy documents to mimic government organizations including the Ministry of Internal Affairs of the Republic of Tajikistan. The infection process uses both Visual Basic and PowerShell file droppers; and in both cases hacked websites are used as proxies.

“Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,”Horejsi says.

Trend Micro research found that one of the latest delivery documents uses text and filenames in the Tajik language. This is to target people working for government organizations and telecommunications firms in Tajikistan.

Another document is designed to look like a dissatisfaction form sent to telecommunications companies.

“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked. There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same,” Horejsi explains.

The enclosed backdoor collects the infected machine’s IP address, operating system name, architecture domain, network adapter configuration, and the username.

Attackers may be monitoring infected machines’ incoming connections to their command & control server – evident by personalized messaging in some cases.

“Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing,” Horejsi notes.

“Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.”

Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
Pandemic sees organisations of all sizes and industries invest in CTI
There is opportunity for organisations to better manage their cyber-threat intelligence for greater security and threat intelligence effectiveness by adopting the right tools and processes.More
Story image
Aruba updates edge security platform with SD-WAN capabilities
Aruba’s latest iteration of its Edge Services Platform (ESP) has been quick to make use of HPE’s acquisition of Silver Peak in September last year.More
Link image
Webinar: Securing privileged access to stop attackers in their tracks
Thycotic's immersive webinar will demonstrate how attackers acquire passwords on endpoints and access critical cloud applications — without being detected.More
Story image
Cohesity appoints its very first CISO
In the newly created role, new appointee Brian Spanswick will focus on advancing and optimising IT and security for Cohesity and its customers, the company says.More
Story image
Egnyte ensures greater security across Microsoft 365 with latest integrations
The new integrations are aimed at helping mid-sized organisations prevent data loss, address a growing number of regional privacy regulations, and simplify the overall management of content with minimal administrative overhead.More