sb-as logo
Story image

'MuddyWater' threat campaign targeting Central Asia & Middle East

15 Mar 2018

A resurgence of last year’s ‘MuddyWater’ threat campaign may be targeting organizations in Pakistan, Turkey and Tajikistan as part of a round of espionage activities

Trend Micro researcher Jaromir Horejsi posted a blog about the attacks this week. In it he claims that the latest campaigns bear similarities to last year’s activities.

In 2017 the MuddyWater campaign used decoy documents such mimicking government organisations including the NSA. The targeted countries included India, Pakistan, Georgia, Iraq, Israel, Saudi Arabia, Turkey, the United Arab Emirates and the United States.

It dropped both Visual Basic files and PowerShell files in order to gain backdoor access to their targets.

This year’s campaign uses decoy documents to mimic government organizations including the Ministry of Internal Affairs of the Republic of Tajikistan. The infection process uses both Visual Basic and PowerShell file droppers; and in both cases hacked websites are used as proxies.

“Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,”Horejsi says.

Trend Micro research found that one of the latest delivery documents uses text and filenames in the Tajik language. This is to target people working for government organizations and telecommunications firms in Tajikistan.

Another document is designed to look like a dissatisfaction form sent to telecommunications companies.

“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked. There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same,” Horejsi explains.

The enclosed backdoor collects the infected machine’s IP address, operating system name, architecture domain, network adapter configuration, and the username.

Attackers may be monitoring infected machines’ incoming connections to their command & control server – evident by personalized messaging in some cases.

“Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing,” Horejsi notes.

“Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.”

Story image
Why organisations should wise up to the DDoS extortion trend
While it is essential to have a DDoS mitigation solution in place, it’s also important to test that it works as expected, writes NCC Group director of technical security consulting for Asia Pacific Tim Dillon.More
Story image
Gigamon and Zscaler release cloud-first network detection for fluid workforces
“Our customers have significantly accelerated their digital transformation journeys during the pandemic, and this integration will help them better respond to threats.”More
Story image
The rising threat of human-controlled ransomware
Until recently, most ransomware attacks have been automated affairs. But things are changing, writes Attivo Networks regional director for A/NZ Jim Cook.More
Story image
Why zero trust could fail due to lack of understanding​, not technology
Security architects are being forced to re-examine the concept of identity, with many turning to a zero trust security model to provide a better architecture for protecting their sensitive resources.More
Story image
Experiencing ransomware significantly impacts cybersecurity approach
"The survey findings illustrate clearly the impact of these near-impossible demands. Among other things, those hit by ransomware were found to have severely undermined confidence in their own cyber threat awareness."More
Story image
Google Cloud observes spike in DDoS volumes in last two years
Google Cloud has seen an ‘exponential’ rise in distributed denial of service (DDoS) attacks over the past decade, but the biggest attacks have only occurred in the past couple of years.More