Story image

'MuddyWater' threat campaign targeting Central Asia & Middle East

15 Mar 18

A resurgence of last year’s ‘MuddyWater’ threat campaign may be targeting organizations in Pakistan, Turkey and Tajikistan as part of a round of espionage activities

Trend Micro researcher Jaromir Horejsi posted a blog about the attacks this week. In it he claims that the latest campaigns bear similarities to last year’s activities.

In 2017 the MuddyWater campaign used decoy documents such mimicking government organisations including the NSA. The targeted countries included India, Pakistan, Georgia, Iraq, Israel, Saudi Arabia, Turkey, the United Arab Emirates and the United States.

It dropped both Visual Basic files and PowerShell files in order to gain backdoor access to their targets.

This year’s campaign uses decoy documents to mimic government organizations including the Ministry of Internal Affairs of the Republic of Tajikistan. The infection process uses both Visual Basic and PowerShell file droppers; and in both cases hacked websites are used as proxies.

“Given the number of similarities, we can assume that there is a connection between these new attacks and the MuddyWater campaign. It also signifies that the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,”Horejsi says.

Trend Micro research found that one of the latest delivery documents uses text and filenames in the Tajik language. This is to target people working for government organizations and telecommunications firms in Tajikistan.

Another document is designed to look like a dissatisfaction form sent to telecommunications companies.

“Each document uses social engineering to trick potential victims into clicking it to enable the macros and activate the payload. While some of the payloads we observed were embedded inside the document itself, some of the payloads were also downloaded from the internet after the lure was clicked. There is a separate lure with a program key generator written in Java that was bundled with a Java downloader. However, the actual payload is the same,” Horejsi explains.

The enclosed backdoor collects the infected machine’s IP address, operating system name, architecture domain, network adapter configuration, and the username.

Attackers may be monitoring infected machines’ incoming connections to their command & control server – evident by personalized messaging in some cases.

“Users unfamiliar with the various kinds of social engineering techniques might find it difficult to distinguish a legitimate message from a malicious one – thus the need for education on identifying and mitigating phishing attacks – especially if it involves organizations in sensitive industries such as government and manufacturing,” Horejsi notes.

“Context, in this case, is important. Users need to consider why they received an email and avoid clicking on any links or attachments in general until they are certain that they are legitimate.”

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.