MuddyWater Also Embraces Bulletproof Hosts and Custom Malware

An Iranian nation-state hacking team is going back to the future with attacks featuring Microsoft Office documents with malicious macros.
MuddyWater attacks typically begin with phishing emails, making the group representative of most Tehran threat actors, which rely heavily on social engineering for initial access.
But researchers from Group-IB say the group has made major changes to its other tools, tactics and procedures, including embracing bulletproof hosting providers and shifting to more custom malware for command-and-control purposes. It’s also returned to one of its long-ago primary weapons: Microsoft macros.
U.S. intelligence agencies attributed MuddyWater in 2022 to Iran’s Ministry of Intelligence and Security, the country’s primary intelligence agency and secret police force. Also known as Earth Vetala, Static Kitten and Mango Sandstorm, MuddyWater has been tied to numerous cyberespionage operations as well as the theft of intellectual property since at least 2017.
Malicious macros are practically a hacker cliché. Attackers have long taken advantage of the miniature applications, powered by Visual Basic for Applications, that can run inside Excel spreadsheets and other Office documents. Microsoft long embraced macros as a user feature, and they remain a cornerstone of automated data analysis and reporting, even if an unsung one. The computing giant has reluctantly increased safeguards around macro usage, blocking them by default starting in July 2022.
That change did appear to force many hackers into shifting away from malicious macros, Proofpoint reported in May 2023. But the announced death of macro hacking is premature, since users can still blow past the security warnings thrown up by Office applications to open and run documents laced with malicious code. Group-IB recommends that companies stop most users from being able to run macros at all and permit only macros that carry a digital signature, “if essential.”
Group-IB said samples of MuddyWater malicious documents obtained from VirusTotal feature decoy content and embedded VBA macros designed to install the Phoenix backdoor.
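The two points above, that the documents carry embedded VBA macros and that Group-IB advises allowing only digitally signed macros, suggest a simple triage step defenders can run on inbound Office attachments before a user ever sees the macro warning. The following is an added example, not code from Group-IB or from the article: it opens an OOXML container (docx/docm/xlsx/xlsm and friends are zip archives), reports whether a `vbaProject.bin` part or a `vbaProject` content type is present, notes whether a `vbaProjectSignature.bin` part accompanies it, and flags a VBA project hiding inside a nominally macro-free extension such as `.docx`. The sample files are constructed in memory with placeholder bytes; the presence of a signature part only means the project carries a signature blob, and validating the signer is a separate step this script does not perform.

```python
"""Triage OOXML Office files for embedded VBA projects (added example, constructed samples)."""
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePath

VBA_PART = "vbaProject.bin"                  # part name Office uses for the VBA project
VBA_SIGNATURE_PART = "vbaProjectSignature.bin"  # present when the VBA project is signed
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office treats as macro-free; a VBA project inside one is a red flag.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


@dataclass
class MacroReport:
    filename: str
    vba_parts: list = field(default_factory=list)
    declares_vba_content_type: bool = False
    has_signature_part: bool = False

    @property
    def has_vba_project(self) -> bool:
        return bool(self.vba_parts) or self.declares_vba_content_type

    @property
    def extension_mismatch(self) -> bool:
        ext = PurePath(self.filename).suffix.lower()
        return self.has_vba_project and ext in MACRO_FREE_EXTENSIONS

    @property
    def verdict(self) -> str:
        if not self.has_vba_project:
            return "no VBA project"
        if self.extension_mismatch:
            return "VBA project inside a macro-free extension (suspicious)"
        if self.has_signature_part:
            return "VBA project with signature part (verify signer before allowing)"
        return "unsigned VBA project (block under a signed-macros-only policy)"


def inspect_ooxml(data: bytes, filename: str) -> MacroReport:
    """Walk the zip container and record VBA-related parts and content types.
    Only OOXML is handled; legacy OLE2 files (.doc/.xls) need a different parser."""
    report = MacroReport(filename=filename)
    try:
        container = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError(f"{filename}: not an OOXML container") from exc
    with container as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base == VBA_PART:
                report.vba_parts.append(name)
            elif base == VBA_SIGNATURE_PART:
                report.has_signature_part = True
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        report.declares_vba_content_type = VBA_CONTENT_TYPE in content_types
    return report


# ---- constructed samples (placeholder bytes, not real documents) ----
CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
CONTENT_TYPES_MACRO = CONTENT_TYPES_PLAIN.replace(
    "</Types>",
    f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>',
)
DOC_XML = "<w:document/>"
FAKE_VBA = b"\xd0\xcf\x11\xe0 placeholder vba project"


def build_sample(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


MACRO_PARTS = {"[Content_Types].xml": CONTENT_TYPES_MACRO,
               "word/document.xml": DOC_XML, "word/vbaProject.bin": FAKE_VBA}
SAMPLES = {
    "report.docx": build_sample({"[Content_Types].xml": CONTENT_TYPES_PLAIN,
                                 "word/document.xml": DOC_XML}),
    "invoice.docm": build_sample(MACRO_PARTS),
    "signed.docm": build_sample({**MACRO_PARTS,
                                 "word/vbaProjectSignature.bin": b"placeholder signature"}),
    "renamed.docx": build_sample(MACRO_PARTS),          # macro project under a .docx name
    "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,  # OLE2 header, not zip
}


def triage_samples() -> dict:
    """Return a filename -> verdict map for every constructed sample."""
    verdicts = {}
    for name, data in SAMPLES.items():
        try:
            verdicts[name] = inspect_ooxml(data, name).verdict
        except ValueError as exc:
            verdicts[name] = str(exc)
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:14s} {verdict}")
```

Run against a mail gateway quarantine directory, the same check turns Group-IB's “signed macros only” advice into a filter: anything with an unsigned VBA project, or a VBA project under a macro-free extension, is held for review, while signed projects go on to signer verification.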
If macros are in again as an initial infection vector for MuddyWater attacks, on the outs is the group’s long-standing use of remote monitoring and management tools.
Over the past two years, hundreds of MuddyWater attacks involved compromising a target’s email account and registering it with an RMM account, with the volume of such attacks peaking in 2024, Group-IB said.
The move away from using RMM tools is notable. As detailed by 360 Threat Intelligence Center, MuddyWater began using “fully signed” and legitimate RMM tools as part of its attack chain in 2020, often by including links in phishing emails designed to trick victims into downloading and executing RMM installers. Legitimate software tied to such efforts has included Atera, N-Able, Remote Utilities, ScreenConnect, SimpleHelp and Syncro. Such software enables attackers to remotely spy on systems, move laterally inside corporate networks and exfiltrate data.
Beyond using RMM software, “the attackers possess a vast arsenal of other malicious programs, including DarkBeatC2, PhonyC2, MuddyC2Go, PowerStats and MoriAgent,” 360 said at the time, adding that these efforts appeared to be “fueled by significant financial resources.”
The resources lately appear to extend to using other types of legitimate services to support and disguise their efforts. “Infrastructure analysis has revealed active use of Amazon Web Services for hosting malicious assets, and Cloudflare services have been leveraged to hide infrastructure fingerprints and impede analysis,” Group-IB said.
The attackers have been using a vast array of other infrastructure, ranging from commercial providers such as DigitalOcean, M247, OVH and SEDO, to bulletproof hosting providers such as Stark Industries, it said.
Bulletproof hosting refers to infrastructure operators that typically operate in jurisdictions that don’t comply with Western takedown requests, and which don’t ask questions about what their customers are doing, thus offering criminals and nation-state groups alike greater anonymity and resilience (see: US Sanctions Aeza Group for Hosting Infostealers, Ransomware).
These strategies help MuddyWater disguise its operations. “Additionally, in some operations, the group intentionally limits the C2 server’s uptime to a few days,” Group-IB said. “This tactic further conceals their infrastructure and hinders efforts to trace their activities.”
Recent attacks have also involved a variety of more sophisticated malware, including the BugSleep backdoor to facilitate file transfers between infected endpoints and C2 servers, a Phoenix injector for deploying BugSleep, the Fooder malware loader and an advanced backdoor tracked as Stealth Cache.
A Cisco Talos threat assessment from 2022 found the group also regularly deployed ransomware as part of its attacks on victims’ networks “to either destroy evidence of their intrusions or disrupt operations.”
Talos said MuddyWater appeared to be “a conglomerate of smaller teams, with each team using different targeting tactics against specific regions of the world,” as well as sharing their tools, tactics and procedures with each other. The groups might also be staffed by contractors who move between different groups as requirements change.
Because of this crossover, Iranian APT groups attributed to different government entities, such as the MOIS and the Islamic Revolutionary Guard Corps, sometimes share overlapping TTPs, it said.
The U.S. government in June warned that Iranian cyber actors posed a risk to critical infrastructure following a U.S. attack against Iranian nuclear weapon development sites and a summer outbreak of hostilities between Tehran and Israel.