skip to Main Content

How the Iranian APT MuddyWaters works to spy targets in Middle East

Yoroi-Cybaze: Middle East countries have been targeted by the Iranian APT MuddyWaters with a malware campaign to spread the POWERSTATS backdoor

In the last days, some Middle East countries have been targeted by a new wave of cyber attacks related to the Iranian APT state-sponsored group, known as “MuddyWater“. The Yoroi- Cybaze cyber security experts analyzed the file used for a malicious campaign against Lebanon/Oman and unveiled the infection chain. When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the implant. At the same time, it shows a fake error popup saying the Office version is incompatible.  The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. One executed, the malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request. Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The cyber security experts: How the infection chain works

The first MuddyWater campaign was observed bynthe cyber security experts in 2017. More recently, Unit42 researchers reported cyber attacks in the Middle East area. The APT’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware. The malicious code implements more than one persistence mechanism. These are triggered only in the final stage of the infection, once the backdoor is executed. The goals, with high probability are cyber espionage actions against specific targets in the Middle East region. This, maintaining a foothold within their target hosts and exfiltrating data. These cyber attacks, moreover, leverage macro-embedded document as initial vector.

The complete Yoroi-Cybaze analysis of the infection chain

Back To Top