MuddyWater, also known as Seedworm, is an Iranian cyberespionage threat actor that primarily targets the UAE, Saudi Arabia, Israel, Iraq, and other Middle Eastern nations, as well as some European and North American countries. Active since 2017, the APT actor has evolved over the years by adding new TTPs to its arsenal. Although attribution was difficult for years, USCYBERCOM has now attributed the group to an Iranian intelligence agency.
Diving into the details
MuddyWater has been linked to Iran's Ministry of Intelligence and Security (MOIS). MOIS is the Iranian government's leading intelligence agency, conducting clandestine operations that advance the Islamic regime's aims beyond Iran's borders. MuddyWater is a subordinate entity within MOIS.
Malware used by MuddyWater
The group builds its malware on open-source code. USCYBERCOM's Cyber National Mission Force, in collaboration with the FBI, released several malware samples used by the hacking group. The samples contain various strains of PowGoop, a DLL loader that decrypts and runs a PowerShell-based malware downloader, and the Mori backdoor, which uses DNS tunneling. Apart from MuddyWater, other MOIS APTs also use DNS tunneling to communicate with their C2 servers.
USCYBERCOM has warned that anyone who observes a combination of the above tools should check their network for a MuddyWater infection.
The group leverages a variety of techniques to maintain access to victim networks. These include DLL side-loading, which tricks legitimate programs into loading malicious code, and obfuscating PowerShell scripts to hide C2 functions.
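As an added example (not from the advisory, and not code from any of the tools it describes), the following Python heuristic shows how a defender could triage DNS query logs for the long, high-entropy subdomain queries that DNS-tunneling backdoors such as Mori generate. The log format, the thresholds, and the domains in the sample are constructed assumptions; real DNS tunneling detection should also use the public suffix list and per-host baselines.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp host qtype qname); hypothetical values, not advisory indicators.
SAMPLE_DNS_LOG = """\
2022-01-12T10:00:01Z ws01 A www.example.com
2022-01-12T10:00:02Z ws01 A cdn.example.com
2022-01-12T10:00:03Z ws07 TXT 4a7f3b9e1c2d8e0f.5b6c7d8e9f0a1b2c.upd-svc.example.org
2022-01-12T10:00:04Z ws07 TXT 9c0d1e2f3a4b5c6d.7e8f9a0b1c2d3e4f.upd-svc.example.org
2022-01-12T10:00:05Z ws07 TXT f1e2d3c4b5a69788.0a1b2c3d4e5f6a7b.upd-svc.example.org
2022-01-12T10:00:06Z ws01 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded data pushes this towards log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Naive registered domain (last two labels); production code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])

def parse_dns_log(text):
    """Yield (timestamp, host, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[0], parts[1], parts[2], parts[3].lower().rstrip(".")

def score_domains(records, min_queries=3, min_prefix_len=30, min_entropy=3.5):
    """Aggregate queries per registered domain and flag long, high-entropy subdomain prefixes."""
    agg = defaultdict(lambda: {"queries": 0, "prefix_len": 0, "entropy": 0.0, "txt": 0})
    for _, _, qtype, qname in records:
        dom = registered_domain(qname)
        prefix = qname[: -len(dom) - 1] if qname != dom else ""  # labels left of the domain
        s = agg[dom]
        s["queries"] += 1
        s["prefix_len"] += len(prefix)
        s["entropy"] += shannon_entropy(prefix)
        s["txt"] += int(qtype == "TXT")
    report = {}
    for dom, s in agg.items():
        q, avg_len, avg_ent = s["queries"], s["prefix_len"] / s["queries"], s["entropy"] / s["queries"]
        report[dom] = {"queries": q, "avg_prefix_len": avg_len, "avg_entropy": avg_ent, "txt_ratio": s["txt"] / q,
                       "suspicious": q >= min_queries and avg_len >= min_prefix_len and avg_ent >= min_entropy}
    return report

def tunneling_candidates(text):
    """Registered domains whose query pattern looks like DNS tunneling, for analyst triage."""
    return sorted(d for d, s in score_domains(parse_dns_log(text)).items() if s["suspicious"])
```

On the sample log, only example.org is flagged: its three TXT queries carry 41-character hex-heavy prefixes, while the short www/cdn/mail labels under example.com fall below the length threshold.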
The bottom line
MuddyWater is refining its tactics and techniques to evade detection. Moreover, as a state-sponsored group, MuddyWater can apply exceptional resources to attack specific targets. It is less sophisticated than other state-sponsored groups, but it makes up for that through its persistence and constant evolution.