Last Updated on 26/02/2022 by Nidhi Khandelwal
Cybersecurity authorities from the United Kingdom and the United States have revealed a new malware used by the Iranian government’s advanced persistent threat (APT) group in assaults against government and business networks around the world.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint advisory.
This year, the cyberespionage actor was revealed to be working for Iran’s Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of government and private-sector organizations in Asia, Africa, Europe, and North America, including telecommunications, defense, local government, and the oil and natural gas sectors.
MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros in the larger cybersecurity community, with the organization recognised for cyber offensives in support of MOIS objectives since around 2018.
The group has previously been seen using open-source tools to gain access to sensitive data, deploy ransomware, and maintain persistence on target networks, in addition to exploiting publicly disclosed vulnerabilities.
Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign targeting Turkish private and governmental entities with the aim of delivering a PowerShell-based backdoor.
The latest activity exposed by the intelligence agencies is similar in that it uses obfuscated PowerShell scripts to hide the most dangerous parts of the attacks, such as the command-and-control (C2) functionality.