Last Updated on 03/02/2022 by Nidhi Khandelwal
Details have emerged concerning a previously unknown malware campaign carried out by the Iranian MuddyWater advanced persistent threat (APT) group, which targeted Turkish commercial companies and government agencies.
According to Cisco Talos researchers Asheer Malhotra and Vitor Ventura, “this campaign uses malicious PDFs, XLS files, and Windows executables to distribute malicious PowerShell-based downloaders that operate as early footholds within the target’s company.”
The news comes after the US Cyber Command tied the APT to the Iranian Ministry of Intelligence and Security (MOIS) earlier this month.
The intrusions, believed to have occurred as recently as November 2021, were carried out using weaponized Excel documents and PDF files, hosted on attacker-controlled or media-sharing websites, against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK).
The attacks began with maldocs posing as official documents from the Turkish Health and Interior Ministries; malicious macros embedded in them executed to propagate the infection chain and drop PowerShell scripts on the compromised system.
The use of canary tokens in macro code is a new addition to the group’s tactics, techniques, and procedures (TTPs), which researchers believe is being used to track successful infection of targets, thwart analysis, and detect whether the payload servers are down.
Canary tokens, also known as honeytokens, are identifiers placed in objects such as documents, web pages, and emails that, when viewed, generate an HTTP request informing the operator that the object has been accessed.
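The mechanism described above is the same whether a defender plants honeytokens in decoy files or an operator uses them to learn which lure was opened: each object carries a unique, unguessable URL, and a hit on that URL in the callback server's access log is mapped back to the object. The following Python is an added illustration of that operator-side workflow and is not code from the campaign or from Talos; the hostname `canary.example.net`, the combined-log-format lines and the object labels are all constructed for the example.

```python
"""Canary (honey) tokens: mint one unguessable URL per object, embed it, and
turn web-server hits on that URL into alerts naming the object that was opened.
Added illustration; not code from the MuddyWater campaign or from Talos."""
import re
import secrets
from datetime import datetime, timezone

# Assumption: a hostname the operator controls and whose access log they read.
CANARY_HOST = "canary.example.net"

# token -> human-readable label of the object the token was planted in
REGISTRY = {}


def mint_token(label):
    """Create a random token tied to one object and return its callback URL.

    Random rather than sequential so a viewer cannot enumerate other tokens,
    and unique per object so a single hit identifies exactly which
    document, page or e-mail was opened.
    """
    token = secrets.token_hex(16)          # 32 hex characters
    REGISTRY[token] = label
    return f"https://{CANARY_HOST}/t/{token}.png"


def embed_html(url):
    """A 1x1 remote image: the renderer fetches it when the page/e-mail is viewed."""
    return f'<img src="{url}" width="1" height="1" alt="">'


# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TOKEN_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{32})\.png$")


def alerts_from_log(lines):
    """Map requests for known tokens back to the objects they were planted in.

    Hits for unregistered tokens (scanners, typos) are ignored rather than
    alerted on; repeated opens of the same object each produce an alert.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.match(m["path"])
        if not t or t["token"] not in REGISTRY:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        alerts.append({
            "object": REGISTRY[t["token"]],
            "token": t["token"],
            "source_ip": m["ip"],
            "user_agent": m["ua"],
            "opened_at": ts.astimezone(timezone.utc).isoformat(),
        })
    return alerts


def demo():
    """Two planted objects and a constructed access log (not real traffic)."""
    url_a = mint_token("Q3 salary spreadsheet (finance share)")
    url_b = mint_token("VPN credentials note (ticketing system)")
    planted = embed_html(url_a)            # what actually goes into the decoy
    path_a = url_a.split(CANARY_HOST)[1]
    path_b = url_b.split(CANARY_HOST)[1]
    unknown = "0" * 32                     # token nobody minted: must not alert
    log = [
        f'203.0.113.7 - - [10/Jan/2022:09:14:03 +0300] "GET {path_a} HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [10/Jan/2022:09:15:11 +0000] "GET /t/{unknown}.png HTTP/1.1" 404 0 "-" "curl/7.79"',
        f'198.51.100.9 - - [10/Jan/2022:09:15:12 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.79"',
        f'203.0.113.7 - - [10/Jan/2022:09:16:40 +0300] "GET {path_b} HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    ]
    return alerts_from_log(log)


if __name__ == "__main__":
    for a in demo():
        print(f'{a["opened_at"]}  {a["source_ip"]:15}  opened: {a["object"]}')
```

Running the module prints two alerts (the salary spreadsheet, then the credentials note) and nothing for the probe against an unminted token, which is the behaviour a practitioner wants: the token registry, not the URL pattern alone, decides what counts as a hit. Timestamps are normalised to UTC so hits from servers logging in different zones can be ordered.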