
Shocking New facts about the APT group have come to light


Last Updated on 03/02/2022 by Nidhi Khandelwal

Details have emerged concerning a previously unknown malware campaign carried out by the Iranian MuddyWater advanced persistent threat (APT) group, which targeted Turkish commercial companies and government agencies.


According to Cisco Talos researchers Asheer Malhotra and Vitor Ventura, “this campaign uses malicious PDFs, XLS files, and Windows executables to distribute malicious PowerShell-based downloaders that operate as early footholds within the target’s company.”

The news comes after the US Cyber Command tied the APT to the Iranian Ministry of Intelligence and Security (MOIS) earlier this month.

The intrusions, believed to have occurred as recently as November 2021, used weaponized Excel documents and PDF files hosted on attacker-controlled or media-sharing websites against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK).

The maldocs, posing as official documents from the Turkish Health and Interior Ministries, started the attack by executing malicious macros that propagated the infection chain and dropped PowerShell scripts on the infected system.


The use of canary tokens in macro code is a new addition to the group’s arsenal of tactics, techniques, and procedures (TTPs); researchers believe it is used to track successful infection of targets, thwart analysis, and detect whether the payload servers are down.

Canary tokens, also known as honeytokens, are identifiers placed in objects such as documents, web pages, and emails that, when viewed, generate an HTTP request informing the operator that the object has been accessed.
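A canary-token fetch from macro code looks, on the endpoint, like an Office process opening an outbound connection to a host it has no business talking to, followed (in this campaign) by Office spawning PowerShell. The following detection is an added example written for this article, not code from Cisco Talos or the page; the Sysmon-style events, the allowlist hosts and the hostnames are all constructed placeholders.

```python
"""Flag the two behaviours described above over constructed Sysmon-style events:
Event ID 3 (network connection) from an Office binary to a non-allowlisted host,
and Event ID 1 (process create) where Office is the parent of PowerShell."""
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed allowlist of hosts Office legitimately contacts (placeholder values).
ALLOWED_HOSTS = {"office.microsoft.com", "update.example.corp"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample events; hostnames and command lines are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "DestinationHostname": "office.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "DestinationHostname": "canary.example.invalid", "DestinationPort": 80},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc PLACEHOLDER_BASE64"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, office_binary, detail) tuples for matching events."""
    hits = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if ev.get("EventID") == 3 and image in OFFICE_IMAGES:
            host = ev.get("DestinationHostname", "").lower()
            # A macro beaconing to a canary/tracking URL shows up here.
            if host and host not in ALLOWED_HOSTS:
                hits.append(("office_beacon", image, host))
        elif ev.get("EventID") == 1 and parent in OFFICE_IMAGES:
            # The PowerShell downloader stage is launched by the Office parent.
            if image in POWERSHELL_IMAGES:
                hits.append(("office_spawns_powershell", parent,
                             ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Real deployments would key the allowlist on observed baseline traffic and correlate the two rules by process GUID rather than treating each event in isolation.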

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.