Posted on February 1, 2022 at 7:05 PM
A recent report has revealed that the Turkish government has become the target of state-sponsored actors from Iran. The report noted that the actors are impersonating the Turkish Interior and Health Ministries to plant malware in their victims’ networks.
Cybersecurity researchers from Cisco Talos revealed this week that an advanced persistent threat (APT) group called MuddyWater is responsible for the attacks. The researchers noted that the APT group has ties to Iran’s Ministry of Intelligence and Security (MOIS).
MuddyWater, also known as Static Kitten or Mercury, was discovered in 2017 and has been active since then. The group has also been tied to attacks on organizations in several regions, including Israel, the Middle East, Europe, and the U.S.
Last month, U.S. Cyber Command connected the APT to the Iranian government. According to the unit, the group is one of several Iranian groups carrying out Iranian intelligence activities.
“MuddyWater is a subordinate element within the MOIS,” according to U.S. Cyber Command.
The MOIS carries out domestic surveillance to identify regime opponents. Additionally, it surveys anti-regime activities in other regions via its network of agents located in Iran’s embassies.
The Latest Campaign Began In November Last Year
Talos researchers Victor Ventura and Asheer Malhotra stated that the latest MuddyWater campaign started in November 2021. It uses Microsoft Office documents and PDFs as its initial attack vectors.
The phishing emails carrying the malicious attachments are spoofed to appear to come from the Turkish Interior and Health Ministries. The campaign has a number of high-value targets, including the Scientific and Technological Research Council of Turkey (Tubitak).
The malicious document contains embedded VBA macros designed to launch a PowerShell script. The script in turn relies on Living Off the Land Binaries (LOLBins), creates a registry key for persistence, and runs a downloader that executes arbitrary code. Once this code is in place, it can be used to take control of the machine and move into the network.
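The chain described above (Office macro to PowerShell to LOLBin to Run-key persistence) is what a defender would correlate in endpoint telemetry. The following is an added detection example, not code from the article or from Talos; it runs over constructed Sysmon-style process-creation and registry events (the event shapes, GUIDs, paths and value names are all assumed for illustration).

```python
import re

# Constructed Sysmon-style events (not real telemetry). Event ID 1 is process
# creation, 13 is a registry value set. They model the chain the article
# describes: macro document -> PowerShell -> LOLBin -> Run-key persistence.
SAMPLE_EVENTS = [
    {"id": 1, "guid": "A", "pguid": "ROOT", "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "guid": "B", "pguid": "A",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"id": 1, "guid": "C", "pguid": "B",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "guid": "D", "pguid": "C", "image": r"C:\Windows\System32\rundll32.exe"},
    {"id": 13, "guid": "C", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign: a Run value written by explorer.exe with no Office ancestor.
    {"id": 13, "guid": "A", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Map process guid -> (parent guid, image name) from creation events."""
    return {e["guid"]: (e["pguid"], basename(e["image"])) for e in events if e["id"] == 1}

def has_office_ancestor(guid, tree):
    """Walk the process itself and its parent chain looking for an Office app."""
    while guid in tree:
        guid, name = tree[guid]
        if name in OFFICE_APPS:
            return True
    return False

def detect(events):
    """Return (rule, guid) pairs for the macro -> PowerShell -> persistence chain."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        name = basename(e["image"])
        if e["id"] == 1:
            pname = tree.get(e["pguid"], (None, ""))[1]
            if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", e["guid"]))
            elif name in LOLBINS and has_office_ancestor(e["guid"], tree):
                alerts.append(("lolbin_under_office_chain", e["guid"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]) and has_office_ancestor(e["guid"], tree):
            alerts.append(("run_key_persistence_from_office_chain", e["guid"]))
    return alerts
```

The Run-key rule fires only for processes descending from an Office application, so the benign explorer.exe write stays quiet while the same value written from the macro chain is flagged.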
After gaining access to a system, MuddyWater concentrates on three objectives: deploying ransomware, stealing intellectual property, and carrying out cyber espionage in the interest of the state. Ransomware is sometimes deployed to destroy evidence of the group’s operations or to disrupt the operations of the victim organization.
However, verification checks on the operator’s command and control (C2) servers meant that the researchers were unable to obtain the final payload of the campaign.
The APT also monitors its intrusions using canary tokens. These are digital “canaries” that notify the operator when a user opens a file. They are usually used by security researchers to detect and monitor intrusions, but they are equally useful to threat actors for confirming successful infections.
The FBI Warns Against Another Iranian-Backed Attack
In another development, the U.S. Federal Bureau of Investigation (FBI) issued a warning about the malicious activities carried out by an Iranian cyber company known as Emennet Pasargad.
The FBI shared the group’s methods to help organizations deal with the threat.
The threat from state actors from Iran has dominated the security discussions of several security researchers and agencies. In November last year, the U.S. Treasury Department sanctioned six Iranian nationals for their role in a malware campaign that tried to obstruct the 2020 general elections.
Emennet Also Targeted Several Sectors In The U.S.
The company repeatedly rebrands and changes its name to stay under the radar while carrying out its operations. While Emennet continues to threaten the security of foreign organizations, it remains useful within Iran, providing cybersecurity services inside the country, including to government agencies.
When the Treasury announced the sanctions, two Emennet employees were charged by the Justice Department with hacking and spreading false information about the presidential election.
In its alert, the FBI added that Emennet also carried out ‘traditional cyber exploitation’ targeting the petrochemical, telecoms, travel, shipping, and financial sectors. According to the alert, the targets were in the Middle East, Europe, and the United States.
The threat actors used different VPNs to hide their location. They also used several commercial and open-source tools in their operations, such as Netsparker, Wappalyzer, Acunetix, wpscan, and SQLmap.
The hackers selected potential victims by looking up major organizations representing various sectors. After identifying an organization, they searched its servers in depth for vulnerabilities that would give them initial access.