ATK51

Presumed Origin: Iran < Back

Alias: MERCURY, MobhaM, MuddyWater, NTSTATS, POWERSTATS, Seedworm, Static Kitten, TEMP.Zagros

ATK51 (aka: MuddyWater) is an Iranian threat group. Attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

REFERENCES

- 16/03/2017, Morphisec, Morphisec Discovers New Fileless Attack Framework
- 26/09/2017, Malwarebytes, Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
- 04/10/2017, Security 0wnage, Continued Activity targeting the Middle East
- 14/11/2017, PaloAlto, Muddying the Water: Targeted Attacks in the Middle East
- 12/03/2018, TrendMicro, Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
- 13/03/2018, FireEye, Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
- 08/05/2018, Security 0wnage, Clearing the MuddyWater - Analysis of new MuddyWater Samples
- 14/06/2018, TrendMicro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
- 10/10/2018, Kaspersky, MuddyWater expands operations
- 28/11/2018, ClearSky, MuddyWater Operations in Lebanon and Oman
- 30/11/2018, TrendMicro, New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
- 07/12/2018, Yoroi, Dissecting the MuddyWater Infection Chain
- 10/12/2018, Symantec, Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
- 21/03/2019, 360.net, Suspected MuddyWater APT organization's latest attack activity analysis against Iraqi mobile operator Korek Telecom
- 10/04/2019, CheckPoint, The Muddy Waters of APT Attacks
- 15/04/2019, ClearSky, Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
- 20/05/2019, Talos, Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
- 10/06/2019, TrendMicro, New MuddyWater Activities Uncovered
- 25/06/2019, 360.net, Analysis of MuddyC3, a New Weapon Used by MuddyWater
- 28/02/2020, GBHackers on Security, https://gbhackers.com/forelord-malware/
- 21/10/2020, Symantec, Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

Target sector

Defense
Education
Energy
Financial Services
Government and administration agencies
Healthcare
High-Tech
International Organizations
Media

Target countries

Austria
Azerbaijan
Bahrain
Georgia
Russian Federation
Pakistan
Israel
Jordan
Iraq
Iran, Islamic Republic Of
India
Mali
Saudi Arabia
Turkey
United Arab Emirates
United States Of America

Attack pattern

T1002 - Data Compressed
T1003 - Credential Dumping
T1016 - System Network Configuration Discovery
T1027 - Obfuscated Files or Information
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1047 - Windows Management Instrumentation
T1057 - Process Discovery
T1059 - Command-Line Interface
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1064 - Scripting
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085 - Rundll32
T1086 - PowerShell
T1088 - Bypass User Account Control
T1090 - Connection Proxy
T1104 - Multi-Stage Channels
T1105 - Remote File Copy
T1113 - Screen Capture
T1140 - Deobfuscate/Decode Files or Information
T1170 - Mshta
T1173 - Dynamic Data Exchange
T1175 - Distributed Component Object Model
T1191 - CMSTP
T1193 - Spearphishing Attachment
T1204 - User Execution
T1500 - Compile After Delivery

Motivation

Espionage

Malwares

Mori
MuddyC3
POWERSTATS
PowGoop

Vulnerabilities

CVE-2020-1472