InsighthubNews
Iran-linked Muddy Water targets over 100 organizations in global espionage campaign

October 22, 2025 3 Min Read

The Iranian nation-state group known as MuddyWater is believed to be behind a new campaign that leverages compromised email accounts to distribute a backdoor called Phoenix to various organizations in the Middle East and North Africa (MENA) region, including more than 100 government agencies.

Singapore cybersecurity firm Group-IB said in a technical report released today that the ultimate goal of the campaign was to penetrate high-value targets and facilitate intelligence gathering.

More than three-quarters of the campaign’s targets are embassies, diplomatic missions, foreign ministries and consulates, followed by international organizations and telecommunications companies.

“MuddyWater accessed compromised mailboxes through NordVPN (a legitimate service exploited by threat actors) and used them to send phishing emails disguised as genuine communications,” said security researchers Mahmoud Zoudi and Mansour Alhumud.

“By exploiting the trust and authority associated with such communications, this campaign significantly increased the likelihood of tricking recipients into opening malicious attachments.”

The attack chain essentially involves the attacker distributing a weaponized Microsoft Word document that, when opened, prompts the email recipient to enable macros in order to view the content. When an unsuspecting user enables this feature, the document begins executing malicious Visual Basic for Applications (VBA) code, which results in the deployment of version 4 of the Phoenix backdoor.

The backdoor is launched by a loader called FakeUpdate, which the VBA dropper decodes and writes to disk. The loader carries a Phoenix payload encrypted with the Advanced Encryption Standard (AES).
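The chain above begins with a Word attachment that carries a VBA macro, so the cheapest place for a defender to intervene is attachment triage at the mail gateway: a document that embeds a VBA project is worth quarantining before any user is asked to "enable content". The script below is an added example written for this article and is not code from Group-IB or from the report it describes. It assumes the attachment is an OOXML package (the .docx/.docm zip format; the article does not say which Word format was used, and a legacy .doc OLE file would need a different parser), and it builds its own constructed sample documents in memory so that it runs offline.

```python
import io
import zipfile

# In an OOXML Word package, an embedded VBA project lives in this part.
MACRO_PART = "word/vbaProject.bin"
# Content type that Word assigns to the main part of a macro-enabled document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally carrying a VBA part.

    The vbaProject.bin body here is a placeholder, not a real macro stream."""
    main_type = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for an OLE-wrapped VBA project.
            z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


def triage_attachment(filename: str, data: bytes) -> dict:
    """Inspect an attachment and report whether it embeds VBA.

    Looks at the package contents rather than the file name, because a .docm
    renamed to .docx still opens in Word and still carries its macros."""
    findings = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba": False,
        "macro_enabled_type": False,
        "extension_mismatch": False,
    }
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a zip container; out of scope for this parser
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            findings["is_ooxml"] = "[Content_Types].xml" in names
            findings["has_vba"] = MACRO_PART in names
            if findings["is_ooxml"]:
                ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["macro_enabled_type"] = MACRO_CONTENT_TYPE in ct_xml
    except zipfile.BadZipFile:
        return findings
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A macro-bearing package whose extension claims to be macro-free is doubly suspicious.
    findings["extension_mismatch"] = findings["has_vba"] and ext not in ("docm", "dotm")
    return findings


def should_quarantine(findings: dict) -> bool:
    """Policy: hold any inbound Word package that carries a VBA project."""
    return findings["has_vba"] or findings["macro_enabled_type"]


if __name__ == "__main__":
    for name, doc in (("invoice.docx", build_docx(with_macro=True)),
                      ("agenda.docx", build_docx(with_macro=False))):
        result = triage_attachment(name, doc)
        print(name, "quarantine" if should_quarantine(result) else "deliver", result)
```

The decision is driven by the presence of the VBA part and the macro-enabled content type, not by the extension, so the renamed-attachment case is caught; the extension mismatch is reported separately as an extra signal for the analyst.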

MuddyWater, also known as Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly known as Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It is known to have been active since at least 2017.


The threat actor’s use of Phoenix was first documented by Group-IB last month, describing it as a lightweight version of BugSleep, a Python-based implant linked to MuddyWater. Two different variants of Phoenix (version 3 and version 4) have been detected in the wild.

The cybersecurity vendor said it also found that the attacker’s command and control (C2) server (‘159.198.36(.)115’) hosted a remote monitoring and management (RMM) utility and a custom web browser credential stealer targeting Brave, Google Chrome, Microsoft Edge, and Opera, suggesting these may have been used in the operation. It’s worth noting that MuddyWater has a long history of distributing remote access software through phishing campaigns.

“By deploying updated malware variants such as the Phoenix v4 backdoor, FakeUpdate injector, and custom credential theft tools alongside legitimate RMM utilities such as PDQ and Action1, MuddyWater demonstrated an enhanced ability to integrate custom code with commercial tools to improve stealth and persistence,” the researchers said.
