News

APT group MuddyWater expanded its arsenal and uses new attack vectors

The Iranian APT group MuddyWater began using new attack vectors on telecommunications and governmental organizations.

According to the information security company Clearsky Security, MuddyWater has replenished its tactics, techniques and procedures (TTP) with new Microsoft Word documents that download malicious files through compromised servers, as well as documents that exploit CVE-2017-0199.

“The TTP includes decoy documents exploiting CVE-2017-0199 as the first stage of the attack. This is followed by the second stage of the attack – communication with the hacked C2 servers and downloading a file infected with the macros”, — inform in Clearsky Security.

Documents with VBA macros download malware masked as JPG on the attacked computer from a server located in the same country with the victim. This software exploits Microsoft Office/WordPad Remote Code Execution Vulnerability w/ Windows API (CVE-2017-0199) vulnerability and is detected by only three security solutions. For comparison, software used in past attacks was detected by 32 antivirus programs.

After the computer compromised, the malware tries to connect to the C&C server controlled by the attackers and, if it fails, the user redirected on Wikipedia.

Read also: Researchers told about new instruments of MuddyWater cybercriminal group

Band uses two types of malicious documents to exploit the vulnerability mentioned above. The first document uses error messages, and the second exploits the vulnerability immediately after its discovery by the victim.

The first document in turn loads malware of the first and second stage from the C&C server on the attacked system. Some documents use both attack vectors.

Reference:

MuddyWater (aka SeedWorm/Temp.Zagros) is a high-profile Advanced Persistent Threat (APT) actor sponsored by Iran. The group was first observed in 2017, and since has operated multiple global espionage campaigns. With that in mind, their most significant operations mainly focus on Middle Eastern and Middle Asian nations.

The group targets a wide gamut of sectors, including governmental, military, telecommunication, and academia.

Source: https://www.clearskysec.com

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove News-bhexusa.xyz Pop-up Ads

About News-bhexusa.xyz News-bhexusa.xyz pop-ups can not open out of nowhere. If you have clicked on…

18 hours ago

Remove News-bhupotu.xyz Pop-up Ads

About News-bhupotu.xyz News-bhupotu.xyz pop-ups can not launch out of the blue. If you have clicked…

18 hours ago

Remove News-bhocime.info Pop-up Ads

About News-bhocime.info News-bhocime.info pop-ups can not open out of the blue. If you have actually…

18 hours ago

Remove You-hub.online Pop-up Ads

About You-hub.online You-hub.online pop-ups can not launch out of nowhere. If you have clicked on…

18 hours ago

Remove News-bhecudu.live Pop-up Ads

About News-bhecudu.live News-bhecudu.live pop-ups can not introduce out of the blue. If you have clicked…

18 hours ago

Remove News-bhiciwe.today Pop-up Ads

About News-bhiciwe.today News-bhiciwe.today pop-ups can not introduce out of the blue. If you have clicked…

18 hours ago