
Rewterz Threat Alert – MuddyWater Targeting Turkish Organizations – Active IOCs

February 2, 2022

Severity

High

Analysis Summary

APT MuddyWater (aka Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros), an Iran-based APT, has been operating since at least 2017. The group relies on spear-phishing, a common but efficient infection vector, to carry out its operations. It has mostly targeted countries in the Middle East but has also affected countries in Europe and North America. The majority of the group’s victims are in the telecoms, government (IT services), and oil industries. The group’s activity was formerly linked to FIN7; however, it is now regarded as a separate entity driven by espionage.

The majority of MuddyWater’s attacks are based on social engineering. It lures victims into enabling macros in a document, which then infect the targeted workstation. Once macros are enabled, the threat actor’s code attempts to download a trojan from an adversary-controlled command and control node.

MuddyWater is back at it and is targeting Turkish organizations and government entities. In this malware campaign the group is leveraging malicious Microsoft Office documents and PDFs to infect victims’ systems.

“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise,” reads the analysis published by security researchers. “MuddyWater’s use of script based components such as obfuscated PowerShell based downloaders is also a tactic described in the advisory from January 2021 by the U.S. Cyber Command.”

The IP addresses used by the APT group in previous cyberattacks also match the ones in the recent attacks, as identified by the Turkish authorities.

Impact

  • Credential Theft
  • Exposure of Sensitive Information

Indicators of Compromise

Email

  • sisterdoreencongreve@gmail[.]com
  • lillianwnwindrope@gmail[.]com
  • doctor[.]x[.]2020@gmail[.]com
  • ubuntoubunto1398@gmail[.]com
  • a[.]sara[.]1995a@gmail[.]com

IP

  • 185[.]118[.]167[.]120
  • 185[.]118[.]164[.]195
  • 185[.]118[.]164[.]213
  • 137[.]74[.]131[.]16
  • 149[.]202[.]242[.]84
  • 5[.]199[.]133[.]149
  • 88[.]119[.]170[.]124
  • 172[.]245[.]81[.]135
  • 185[.]141[.]27[.]211

MD5

  • bb8b86b63d34879942e7bab842577122
  • da5a9a7ac9902fdd2cd4aab6b5efdf5b
  • fbacc4e15a4c17daac06d180c6db370e
  • 591c29acd2fe7325ce3180f5ff59409d
  • fde7103b0cc0af3186e78cf6635a9308
  • c1f4ffc8185463ab9a99b4ed112c89cd
  • c24bb0ff542fc3f4ae6bd695287f991f
  • 59629ec48fec4c8480a9b09471815ad5
  • d5481dbfad620a9787adab7d1d7c07cc
  • 366910fc6c707b5a760413dd4ab0c8e9
  • c0c2cd5cc018e575816c08b36969c4a6
  • 053b483ffc9573cb2c73192b48d0335c
  • 43f4c17f0851fc882b6d9fb588d141f2
  • 817ab97c5be4f97a3b66d3293e46adc7
  • 325493b99c01f442200316332b1d0b4c
  • f62497cf8619fe4f75ec333da4d6f756
  • f21371716c281e38b31c03f28d9cc7c0
  • eacf43ed80a150a6fb87fbeb473f1c25
  • 60c3679584d8529b928648fdec187034
  • 9c2d256a0238eac3f3d1a65429f64fe2
  • bc64955c5c91f6f9f5428f4bf6d8add9

SHA-256

  • 42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1
  • d9de66497ad189d785d7535ab263e92ffad81df20b903c5e1d36859b4ed38b6d
  • 5cdc7dd6162a8c791d50f5b2c5136d7ba3bf417104e6096bd4a2b76ea499a2f4
  • 26ed7e89b3c5058836252e0a8ed9ec6b58f5f82a2e543bc6a97b3fd17ae3e4ec
  • a8701fd6a5eb45e044f8bf150793f4189473dde46e0af8314652f6bf670c0a34
  • b726f4dd745891070f2e516d5d4e4f2f1ce0bf3ff685dc3800455383f342e54d
  • c9931382f844b61a002f83db1ae475953bbab449529be737df1eee8b3065f6eb
  • fcdd38ff378605c66333429d9df2242fbce25a5f69f4d6d4c11d9613bcb409b0
  • c13cb1c9277324534075f807a3fcd24d0d3c024197c7437bf65db78f6a987f7a
  • 450302fb71d8e0e30c80f19cfe7fb7801b223754698cac0997eb3a3c8e440a48
  • b1e30cce6df16d83b82b751edca57aa17795d8d0cdd960ecee7d90832b0ee76c
  • 921b4520b75fcd0071944a483d738223b222ba101e70f2950fbfbc22afbdb5d0
  • d7de68febbbdb72ff820f6554afb464b5c204c434faa6ffe9b4daf6b691d535f
  • 7dc49601fa6485c3a2cb1d519794bee004fb7fc0f3b37394a1aef6fceefec0c8
  • a69fee382cf86f9e457e0688932cbd00671d0d5218f8043f1ee385278ee19c8c
  • 63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf
  • f6569039513e261ba9c70640e6eb8f59a0c72471889d3c0eaba51bdebb91d285
  • 28f2198f811bbd09be31ad51bac49ba0be5e46ebf5c617c49305bb7e274b198c
  • 04d6ed9c6d4a37401ad3c586374f169b0aa8d609710bdcf5434d39e0fd4ed9bd
  • 69e3a454c191ee38663112cf5358a54cca1229188087ed18e92bc9c59b014912
  • dc28b5e878152b5305b8d251019895caa56a7a95a68eccb89a6ecc41da8aadb9

SHA-1

  • a38bf5b383b87b85f798b3feaa152a407f0d54a6
  • 164abd948ff4a2ed6d2a848f3b5322795e595995
  • 9c483899654caae1ca6a698275535633cd9571be
  • f9637e4f055537687e469e41be4f6e3492a4b18f
  • efaf653a16673d80ad445d0a3798653cd4e2d001
  • 3eb5c7ababb9d791ce738bb878ad0f47939d0c8e
  • d80c6f31789eb2b71c7fcb4626eb0fb77ef087df
  • ebf083d22fb0cf04cdf0360ac8e892a1df45d1b6
  • 488cdd9b4b3660c69b879f7e49ada535a9361af3
  • bc3fc89637437aed2223f0a6b4fda73a8afede1a
  • 47a4e0d466bb20cec5d354e56a9aa3f07cec816a
  • 9190d3c137a0970c064b5c80793624ff36cda876
  • 1daeb5f0383ce4c9cce280bf607a17abeaf1ddec
  • 9ce6287a4bc8e05b32196769483c98c914cda453
  • a7b57d47c1b80c61c61c1bcf9089eed6fdaac756
  • 4e8c6cbc7617acaefbd7d29ef67c2cbc4e75d1a6
  • be9dbee320d8870b3416e9a348f3f5aa92e1081b
  • 51fab90111375f91bc9c5946b443e711453fbba6
  • d188cf740d355488b7b8eb0fd896374468500505
  • dd38a9048059e4f8c96d03105fedc46af5cb5f66
  • b8d980963817731c6a8671dc308a2686f3108fe0

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
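The first two remediation steps (block the indicators, search for them) are easier to carry out when the defanged values published above are refanged and matched mechanically rather than by eye. The following script is an added example and is not part of the Rewterz advisory: it refangs a subset of the indicators listed above (the indicator values are copied from the advisory), then scans sample log lines and file contents for them. The log lines, hostnames and file contents are constructed for the example and are not real telemetry.

```python
# Added example (not part of the Rewterz advisory): refang the advisory's defanged
# indicators and search constructed sample log lines and file contents for them.
import hashlib
import re
from typing import Dict, List, Set, Tuple

# A subset of the indicators listed in the advisory above, kept in their
# defanged "[.]" form exactly as published.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "email": [
        "sisterdoreencongreve@gmail[.]com",
        "doctor[.]x[.]2020@gmail[.]com",
    ],
    "ip": [
        "185[.]118[.]167[.]120",
        "137[.]74[.]131[.]16",
    ],
    "md5": ["bb8b86b63d34879942e7bab842577122"],
    "sha1": ["a38bf5b383b87b85f798b3feaa152a407f0d54a6"],
    "sha256": ["42aa5a474abc9efd3289833eab9e72a560fee48765b94b605fac469739a515c1"],
}


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_ioc_sets(defanged: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator and group the results by type for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


# Hash length identifies the algorithm; the word boundaries stop a 64-char
# SHA-256 from also being reported as a 32-char MD5 prefix.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scan_line(line: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (type, value) pairs for every advisory indicator found in one log line."""
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in iocs.get("ip", set()):
            hits.append(("ip", ip))
    for email in EMAIL_RE.findall(line):
        if email.lower() in iocs.get("email", set()):
            hits.append(("email", email.lower()))
    for digest in HEX_RE.findall(line):
        kind = HASH_LENGTHS[len(digest)]
        if digest.lower() in iocs.get(kind, set()):
            hits.append((kind, digest.lower()))
    return hits


def scan_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Scan many lines; each hit carries the 1-based number of the line it came from."""
    return [(n, kind, value) for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line, iocs)]


def scan_file_bytes(data: bytes, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Hash file contents with all three algorithms and compare against the lists."""
    hits: List[Tuple[str, str]] = []
    for kind in ("md5", "sha1", "sha256"):
        digest = hashlib.new(kind, data).hexdigest()
        if digest in iocs.get(kind, set()):
            hits.append((kind, digest))
    return hits


# Constructed sample log lines (not real telemetry): proxy, mail gateway, EDR, benign.
SAMPLE_LOGS = [
    "2022-02-02T09:14:03Z proxy allow src=10.0.4.17 dst=185.118.167.120 dport=443",
    "2022-02-02T09:20:41Z mailgw from=Doctor.X.2020@gmail.com to=finance@corp.example subj=invoice",
    "2022-02-02T09:22:10Z edr process=excel.exe child=powershell.exe md5=bb8b86b63d34879942e7bab842577122",
    "2022-02-02T09:25:00Z proxy allow src=10.0.4.17 dst=203.0.113.5 dport=443",
]

if __name__ == "__main__":
    ioc_sets = build_ioc_sets(DEFANGED_IOCS)
    for line_no, kind, value in scan_lines(SAMPLE_LOGS, ioc_sets):
        print(f"line {line_no}: {kind} {value}")
    print(scan_file_bytes(b"constructed sample file contents", ioc_sets))
```

The lookups are case-insensitive because mail gateways and EDR agents differ in how they case addresses and hex digests; hashing a suspect file with all three algorithms covers whichever list the advisory happens to publish a value in. Only three of the four sample lines produce a hit; the benign proxy line is there to show that unrelated addresses are not reported.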