Cybersecurity researchers at Cisco Talos identified a campaign conducted by the advanced persistent threat (APT) group MuddyWater targeting high-profile entities in Turkey. MuddyWater is a state-sponsored Iranian hacking group that has previously been linked to campaigns in the Middle East, Israel, the US, and Europe. The group has ties to Iran's Ministry of Intelligence and Security. The US Cyber Command made the link between MuddyWater and the Iranian government public earlier this year, confirming that the APT is one of many groups conducting intelligence activities for Iran.
Cisco Talos researchers stated that the latest MuddyWater campaign uses malicious PDFs and Microsoft Office documents as its initial attack vector. The phishing emails carrying the documents are crafted to appear to come from the Turkish Health and Interior Ministries, and targets include organizations such as the Scientific and Technological Research Council of Turkey. The malicious documents contain embedded VBA macros that launch a PowerShell script; that script runs a downloader capable of executing arbitrary code, creates a registry key, and uses Living Off the Land Binaries (LOLBins) to hijack the machine. Once the initial compromise succeeds, MuddyWater conducts cyberespionage in the interest of the Iranian state.
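As an added example, not code from the Talos report or this article, the following Python flags the chain described above (Office macro spawning PowerShell or another LOLBin, followed by a Run-key write from that process) in Sysmon-style process-creation and registry events; the sample events, file paths, process IDs and SID are constructed for illustration.

```python
import re

# Added example, not from the Talos report: flag the page's chain (Office
# macro -> PowerShell/LOLBin -> Run-key persistence) in Sysmon-style events.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample telemetry (Sysmon event 1 = process create,
# event 13 = registry value set); paths, PIDs and the SID are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3000,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\ayse\Downloads\duyuru.doc"'},
    {"EventID": 1, "ProcessId": 4212, "ParentProcessId": 4100,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\ayse\AppData\Local\Temp\stage.ps1"},
    {"EventID": 13, "ProcessId": 4212,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpdate"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 3000,  # benign: interactive shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

def basename(image):
    """Last path component, lower-cased; handles Windows paths on any host OS."""
    return re.split(r"[\\/]", image)[-1].lower()

def find_macro_chains(events):
    """One finding per LOLBin spawned by an Office app, with any Run-key writes
    made by that same process attached (two passes, so event order is irrelevant)."""
    findings = {}
    for ev in events:
        if (ev["EventID"] == 1 and basename(ev["ParentImage"]) in OFFICE_APPS
                and basename(ev["Image"]) in LOLBINS):
            findings[ev["ProcessId"]] = {"parent": basename(ev["ParentImage"]),
                                         "child": basename(ev["Image"]),
                                         "command_line": ev["CommandLine"],
                                         "run_keys": []}
    for ev in events:
        if ev["EventID"] == 13 and ev["ProcessId"] in findings:
            if any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
                findings[ev["ProcessId"]]["run_keys"].append(ev["TargetObject"])
    return list(findings.values())
```

Run against `SAMPLE_EVENTS` it reports the WINWORD.EXE to powershell.exe spawn together with the Run-key write, and ignores the PowerShell started from Explorer.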
Read More: State-sponsored Iranian hackers attack Turkish government, private organizations