'MuddyWater' APT
The 'MuddyWater' APT is a criminal group that seems to be based in Iran. APT stands for "Advanced Persistent Threat", a term used by PC security researchers to refer to these kinds of criminal groups. Screenshots from malware linked to the 'MuddyWater' APT point to the group being based in Iran and possibly being sponsored by its government. The 'MuddyWater' APT's main activities seem to be directed at other countries in the Middle East. The 'MuddyWater' APT attacks have targeted embassies, diplomats, and government officials and may be focused on providing the attackers with a sociopolitical advantage. Past 'MuddyWater' APT attacks have also targeted telecommunications companies. The 'MuddyWater' APT has also been associated with false flag attacks. These are attacks that are designed to look as if a different actor has carried them out. Past 'MuddyWater' APT false flag attacks have impersonated Israel, China, Russia, and other countries, often in an attempt to cause unrest or conflict between the victim and the impersonated party.
Attack Tactics Associated with the 'MuddyWater' APT Group
The attacks associated with the 'MuddyWater' APT include spear phishing emails and the exploitation of zero-day vulnerabilities to compromise their victims. The 'MuddyWater' APT is linked to at least 30 distinct IP addresses. They also route their data through more than four thousand compromised servers, where corrupted plugins for WordPress have allowed them to install proxies. To date, at least fifty organizations and more than 1600 individuals have been victims of attacks linked to the 'MuddyWater' APT. The most recent 'MuddyWater' APT attacks are targeting Android device users, delivering malware to victims in an attempt to infiltrate their mobile devices. Due to the high profile of the targets of this state-sponsored group, it is unlikely that most individual computer users will find themselves compromised by a 'MuddyWater' APT attack. However, the measures that can help keep computer users safe from attacks like the 'MuddyWater' APT's are the same that apply to most malware and criminal groups, including the use of strong security software, installing the latest security patches, and avoiding questionable online content and email attachments.
Android Attacks Linked to the 'MuddyWater' APT
One of the latest attack tools used by the 'MuddyWater' APT is an Android malware threat. PC security researchers have reported three samples of this Android malware, two of which seem to be unfinished versions that were created in December of 2017. The most recent attack involving the 'MuddyWater' APT was dropped using a compromised website in Turkey. The victims of this 'MuddyWater' APT attack were located in Afghanistan. Like most of the 'MuddyWater' APT espionage attacks, the purpose of this infection was to gain access to the victim's contacts, call history, and text messages, as well as to access GPS information on the infected device. This information can then be used to harm the victim or to profit from the victim in a wide variety of ways. Other tools associated with the 'MuddyWater' APT attacks include custom backdoor Trojans. Three distinct custom backdoors have been linked to the 'MuddyWater' APT:
1. The first custom backdoor Trojan uses a cloud service for storing all data associated with the 'MuddyWater' APT attack.
2. The second custom backdoor Trojan is based on .NET and runs PowerShell as part of its campaign.
3. The third custom backdoor associated with the 'MuddyWater' APT attack is based on Delphi and is designed to collect the victim’s system information.
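The second backdoor above is described only as a .NET component that runs PowerShell, and the group's initial access relies on spear phishing attachments. From a defender's side, the detectable artifact that both of these leave behind is a process-creation event in which powershell.exe is launched by an unusual parent (an Office application, or an unknown .NET binary rather than an interactive shell) with switches meant to hide or obfuscate what it runs. The following scoring rule is an added example written for this page; it is not code from the original article or from any MuddyWater sample. The event lines, the parent-process lists, the regexes and the score weights are all constructed assumptions, and real process telemetry (Sysmon Event ID 1, EDR events) would first have to be mapped into the simple "parent|child|command line" form used here.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events in a simplified "parent|child|command line"
# form. These are illustrative sample lines, not data from any real incident.
SAMPLE_EVENTS = [
    'explorer.exe|outlook.exe|"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"',
    "explorer.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    "updater.exe|powershell.exe|powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "winword.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File stage.ps1",
    "svchost.exe|notepad.exe|notepad.exe readme.txt",
]

# Assumed parent-process categories: Office parents are the classic phishing
# attachment pivot; interactive parents are where an analyst or admin would
# normally launch PowerShell from. Anything else (e.g. an unknown .NET dropper)
# counts as a non-interactive parent.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "code.exe", "windowsterminal.exe"}

# PowerShell switches that legitimate interactive use rarely combines.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
NOPROFILE_RE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")
BYPASS_RE = re.compile(r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass")


@dataclass
class Finding:
    line_no: int
    parent: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split a constructed 'parent|child|cmdline' line; names are lower-cased for matching."""
    parent, child, cmdline = line.split("|", 2)
    return parent.lower(), child.lower(), cmdline


def score_event(parent, child, cmdline):
    """Return (score, reasons). Only PowerShell launches are scored; weights are assumptions."""
    if child != "powershell.exe":
        return 0, []
    score, reasons = 0, []
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append("spawned by Office application")
    elif parent not in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"spawned by non-interactive parent {parent}")
    if ENCODED_RE.search(cmdline):
        score += 3
        reasons.append("encoded command")
    if HIDDEN_RE.search(cmdline):
        score += 1
        reasons.append("hidden window")
    if NOPROFILE_RE.search(cmdline):
        score += 1
        reasons.append("-NoProfile")
    if BYPASS_RE.search(cmdline):
        score += 2
        reasons.append("execution policy bypass")
    return score, reasons


def scan(events, threshold=3):
    """Run the rule over event lines and return the findings at or above the threshold."""
    findings = []
    for n, line in enumerate(events, 1):
        parent, child, cmdline = parse_event(line)
        score, reasons = score_event(parent, child, cmdline)
        if score >= threshold:
            findings.append(Finding(n, parent, score, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: parent={f.parent} score={f.score} reasons={', '.join(f.reasons)}")
```

Run against the constructed events, the rule stays quiet on the interactive `-NoProfile -Command Get-Date` launch (score 1) and fires on the hidden, encoded launch from the unknown parent (score 7) and on the Word-spawned execution-policy bypass (score 5). The point of scoring rather than matching a single switch is that each switch on its own is common in legitimate automation; it is the combination with an unexpected parent that makes the event worth an analyst's time.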
Once the victim's device has been compromised, the 'MuddyWater' APT will use known malware and tools to take over the infected computer and collect the data they need. The criminals that are part of the 'MuddyWater' APT attacks are not infallible. There are instances of sloppy code and leaked data that have allowed researchers to determine more about the identity of the 'MuddyWater' APT attackers.