Researchers Discover Iranian Hacking Campaign Aimed at Turkish Users

Researchers Discover Iranian Hacking Campaign Aimed at Turkish Users

Short News:- 

An Iranian MuddyWater advanced persistent threat (APT) group has targeted Turkish private organizations and government institutions. TÜBTAK (Türkish Scientific and Technological Research Council) was targeted in the attacks. Attacks believed to have begun as recently as November 2021. Researchers believe MuddyWater may have carried out multiple attacks as part of one continuous campaign. The threat actors are "highly capable and motivated" in their espionage endeavors.

Detailed News:- 

Information has emerged about an Iranian MuddyWater advanced persistent threat (APT) group malware campaign aimed at Turkish private organizations and government institutions that was previously unknown.

"This campaign uses malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura wrote in a newly published report.

The U.S. Cyber Command recently linked the APT to the Iranian Ministry of Intelligence and Security (MOIS).

TÜBTAK (Türkish Scientific and Technological Research Council) was targeted in the attacks, which are believed to have begun as recently as November 2021 and used weaponized Excel and PDF files hosted on websites controlled by hackers or media-sharing websites.

Malicious macros embedded in these documents were used to propagate the infection chain and drop PowerShell scripts to the compromised system, which was then infected with the malicious macros.

Macro code is now being used to track successful infection of targets, thwart analysis and detect whether or not the payload servers are being blocked at the other end by using canary tokens, a new addition to the group's arsenal of tactics, techniques, and procedures (TTPs).

Tokens known as honeytokens or canary tokens are embedded in objects like documents and emails that when opened trigger an alert in the form of an HTTP request, alerting the operator that they have been accessed.

Finally, the infected endpoint is infected with a third, unidentified piece of PowerShell code that is downloaded and executed by PowerShell scripts that reside in the malware's metadata.

Another variation of the attacks observed by Talos involved PDF documents with embedded links pointing to Windows executables instead of Excel files, which then instrumented the infection chain to deploy PowerShell downloaders.

The researchers also found at least two different executables delivered by the adversary targeting Armenian telecommunications in June 2021 and Pakistani entities in August 2021, raising the possibility that MuddyWater may have carried out multiple attacks as part of one long continuous campaign.

An Iranian-based cyber company called Emennet Pasargad was linked to a sophisticated influence campaign orchestrated to disrupt the 2020 presidential election, according to a PIN released by the FBI last week.

Ultimately, the researchers came to the conclusion that these actors were "highly capable and motivated" in their espionage endeavors. When it comes to tracking successful infection of targets, MuddyWater has proven its adaptability and unwillingness to refrain from attacking other nations by using new techniques such as canary tokens."