Full Report
The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering.
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Identification:** Iranian nation-state group.
* **Affiliation:** Assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
* **Known Aliases/Associated Groups:** Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix.
* **Activity Span:** Known to be active since at least 2017.
## Activity Summary
MuddyWater is engaged in a global espionage campaign targeting over 100 organizations, utilizing a compromised email account to distribute the Phoenix backdoor. The immediate goal involves infiltrating high-value targets to facilitate intelligence gathering. The actor has demonstrated enhanced stealth by integrating custom code with commercial tools.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing via compromised email accounts, with the mailbox used to send the spam accessed through a legitimate service (NordVPN).
* **Execution:** Distribution of weaponized Microsoft Word documents requiring users to enable macros.
* **Payload Deployment:** Execution of malicious Visual Basic for Applications (VBA) code once macros are enabled, which deploys a loader called `FakeUpdate`.
* **Persistence/Control:** The `FakeUpdate` loader decodes and writes the Phoenix Version 4 backdoor payload to disk.
* **Tool Integration:** Use of custom malware alongside legitimate Remote Monitoring and Management (RMM) utilities like PDQ and Action1.
* **Lateral Movement/Data Collection:** Usage of a custom web browser credential stealer targeting Brave, Google Chrome, Microsoft Edge, and Opera.
* **Malware Families Used:** Phoenix backdoor (Versions 3 and 4 detected), FakeUpdate loader, custom web browser credential stealer.
## Targeting
* **Sectors:** Government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms.
* **Geography:** Middle East and North Africa (MENA) region (the primary focus of this specific campaign).
* **Victims:** Over 100 government entities, specifically prioritizing diplomatic and governmental infrastructure.
## Tools & Infrastructure
* **Malware Families Used:** Phoenix backdoor (v4), FakeUpdate loader, custom web browser credential stealer.
* **Infrastructure (C2, domains, IPs):** Command-and-control server located at: `159.198.36[.]115`.
* **Abused Services:** NordVPN (used to access compromised mailboxes).
* **Commercial Tools Used:** PDQ, Action1 (RMM utilities).
## Implications
The threat actor demonstrates a high level of operational security and adaptability, evidenced by its use of legitimate commercial services (NordVPN) to reach the compromised mailbox and by the evolution of its malware (Phoenix v4). The focus on diplomatic organizations suggests a consistent goal of state-sponsored intelligence collection against foreign affairs bodies. Pairing custom backdoors with commercial RMM tools strengthens persistence and helps evade detection, because the activity blends in with that of whitelisted software.
## Mitigations
* Strictly limit the enabling of macros in unsolicited or unexpected Microsoft Office documents.
* Monitor network traffic for connections from newly deployed executables to known malicious IPs, and for unusual C2-like patterns in traffic associated with RMM tools.
* Implement credential hygiene and multi-factor authentication, especially for accounts whose credentials are saved in the browsers targeted by the credential stealer (Brave, Chrome, Edge, Opera).
* Monitor for the presence of the Phoenix backdoor and for the FakeUpdate loader execution flow (macro-enabled Word document, VBA code, loader decoding and writing the payload to disk).
* Review configurations for RMM tools like PDQ and Action1 to ensure legitimacy and control over their deployment.
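As an added example (not code from the report or from any vendor), the monitoring bullets above turned into a small detection sweep over Sysmon-style JSON events: it flags Office processes spawning children, starts of PDQ/Action1 agents for comparison with the approved RMM inventory, and outbound connections to the report's C2 address. The event schema, process names and log lines are constructed assumptions.

```python
"""Added example: detection sweep for the Phoenix / FakeUpdate delivery chain
described above, run over constructed Sysmon-style JSON event lines."""
import json

# C2 address from the report (defanged there as 159.198.36[.]115)
KNOWN_C2 = {"159.198.36.115"}
# Assumption: macro-capable Office hosts whose child processes deserve review
OFFICE_HOSTS = {"winword.exe", "excel.exe"}
# Assumption: name fragments used to spot the RMM agents named in the report
RMM_FRAGMENTS = ("pdq", "action1")

def refang(indicator: str) -> str:
    """Convert a defanged indicator (159.198.36[.]115) into matchable form."""
    return indicator.replace("[.]", ".")

def basename(path: str) -> str:
    """Case-folded file name from a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]

def analyze(events):
    """Return (rule, host, detail) tuples for events matching the report's TTPs."""
    alerts = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["event"] == "process_create":
            parent, image = basename(ev["parent_image"]), basename(ev["image"])
            # A macro-enabled document handing off to a loader shows up as an Office child
            if parent in OFFICE_HOSTS and image != parent:
                alerts.append(("office_child_process", host, f"{parent} -> {image}"))
            # RMM agents are legitimate; flag them for comparison with the approved inventory
            if any(frag in image for frag in RMM_FRAGMENTS):
                alerts.append(("rmm_agent_started", host, image))
        elif ev["event"] == "network_connect" and ev["dst_ip"] in KNOWN_C2:
            alerts.append(("known_c2_connection", host,
                           f"{basename(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts

# Constructed sample events (not real telemetry); JSON escapes the path backslashes
SAMPLE_LOG = r"""
{"host":"ws-01","event":"process_create","parent_image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws-01","event":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"host":"ws-01","event":"network_connect","image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","dst_ip":"159.198.36.115","dst_port":443}
{"host":"ws-02","event":"network_connect","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","dst_ip":"203.0.113.10","dst_port":443}
{"host":"srv-01","event":"process_create","parent_image":"C:\\Windows\\System32\\services.exe","image":"C:\\Program Files\\Action1\\action1_agent.exe"}
"""

def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    events = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return analyze(events)

if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"[{rule}] {host}: {detail}")
```

The `rmm_agent_started` hit is informational: the same event on a host where Action1 is approved is benign, so the rule is only useful alongside an inventory of sanctioned RMM deployments.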