"MuddyWater APT Group Is Back With Updated TTPs"

Deep Instinct's Threat Research team discovered a new campaign carried out by the MuddyWater Advanced Persistent Threat (APT) group, also tracked as SeedWorm, TEMP.Zagros, and Static Kitten. The campaign has targeted Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates, and it introduces updated tactics, techniques, and procedures (TTPs). The first MuddyWater campaign, which targeted entities in the Middle East, was observed in late 2017; since then the group has steadily added new techniques to its arsenal and has also targeted European and North American countries. In January 2022, US Cyber Command (USCYBERCOM) officially attributed the MuddyWater APT group to Iran's Ministry of Intelligence and Security (MOIS).

The campaign Deep Instinct observed began in September 2022 and differs from previous ones in that it deploys a remote administration tool called "Syncro," a legitimate commercial remote monitoring and management (RMM) product, rather than a custom implant. MuddyWater is not the only threat actor abusing Syncro; it has also been used in BatLoader and Luna Moth campaigns. The lure is an HTML attachment, and the archives containing the remote administration tool installers are hosted with third-party file-hosting providers rather than on attacker-controlled infrastructure. HTML attachments typically reach recipients because they carry no executable payload of their own, so antivirus and email security gateways that block executables and archives generally let them through; the attachment's only role is to lead the victim to the hosted archive.

In July, the same threat actors were seen using the ScreenConnect remote administration tool, delivered via an installer named "promotion.msi." The installers used in the current campaign were also given the name "promotion.msi," a reuse that defenders can use to hunt for related activity. This article continues to discuss the Iran-linked MuddyWater APT targeting countries in the Middle East as well as Central and West Asia in a new campaign.

Security Affairs reports "MuddyWater APT Group Is Back With Updated TTPs"