Threat Intelligence

Middle East, North Africa subjected to MuddyWater cyberespionage campaign

Iran Flag Digital Binary Code Cyberpunk Technology Concept

Organizations in the Middle East and North Africa region, including more than 100 government institutions, have been compromised by Iranian state-backed threat group MuddyWater with the Phoenix backdoor as part of a cyberespionage campaign, reports The Hacker News.

MuddyWater, also known as Mango Sandstorm, Static Kitten, and TA450, exploited NordVPN and a breached email account to distribute phishing emails containing malicious Microsoft Word attachments, according to a Group-IB analysis.

Activating macros to view the attachments' content prompts the execution of an illicit Visual Basic for Application code that writes to disk a FakeUpdate loader, which delivers the Phoenix version 4 backdoor.

Researchers also discovered that MuddyWater had a command-and-control server hosting remote monitoring and management tools, as well as credential-stealing malware aimed at multiple web browsers.

Such findings showed that MuddyWater "demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence," researchers added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds