2025-10-23
Threat Intelligence

Middle East, North Africa subjected to MuddyWater cyberespionage campaign

Organizations across the Middle East and North Africa, including more than 100 government institutions, have been compromised with the Phoenix backdoor in a cyberespionage campaign attributed to the Iranian state-backed threat group MuddyWater, reports The Hacker News. According to a Group-IB analysis, MuddyWater, also tracked as Mango Sandstorm, Static Kitten, and TA450, used NordVPN together with a compromised email account to send phishing emails carrying malicious Microsoft Word attachments. When a recipient enables macros to view the attachment's content, embedded Visual Basic for Applications (VBA) code drops a FakeUpdate loader to disk, which in turn deploys version 4 of the Phoenix backdoor. Researchers also found a MuddyWater command-and-control server hosting remote monitoring and management tools alongside credential-stealing malware targeting multiple web browsers. These findings showed that MuddyWater "demonstrated an enhanced ability to integrate custom code with commercial tools for improved stealth and persistence," the researchers added.
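The initial access step above depends on the victim enabling macros in a Word attachment, so the practical control is to flag macro-bearing Word files at the mail gateway before they reach an inbox. The following is an added illustration written for this page, not code from Group-IB or from the report; it inspects an attachment's structure rather than its extension (a .docm renamed to .docx is still caught), and routes legacy binary .doc files, which can carry macros without a separable VBA part, to deeper inspection. The minimal archives it builds are constructed test data, not real lures.

```python
import io
import zipfile

# Markers an OOXML Word archive carries when it embeds a VBA project.
VBA_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Magic bytes of the legacy OLE2 compound file format used by binary .doc files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_word_attachment(data: bytes) -> dict:
    """Report whether a Word attachment can carry VBA macros.

    Decides from the bytes, not the file name: OOXML archives are opened and
    checked for a vbaProject.bin part and for the macro-enabled content type;
    legacy OLE2 documents are flagged for deeper analysis because their macro
    storage is not a separable ZIP member.
    """
    report = {
        "is_ooxml": False,
        "is_legacy_ole": data.startswith(OLE2_MAGIC),
        "has_vba_part": False,
        "macro_content_type": False,
    }
    if report["is_legacy_ole"]:
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        names = set(zf.namelist())
        report["is_ooxml"] = "[Content_Types].xml" in names
        report["has_vba_part"] = VBA_PART in names
        if report["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_content_type"] = MACRO_CONTENT_TYPE in ctypes
    return report


def verdict(data: bytes) -> str:
    """Gateway decision: 'block' for OOXML with VBA, 'inspect' for legacy OLE2
    (hand to a macro extractor such as olevba), otherwise 'allow'."""
    r = inspect_word_attachment(data)
    if r["has_vba_part"] or r["macro_content_type"]:
        return "block"
    if r["is_legacy_ole"]:
        return "inspect"
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word archive in memory (constructed test data)."""
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream; not real macro code.
            zf.writestr(VBA_PART, b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (
        ("macro-enabled docm", build_sample(True)),
        ("plain docx", build_sample(False)),
        ("legacy .doc", OLE2_MAGIC + b"\x00" * 64),
        ("not a document", b"hello"),
    ):
        print(f"{label}: {verdict(sample)}")
```

The content-type check matters because Word decides whether a document is macro-enabled from [Content_Types].xml, so a lure can be renamed to .docx and still prompt for macros; checking only for vbaProject.bin would miss a document whose macro part was stored under a nonstandard name and declared via that manifest, and vice versa, which is why both signals are combined.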

