SYMBOLCOMMON_NAMEaka. SYNONYMS

MuddyWater  (Back to overview)

aka: TEMP.Zagros, Static Kitten, Seedworm, MERCURY, COBALT ULSTER

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Associated Families
apk.mudwater ps1.powerstats win.sharpstats win.moriagent ps1.powgoop win.covicli

References
2020-10-15ClearSkyClearSky
@techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations
PowGoop Covicli
2020-09-04Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
PowGoop Hakbit
2020-07-05paloalto LIVEcommunityMohammed Yasin
@online{yasin:20200705:how:a3796cd, author = {Mohammed Yasin}, title = {{How to stop MortiAgent Malware using the snort rule?}}, date = {2020-07-05}, organization = {paloalto LIVEcommunity}, url = {https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#}, language = {English}, urldate = {2020-08-18} } How to stop MortiAgent Malware using the snort rule?
MoriAgent
2020-06-17Twitter (@Timele9527)Timele12138
@online{timele12138:20200617:moriagent:a4986d2, author = {Timele12138}, title = {{Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)}}, date = {2020-06-17}, organization = {Twitter (@Timele9527)}, url = {https://twitter.com/Timele9527/status/1272776776335233024}, language = {English}, urldate = {2020-06-18} } Tweet on MoriAgent uesd by MuddyWater (incl YARA rule)
MoriAgent
2020-01-15Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20200115:iranian:d37840a, author = {Marco Ramilli}, title = {{Iranian Threat Actors: Preliminary Analysis}}, date = {2020-01-15}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/}, language = {English}, urldate = {2020-01-17} } Iranian Threat Actors: Preliminary Analysis
POWERSTATS
2020-01-07PrevailionDanny Adamitis
@online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } Summer Mirage
POWERSTATS
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-06-10Trend MicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20190610:new:4f86b75, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More}}, date = {2019-06-10}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf}, language = {English}, urldate = {2020-01-08} } New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors, New Post-Exploitation Tools, Android Malware, and More
Mudwater SHARPSTATS
2019-06-10Trend MicroDaniel Lunghi, Jaromír Hořejší
@online{lunghi:20190610:muddywater:b87a78a, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools}}, date = {2019-06-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/}, language = {English}, urldate = {2019-11-27} } MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
POWERSTATS
2019-05-20CiscoDanny Adamitis, David Maynor, Kendall McKay
@online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
MuddyWater
2019-05-09ZDNetCatalin Cimpanu
@online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web
MuddyWater
2019-04-15ClearSkyClearSky Research Team
@online{team:20190415:iranian:5a7f4ff, author = {ClearSky Research Team}, title = {{Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey}}, date = {2019-04-15}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/}, language = {English}, urldate = {2020-01-07} } Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
POWERSTATS MuddyWater
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:muddywater:1c29dc0, author = {Cyber Operations Tracker}, title = {{MuddyWater}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/muddywater}, language = {English}, urldate = {2019-12-20} } MuddyWater
MuddyWater
2019MITREMITRE ATT&CK
@online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } Group description: MuddyWater
MuddyWater
2018-12-10SymantecSymantec DeepSight Adversary Intelligence Team
@online{team:20181210:seedworm:d6dba3c, author = {Symantec DeepSight Adversary Intelligence Team}, title = {{Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms}}, date = {2018-12-10}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group}, language = {English}, urldate = {2019-11-17} } Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
MuddyWater
2018-11-28ClearSkyClearSky Research Team
@online{team:20181128:muddywater:89a520f, author = {ClearSky Research Team}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11-28}, organization = {ClearSky}, url = {https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/}, language = {English}, urldate = {2019-07-09} } MuddyWater Operations in Lebanon and Oman
POWERSTATS
2018-11ClearSkyClearSky Cyber Security
@techreport{security:201811:muddywater:d68be0b, author = {ClearSky Cyber Security}, title = {{MuddyWater Operations in Lebanon and Oman}}, date = {2018-11}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf}, language = {English}, urldate = {2020-01-08} } MuddyWater Operations in Lebanon and Oman
MuddyWater
2018-10-10Kaspersky LabsGReAT
@online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } MuddyWater expands operations
MuddyWater
2018-06-14Trend MicroMichael Villanueva, Martin Co
@online{villanueva:20180614:another:80ffc5f, author = {Michael Villanueva and Martin Co}, title = {{Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor}}, date = {2018-06-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/}, language = {English}, urldate = {2020-01-12} } Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
MuddyWater
2018-03-13FireEyeSudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe, Ben Read
@online{singh:20180313:iranian:3542dc9, author = {Sudeep Singh and Dileep Kumar Jallepalli and Yogesh Londhe and Ben Read}, title = {{Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign}}, date = {2018-03-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
POWERSTATS MuddyWater
2018-03-12Trend MicroJaromír Hořejší
@online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
POWERSTATS MuddyWater
2017-11-22ReaqtaReaqta
@online{reaqta:20171122:dive:5c67031, author = {Reaqta}, title = {{A dive into MuddyWater APT targeting Middle-East}}, date = {2017-11-22}, organization = {Reaqta}, url = {https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/}, language = {English}, urldate = {2020-01-08} } A dive into MuddyWater APT targeting Middle-East
POWERSTATS
2017-11-14Palo Alto Networks Unit 42Tom Lancaster
@online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} } Muddying the Water: Targeted Attacks in the Middle East
POWERSTATS MuddyWater
2017-09-26MalwarebytesMalwarebytes Labs
@online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} } Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
POWERSTATS

Credits: MISP Project