The Iranian state-sponsored group MuddyWater is behind a new cyber espionage campaign that has targeted more than 100 organizations across the Middle East and North Africa (MENA), according to a recent Group-IB report. The operators used a compromised email account to distribute a backdoor called Phoenix, which gives them a foothold for intelligence collection on high-value targets.
Most of the targets are embassies, diplomatic missions, foreign affairs ministries, and consulates, reflecting the campaign's focus on international relations and sensitive government functions. Telecommunications firms and international organizations also appear on the target list.
Group-IB researchers Mahmoud Zohdy and Mansour Alhmoud noted that MuddyWater connected to the compromised mailbox through NordVPN and sent the phishing emails from it, so the messages arrived from a genuine, established account and inherited the trust recipients place in mail from a known sender. That made it far more likely that recipients would open the malicious attachments.
The attack uses weaponized Microsoft Word documents that prompt the recipient to enable macros in order to view the content. Because current Office builds block macros by default in files that carry the mark of the web, the lure depends on the user clicking through that warning. Once macros are enabled, the embedded Visual Basic for Applications (VBA) code runs and drops a loader named FakeUpdate, which decrypts the AES-encrypted Phoenix payload and installs it on the host.
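The first question a responder asks about a lure like this is whether the attachment carries a VBA project at all, and whether that project wires itself to an auto-execute trigger such as AutoOpen or Document_Open, which fires the moment the user enables macros. The script below is an added example, not code from Group-IB or from the campaign. It statically inspects an OOXML package (a .docx or .docm is a zip) for the macro-enabled content type, a word/vbaProject.bin part, and auto-execute procedure names. The sample packages it builds are constructed for the demo, and the vbaProject.bin inside them is a placeholder (OLE magic plus a plain-text trigger name) rather than a real compiled VBA project.

```python
"""Static triage of an OOXML (.docx/.docm) package for a VBA project.

Added example, not Group-IB's or the campaign's code. Checks: macro-enabled
content type, a word/vbaProject.bin part, and auto-execute trigger names.
"""
import io
import zipfile

# Content types Word uses for macro-enabled documents and templates.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
)
DOCX_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Procedure names Word runs as soon as macros are enabled, without a click.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec", b"AutoNew", b"Document_New")


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package given as bytes and return the findings.

    Heuristic only: a real vbaProject.bin is an OLE compound file whose module
    source is MS-OVBA compressed, so a raw byte search can miss a trigger name
    split across compressed tokens. Use oletools' olevba on a live sample.
    """
    findings = {
        "is_ooxml": False,
        "macro_content_type": False,
        "has_vba_project": False,
        "auto_exec_names": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return findings
            findings["is_ooxml"] = True
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_content_type"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            findings["has_vba_project"] = bool(vba_parts)
            for part in vba_parts:
                blob = zf.read(part)
                for name in AUTO_EXEC_NAMES:
                    text = name.decode("ascii")
                    if name in blob and text not in findings["auto_exec_names"]:
                        findings["auto_exec_names"].append(text)
    except zipfile.BadZipFile:
        pass  # not a zip container at all: is_ooxml stays False
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into a label a triage queue can sort on."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["has_vba_project"] and findings["auto_exec_names"]:
        return "macro-autoexec"
    if findings["has_vba_project"] or findings["macro_content_type"]:
        return "macro-present"
    return "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed package for the demo (not a real campaign file).

    The vbaProject.bin here is a placeholder: OLE magic followed by a
    plain-text trigger name, enough to exercise the byte-search heuristic.
    """
    main_type = MACRO_CONTENT_TYPES[0] if with_macro else DOCX_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Document_Open")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample(True)),
                        ("clean", build_sample(False)),
                        ("junk", b"not a zip")):
        print(label, verdict(triage_ooxml(blob)))
```

Two of the verdicts matter in practice: "macro-autoexec" is the profile of a document that needs only an "Enable Content" click to run its loader, and "macro-present" without a macro-enabled content type means a .docx-labelled file is quietly shipping a VBA project, which is itself a reason to detonate it in a sandbox rather than on a workstation.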
MuddyWater, also tracked as Boggy Serpens and Cobalt Ulster among other aliases, is assessed to be linked to Iran's Ministry of Intelligence and Security (MOIS) and has been active since at least 2017. Phoenix, the backdoor used in this campaign, is a lightweight implant that evolved from the group's earlier BugSleep malware.
Group-IB also found that the command-and-control (C2) servers used in the campaign host legitimate remote monitoring and management (RMM) tools and a bespoke credential stealer targeting Chromium-based browsers, including Brave, Chrome, Edge, and Opera. Mixing custom malware with commercial administration tools gives the operators persistence while letting their remote access blend in with legitimate traffic.
The researchers concluded that this combination of updated malware variants, credential-stealing utilities, and legitimate remote access tools marks a significant evolution in MuddyWater's operational capabilities.