#1254713: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey

Description: In our ongoing investigations of Iranian APTs, we recently detected additional documents related to attack infrastructure previously used by the Iranian APT – “MuddyWater”, which we reported on in late November 2018.

As a reminder, we identified two domains that were hacked by the group and used to host the code of POWERSTATS, a malware associated with the group. For additional information on the attack see item – “MuddyWater Operations in Lebanon and Oman”.

However, unlike the previous vector, this time we did not identify any compromised servers used to host the malware’s code. Instead, the lure document already contains the malicious code. We also detected five additional files that operate in a similar manner to the aforementioned document; but unlike that file, these do not have any content.

We believe (with medium certainty) that this is due to the attackers testing the malicious document to see if it is detected by various anti-virus engines.

Most of the targets in this wave of attacks are part of Kurdish groups (such as “Komala” – a Kurdish-Iranian party in Iraq), as well as various organizations in Turkey affiliated with the Turkish army and defense sector.
Attack Vector

The initial infection vector is via emails with a malicious Word document attached. Below are screen-captures of the document sent to the Kurdish party:

Note that the document is “blurred” and contains the official logo of the Kurdistan Regional Government:
Technical Analysis
The file used to target the Kurdish party

As seen, the lure document contains a blurred image that impersonates an official document of the Kurdistan Regional Government. The target is then prompted to Enable Editing or Enable Content, supposedly to view the content. However, this in fact executes an embedded malicious Macro command.

This Macro is named Gladiator_CRK. The attacker also used this handle for the Author name in the document’s OLE details:

When investigating this name, we identified several documents that behave similarly to the above document; however, most have no content. It is likely that these files were uploaded to VirusTotal with minor changes to test whether they are detected by the various anti-virus engines.

It should be noted that all of the content-less files were uploaded from Germany, while the malicious lure document was uploaded from Iraq. This further corroborates our assessment that the content-less files were uploaded for test purposes.

Similarly to previous attacks by the group, this Macro uses an embedded COM object that runs Microsoft Excel and concurrently executes various commands. Post execution, the malicious Macro edits certain Registry values so that the malicious code continues operating even after the compromised system is rebooted, thus ensuring persistence.

Moreover, in a similar fashion to previous attacks, two files are created within the Temp folder.

These files contain segments of the malicious code used to extract the POWERSTATS malware.

As seen above, the PowerShell uses Windows Script Host (WScript executable) to decode VBE code from the first image file (icon.ico). This code executes a JavaScript embedded in the second image file (picture.jpg), which is encoded in base64:

This method is different from previous attacks, in which the malware was downloaded from a C2 server. In this attack, however, we did not detect any such request, and the malware was extracted from the dropper file.

Below is a screen-capture of files with different content.

In this attack vector we found that after the target enables the execution of the Macro, an encrypted txt file named Win32ApiSyncLog.txt is created. This file contains a base64-encoded backdoor that downloads the malware from the following URL: 94.23.148[.]194/serverscrpit/clientFroneLine/helloServer[.]php.

Furthermore, a batch file named Win32ApiSync.bat is created, which contains the script in charge of running the aforementioned code.

This script creates a scheduled task (schtasks) that creates, reads and extracts the Win32ApiSync file every hour.

However, unlike the first document, despite the “enable content” prompt, this document does not contain any malicious Macros.

This may explain why, unlike the other file, no PowerShell was installed on the computer via an Excel process. From the OLE details it seems that the file was recently edited by an individual named “Babak Amiri”.

When searching for additional files by this author we detected several documents, but they too did not contain any Macros.
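
Detection logic for the host artifacts described above (the image-named files in Temp, the Win32ApiSync files and their scheduled task, PowerShell started from an Excel process, and the listed address), added here as an example and not part of the ClearSky report. The event schema, rule names, paths and sample events are constructed assumptions; only the file names and the address come from the report.

```python
import re

# Names and C2 address are from the report; event schema and samples are constructed.
DROPPED = {"win32apisynclog.txt", "win32apisync.bat"}
STAGED_IMAGES = {"icon.ico", "picture.jpg"}
C2 = "94.23.148[.]194".replace("[.]", ".")  # refang the report's defanged address
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(ev):
    """Return the names of the rules that one event matches."""
    hits = []
    if ev["type"] == "file_create":
        name = basename(ev["path"])
        if name in DROPPED:
            hits.append("win32apisync_file_dropped")
        if name in STAGED_IMAGES and "\\temp\\" in ev["path"].lower():
            hits.append("image_named_file_in_temp")
    elif ev["type"] == "process_create":
        image, cmd = basename(ev["image"]), ev["cmdline"].lower()
        if basename(ev["parent"]) == "excel.exe" and image in SCRIPT_HOSTS:
            hits.append("excel_spawned_script_host")
        if image == "schtasks.exe" and "/create" in cmd and "win32apisync" in cmd:
            hits.append("win32apisync_scheduled_task")
    elif ev["type"] == "net_connect" and ev["dest"] == C2:
        hits.append("report_c2_contacted")
    return hits

def triage(events):
    """Group matched rule names per host so correlated hits stand out."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}

T = r"C:\Users\u\AppData\Local\Temp"  # constructed path
SAMPLE = [  # constructed events, not taken from the report
    {"host": "ws1", "type": "file_create", "path": T + r"\icon.ico"},
    {"host": "ws1", "type": "process_create", "parent": r"C:\Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\powershell.exe", "cmdline": "powershell.exe"},
    {"host": "ws2", "type": "file_create", "path": T + r"\Win32ApiSync.bat"},
    {"host": "ws2", "type": "process_create", "parent": "cmd.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /create /sc hourly /tn Win32ApiSync"},
    {"host": "ws2", "type": "net_connect", "dest": "94.23.148.194"},
]
print(triage(SAMPLE))
```

A host matching several rules at once is a stronger signal than any single hit, since file names such as icon.ico are common on their own.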
First Aid: IOCs:

5c6148619abb10bb3789dcfb32f759a6 a3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981
More info: https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

Date added April 15, 2019, 9:14 p.m.
Source ClearskySec
  • Iran - MuddyWater / MuddyWaters / Muddy Waters / PowerStats APT / TEMP.Zagros / PRB-Backdoor / Seedworm / BlackWater / sewage / T-APT-14
Country Iran