    MuddyWater Targets Orgs With Fresh Malware Amid Rising Tensions

By admin, February 23, 2026

    As the US prepares for a possible military strike against Iran, the nation-state threat group MuddyWater is wasting no time ramping up its cyber offensive against organizations in the Middle East and Africa region with an emerging attack campaign delivering several new strains of custom malware.

    The campaign, dubbed Operation Olalampo, starts with the group’s typical entry tactic — spear-phishing emails — and ends with the deployment of one of several strains of never-before-seen second-stage loader and backdoor malware, according to a report by Group-IB published Friday. 

    Olalampo “targeted multiple organizations and individuals primarily across the MENA region, aligning with the ongoing geopolitical tensions,” according to the blog post. There also is evidence that MuddyWater, which is tied to Iran’s Ministry of Intelligence and Security (MOIS), deviated from its typical entry tactic and also tried to exploit flaws in public-facing servers as part of the activity, which the researchers first discovered on Jan. 26.

    One of the new malware strains, the Char backdoor, used a Telegram bot as a command-and-control (C2) channel, which gave researchers “valuable insight into MuddyWater’s post-exploitation activity,” according to the report. This insight showed that the infrastructure in the campaign was reused, one of the hallmarks of MuddyWater that contributed to the researchers identifying the perpetrator.

    Moreover, as is the case with a number of recent threat campaigns, Olalampo showed signs of artificial intelligence (AI)-assisted development in the malware, demonstrating that this is likely to be the norm and not the exception going forward, according to Group-IB.

    Delivery of AI-Developed Malware

    Attacks in the campaign started typically for MuddyWater — with a targeted spear-phishing email, this time employing one of various Microsoft documents with malicious macros that decode the payload, drop it into a system, and execute it. Ultimately, the malware dropped by the campaign gave MuddyWater control of the victim’s system. 

    The advanced persistent threat (APT) group used three attack-sequence variations against different targets. The first was a malicious Microsoft Excel document mimicking an energy and marine services company in the Middle East, likely targeting either contractors of the organization or the organization itself. 

That attack sequence ultimately led to the deployment of the Char backdoor, a Rust-based backdoor controlled by a Telegram bot, according to Group-IB. The use of Telegram in this way by the group signifies a tactical shift for MuddyWater, according to researchers.

    Char also showed signs of AI-enhanced development in one of its command handlers, with the identification of “debug strings containing emojis — a trait rarely seen in human-authored code,” according to the report. 

    “We observed four instances of this anomaly, suggesting that the adversary likely used an AI model to generate specific code segments and failed to sanitize the debug strings before compilation; this can also be seen in the command-and-control logs from the Telegram bot,” according to Group-IB.
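The emoji-laden debug strings described above are a cheap triage signal. As an added illustration (not Group-IB's code, rules or samples), the following Python script extracts UTF-8 strings from a binary and reports those containing an emoji code point; the sample blob is constructed here so the script runs offline.

```python
"""Triage heuristic: flag emoji-bearing strings in a binary.

Added example, not Group-IB's tooling. Group-IB attributed emoji debug strings
in the Char backdoor to unsanitised AI-generated code; this script surfaces
such strings for an analyst to review. Heuristic only: emoji also appear in
legitimate software, so treat hits as a prompt to look, not as a verdict.
"""
import re
import sys

# Rough emoji ranges: Misc Symbols/Dingbats plus the main pictograph planes.
# Not a spec-complete emoji matcher; widen or narrow as needed.
EMOJI_RE = re.compile("[\u2600-\u27BF\U0001F300-\U0001FAFF]")

# Runs of at least 6 printable ASCII or well-formed UTF-8 multibyte characters.
STRING_RE = re.compile(
    rb"(?:[\x20-\x7e]"
    rb"|[\xc2-\xdf][\x80-\xbf]"
    rb"|[\xe0-\xef][\x80-\xbf]{2}"
    rb"|[\xf0-\xf4][\x80-\xbf]{3}){6,}"
)


def extract_strings(blob: bytes) -> list[str]:
    """Return printable strings found in raw bytes, decoded as UTF-8."""
    out = []
    for m in STRING_RE.finditer(blob):
        try:
            out.append(m.group().decode("utf-8"))
        except UnicodeDecodeError:  # surrogates/overlongs slip past the regex
            continue
    return out


def find_emoji_strings(blob: bytes) -> list[str]:
    """Strings from `blob` that contain at least one emoji code point."""
    return [s for s in extract_strings(blob) if EMOJI_RE.search(s)]


# Constructed stand-in for a binary: one ordinary string and two emoji debug
# strings of the kind the report describes (invented, not real sample data).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"Usage: run --help\x00"
    + "\u2705 command executed successfully\x00".encode()
    + b"\x00\x01\x02"
    + "\U0001F680 starting handler for cmd\x00".encode()
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s in find_emoji_strings(data):
        print(repr(s))
```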

    Other MuddyWater Attack Variants

    Another attack variant of Olalampo used a similar document lure to the previous one, but instead of dropping Char, it deployed the GhostFetch downloader. The loader subsequently downloaded the novel GhostBackDoor, an advanced backdoor that adapts its installation based on the environment’s privileges.

The third attack variant uses a Microsoft Word document employing multiple themes, such as flight tickets and reports, targeting “individuals of interest and system integrator companies in the Middle East,” according to Group-IB. This variant leads to the deployment of a new custom downloader called HTTP_VIP, which then deploys AnyDesk remote monitoring and management (RMM) software to take over the targeted system.

“The HTTP_VIP malware is a native downloader that serves as a bridge for further exploitation,” according to the post. The malware has a “highly selective” execution flow: it performs system reconnaissance, checks whether the host belongs to a specific hard-coded domain and terminates if it does, and then authenticates to its C2.

    MuddyWater Tightens Its Game

MuddyWater — also known as TA450, Helix Kitten, Seedworm, and other names — is one of Iran’s most active and notorious APTs, with roots that stretch as far back as 2017. In its latest attacks, it appears to be tightening its tactics, which used to be somewhat clumsy despite its role as a longtime, prolific threat.

    Indeed, MuddyWater has been steadily evolving its activities since it first emerged. Late last year, the group demonstrated stealthier stagecraft that included the use of memory-only loaders, custom backdoors, and techniques designed for defense evasion and persistence. At the time, researchers from ESET said the upgrades marked a significant evolution in the group’s capabilities and a departure from its historically noisier operational style.

    “The group’s continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified C2 infrastructures, underscores their dedication and intent to expand their operations,” according to Group-IB.

    Defenders can strengthen their position against MuddyWater by using the indicators of compromise (IoCs), YARA rules, and EDR rules set out in Group-IB’s report to monitor for group activity. The company also recommended that organizations enhance email and phishing defenses, implement endpoint and access controls, strengthen network and infrastructure security, and create strategic long-term defense measures to reduce risk of compromise. 
