To better enable defense against malicious cyber actors, U.S. Cyber Command’s Cyber National Mission Force has identified and disclosed multiple open source tools that Iranian intelligence actors are using in networks around the world.
These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks.
MuddyWater is an Iranian threat group. Industry has previously reported that MuddyWater primarily targets Middle Eastern nations and has also targeted European and North American nations.
MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
Should a network operator identify several of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors.
Below are some technical aspects of how the threat actor could be leveraging malware in networks.
These include side-loading DLLs to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command-and-control functions. New samples showing the different parts of this suite of tools have been posted to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure.