MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors
Briefly

""The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion," CloudSEK researcher Prajwal Awasthi said in a report published this week. The latest development reflects continued evolution of MuddyWater's tradecraft, which has gradually but steadily reduced its reliance on legitimate remote access software as a post-exploitation tool in favor of a diverse malware arsenal comprising tools like Phoenix, UDPGangster, BugSleep (aka MuddyRot), and MuddyViper."
"Attack chains distributing RustyWater are fairly straightforward: spear-phishing emails masquerading as cybersecurity guidelines come attached with a Microsoft Word document that, when opened, instructs the victim to "Enable content" so as to activate the execution of a malicious VBA macro that's responsible for deploying the Rust implant binary. Also referred to as Archer RAT and RUSTRIC, RustyWater gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server ("nomercys.it[.]com")."
MuddyWater, an Iranian-affiliated threat actor active since at least 2017, targets diplomatic, maritime, financial, and telecom organizations across the Middle East. The campaign employs spear-phishing emails with icon-spoofed Microsoft Word documents that prompt victims to enable macros, deploying a Rust-based implant called RustyWater (RUSTRIC/Archer RAT). RustyWater performs asynchronous C2, anti-analysis checks, gathers system and security-product information, establishes persistence via a Windows Registry key, and contacts a C2 server at nomercys.it[.]com for file and command operations. MuddyWater has shifted from legitimate remote-access tools toward a diverse malware toolkit including Phoenix, UDPGangster, BugSleep, and MuddyViper.
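The attack chain above gives a defender three observable steps: a Word process spawning the implant after "Enable content", the implant writing a Registry persistence value, and the implant resolving the C2 domain. The following hunting script is an added example written for this page, not code from CloudSEK or The Hacker News. It runs three rules over constructed Sysmon-style events (dicts standing in for event IDs 1, 13 and 22). The only indicator taken from the page is the C2 domain; the Run/RunOnce key, the path `C:\Users\victim\AppData\Roaming\implant.exe`, the value name `Updater` and every event in `SAMPLE_EVENTS` are assumptions made to illustrate the logic, since the report excerpt does not name the exact Registry key or the dropped file.

```python
"""Hunting rules for the RustyWater chain described on the page: Word macro
spawns the implant, implant writes a Registry persistence value, implant
resolves the C2 domain. Events below are constructed Sysmon-like dicts,
not real telemetry (added example, not the report's own code)."""

import re

# C2 domain quoted on the page (defanged there as nomercys.it[.]com).
C2_DOMAIN = "nomercys.it.com"

# Office hosts whose child processes deserve scrutiny after "Enable content".
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# ASSUMPTION: the page only says "a Windows Registry key"; a Run/RunOnce value
# is the usual choice, so the rule looks for that. Adjust if the real key differs.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawn(ev: dict):
    """EID 1 style: an Office parent launching a non-Office child."""
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    if parent in OFFICE_HOSTS and child not in OFFICE_HOSTS:
        return f"office_spawn: {parent} -> {child}"
    return None


def run_key_persistence(ev: dict):
    """EID 13 style: a value written under a Run/RunOnce key."""
    target = ev.get("TargetObject", "")
    if RUN_KEY_RE.search(target):
        return f"run_key_persistence: {_basename(ev.get('Image', ''))} set {target}"
    return None


def c2_dns(ev: dict):
    """EID 22 style: a query for the C2 domain or any subdomain of it."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
        return f"c2_dns: {_basename(ev.get('Image', ''))} resolved {q}"
    return None


RULES = {"process": office_spawn, "registry": run_key_persistence, "dns": c2_dns}


def triage(events):
    """Run each event through the rule for its type; return the hit strings in order."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("type"))
        if rule:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events: hypothetical paths, file and value names, not real artifacts.
SAMPLE_EVENTS = [
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\victim\AppData\Roaming\implant.exe"},
    {"type": "registry", "Image": r"C:\Users\victim\AppData\Roaming\implant.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"type": "dns", "Image": r"C:\Users\victim\AppData\Roaming\implant.exe",
     "QueryName": "nomercys.it.com"},
    {"type": "dns", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample the script fires once per stage (the Word-to-implant spawn, the Run value, the C2 lookup) and stays quiet on the benign explorer, Registry and svchost events. In production the `office_spawn` rule needs an allow-list for legitimate Office children such as print helpers, and the domain rule should be extended to the hashes and paths the full CloudSEK report provides rather than the single domain quoted here.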
Read at The Hacker News