Iranian threat actor group Muddy Water has been very active in the last few months. In February, CISA issued an alert warning that the group was conducting a campaign targeting global government and commercial networks. Earlier this month, Cisco’s Talos Intelligence published a blog post on Muddy Water activity targeting Turkey and other countries.
Who is Muddy Water?
Muddy Water, also known as Static Kitten, is an Iranian threat actor group active since at least 2017. The group has historically targeted entities in the Middle East but has been known to target other regions as well. Muddy Water primarily conducts espionage campaigns but has also been known to engage in intellectual property theft and ransomware attacks. US Cyber Command has linked the group’s activities to Iran’s Ministry of Intelligence and Security (MOIS). Cisco assessed that Muddy Water is a conglomerate of multiple teams operating independently. Muddy Water TTPs and tooling include social engineering, spearphishing, maldocs, LoLBins, Small Sieve, PowGoop, the Mori backdoor, the Covicli backdoor, Canopy/SloughRAT, Empire, the Powerstats/Powermud backdoor, and others. Cisco calls them “extremely motivated and persistent.”
What is SloughRAT?
Cisco said a Muddy Water campaign in January targeted Turkish entities using maldocs and executable-based infection chains. In a more recently observed campaign, Cisco saw Muddy Water targeting Turkey and countries in the Arabian peninsula with maldocs delivering a Windows Script File (WSF) based RAT, dubbed SloughRAT. SloughRAT is referred to as Canopy in the CISA alert referenced above.
PolySwarm has multiple samples of malware associated with recent Muddy Water activity. Below is a selection of IOCs for those samples.
You can use the following CLI command to search for all Muddy Water samples in our portal:
$ polyswarm link list -f MuddyWater