MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), have been using compromised corporate email accounts to deliver phishing messages to their targets. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor.
Looking into the issues surrounding these attacks for Digital Journal is Joe Gallop, Cyber Threat Intelligence Manager at Cofense.
Gallop begins by looking at the attack vector and the implications: “Spear-phishing continues to be the intrusion vector of choice for many advanced threat groups, and although users may often not see themselves as important targets, they can easily become a stepping stone toward the real target.”
Spear-phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. It is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim.
Gallop continues with the attack operandi: “Advanced persistent threat actors are definitely persistent in more ways than one, and will often expend significant effort in open-source research to identify an important target’s social and professional network.”
Furthermore, finds Gallop: “If they can compromise just one email account belonging to someone in that network, they are able to abuse established trust by sending phishing emails from that account to the final target or to other “stepping stones,” as reportedly done in the MuddyWater campaign against Egyptian hosting companies.”
So-termed ‘HTML smuggling’ has been used for some time to deliver malware because it enables threat actors to hide malicious files inside of innocuous-looking HTML attachments.
It remains important that companies view and react to the information. Gallop recommends: “It is important for security teams to train all users to recognize these and other ways in which threat actors make use of HTML attachments in phishing, or risk missing an evasive and successful form of phishing.”