Connect with us

Hi, what are you looking for?

Tech & Science

Unclear data patterns? New risks from the MuddyWater hackers revealed

The use of HTML attachments is not new, but Cofense Intelligence has observed some notable spikes in HTML attachment phishing recently.

Photo: Pexels
Photo: Pexels

MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), have been using compromised corporate email accounts to deliver phishing messages to their targets. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor.

Looking into the issues surrounding these attacks for Digital Journal is Joe Gallop, Cyber Threat Intelligence Manager at Cofense.

Gallop begins by looking at the attack vector and the implications: “Spear-phishing continues to be the intrusion vector of choice for many advanced threat groups, and although users may often not see themselves as important targets, they can easily become a stepping stone toward the real target.”

Spear-phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. It is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim.

Gallop continues with the attack operandi: “Advanced persistent threat actors are definitely persistent in more ways than one, and will often expend significant effort in open-source research to identify an important target’s social and professional network.”

Furthermore, finds Gallop: “If they can compromise just one email account belonging to someone in that network, they are able to abuse established trust by sending phishing emails from that account to the final target or to other “stepping stones,” as reportedly done in the MuddyWater campaign against Egyptian hosting companies.”

There are some worrying patterns with the attack approach, says Gallop: “The use of HTML attachments (as seen in this campaign) is not new, but Cofense Intelligence has observed some notable spikes in HTML attachment phishing recently. The use of HTML smuggling legitimate HTML5 and JavaScript capabilities in an HTML attachment to deliver embedded malicious content is done after the file has been opened on the target computer, rather than beforehand, by operators of Qakbot malware, which is our “phishing malware family to watch” for this quarter. HTML attachments are used to harvest credentials without ever sending the victim to a website, by abusing legitimate form-submission services.”

So-termed ‘HTML smuggling’ has been used for some time to deliver malware because it enables threat actors to hide malicious files inside of innocuous-looking HTML attachments.

It remains important that companies view and react to the information. Gallop recommends: “It is important for security teams to train all users to recognize these and other ways in which threat actors make use of HTML attachments in phishing, or risk missing an evasive and successful form of phishing.”

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:


Asian markets mostly fell Friday as traders struggled to build on Wall Street's positive lead, with hopes for a June interest rate cut fading.

Tech & Science

Who knows, some might respect your individuality sometime.


A handful of trucks arrived on the Thai side from Myanmar over the "2nd Friendship Bridge", according to AFP reporters - Copyright AFP MANAN...

Tech & Science

Massive overseas and domestic investments offer Japan a chance to reclaim its tech crown.