Unclear data patterns? New risks from the MuddyWater hackers revealed

The use of HTML attachments is not new, but Cofense Intelligence has observed some notable spikes in HTML attachment phishing recently.

Photo: Pexels

MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), have been using compromised corporate email accounts to deliver phishing messages to their targets. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor.

Looking into the issues surrounding these attacks for Digital Journal is Joe Gallop, Cyber Threat Intelligence Manager at Cofense.

Gallop begins by looking at the attack vector and the implications: “Spear-phishing continues to be the intrusion vector of choice for many advanced threat groups, and although users may often not see themselves as important targets, they can easily become a stepping stone toward the real target.”

Spear-phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. It is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim.

Gallop continues with the attackers' modus operandi: “Advanced persistent threat actors are definitely persistent in more ways than one, and will often expend significant effort in open-source research to identify an important target’s social and professional network.”

Furthermore, finds Gallop: “If they can compromise just one email account belonging to someone in that network, they are able to abuse established trust by sending phishing emails from that account to the final target or to other “stepping stones,” as reportedly done in the MuddyWater campaign against Egyptian hosting companies.”

There are some worrying patterns with the attack approach, says Gallop: “The use of HTML attachments (as seen in this campaign) is not new, but Cofense Intelligence has observed some notable spikes in HTML attachment phishing recently. The use of HTML smuggling (legitimate HTML5 and JavaScript capabilities in an HTML attachment to deliver embedded malicious content after the file has been opened on the target computer, rather than beforehand) is done by operators of Qakbot malware, which is our “phishing malware family to watch” for this quarter. HTML attachments are used to harvest credentials without ever sending the victim to a website, by abusing legitimate form-submission services.”

So-termed ‘HTML smuggling’ has been used for some time to deliver malware because it enables threat actors to hide malicious files inside of innocuous-looking HTML attachments.
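As an added, defender-side illustration (not Cofense's code and not from the article), the following Python triage routine flags the two traits described above in an HTML attachment: client-side decoding and assembly of a file after the attachment is opened, and a form that posts a password field to an external service. The indicator names, regular expressions and the three sample attachments are constructed for this example.

```python
"""Heuristic triage of an HTML email attachment for HTML-smuggling and
credential-form indicators. Added defender-side example, not Cofense code;
indicator patterns and the sample attachments are constructed."""
import re

# Each indicator is a regex describing either client-side assembly of a file
# inside the attachment (smuggling) or a credential form posting off-host.
INDICATORS = {
    "js_base64_decode": re.compile(r"\batob\s*\(", re.I),
    "js_blob_assembly": re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "large_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"),
    "external_form_post": re.compile(r"<form[^>]*action\s*=\s*[\"']https?://", re.I),
    "password_field": re.compile(r"<input[^>]*type\s*=\s*[\"']password[\"']", re.I),
}

# Constructed sample attachments (not real phishing artifacts).
BENIGN_SAMPLE = "<html><body><h1>Invoice 1042</h1><p>Thanks for your order.</p></body></html>"
HARVEST_SAMPLE = (
    '<html><form action="https://forms.example.invalid/submit" method="post">'
    '<input name="user"><input type="password" name="pw"></form></html>'
)
SMUGGLE_SAMPLE = (
    '<html><script>var payload = atob("CONSTRUCTED_PLACEHOLDER");'
    'var blob = new Blob([payload]); var a = document.createElement("a");'
    'a.download = "invoice.zip";</script></html>'
)

SMUGGLING = {"js_base64_decode", "js_blob_assembly", "forced_download", "large_b64_literal"}
HARVESTING = {"external_form_post", "password_field"}

def triage_html_attachment(html: str) -> dict:
    """Return a verdict plus the list of indicator names that matched."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    found = set(hits)
    if len(SMUGGLING & found) >= 2:          # file is assembled after opening
        verdict = "likely_html_smuggling"
    elif HARVESTING <= found:                # password form posting off-host
        verdict = "likely_credential_harvest"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SAMPLE), ("harvest", HARVEST_SAMPLE), ("smuggle", SMUGGLE_SAMPLE)]:
        print(label, triage_html_attachment(doc))
```

The thresholds are deliberately coarse; in a mail gateway the "review" verdict would route the attachment to sandbox detonation rather than block it outright.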

Companies need to take this information on board and act on it. Gallop recommends: “It is important for security teams to train all users to recognize these and other ways in which threat actors make use of HTML attachments in phishing, or risk missing an evasive and successful form of phishing.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
