State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.
The threat actor is also known as Static Kitten, Mercury, and Seedworm, and it typically targets government and private organizations in the Middle East region.
Starting August 19, the hackers launched a phishing campaign from a compromised email account, which they accessed through the NordVPN service.
The emails were sent to numerous government and international organizations in the Middle East and North Africa, cybersecurity company Group-IB says in a report today.
According to the researchers, the threat actor took down the server-side command-and-control (C2) component on August 24, likely marking a new stage of the attack in which other tools and malware were used to gather information from the compromised systems.
Most of the targets of this MuddyWater campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates.
Targets in the latest MuddyWater campaign
Source: Group-IB
Back to macro attacks
Group-IB's research revealed that MuddyWater used emails carrying malicious Word documents whose macro code decoded the FakeUpdate malware loader and wrote it to disk.
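The lure described above is a Word document that carries a VBA project. The following is an added example, not code from the article or from Group-IB, showing the mail-gateway check a defender would run against such attachments: open the OOXML package as a ZIP, look for the embedded VBA project part and the macro-enabled content type, and flag the file regardless of its extension (a `.docm` renamed to `.docx` still carries the part). The two sample packages are constructed inline and stand in for real documents; the page does not disclose the macro code itself, so nothing here models FakeUpdate's decoding logic.

```python
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc header


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package used only as test input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # vbaProject.bin is an OLE compound file; a placeholder body is enough here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Return macro indicators for an attachment, independent of its file extension."""
    result = {
        "is_ooxml": False,
        "is_legacy_ole": data.startswith(OLE_MAGIC),  # legacy .doc needs oletools to go deeper
        "has_vba_part": False,
        "macro_enabled_content_type": False,
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = z.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    # The VBA project lives at word/vbaProject.bin; match case-insensitively on the suffix.
    result["has_vba_part"] = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
    if result["is_ooxml"]:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_content_type"] = (
            "macroEnabled" in content_types or "vbaProject" in content_types
        )
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy: hold any Word attachment that carries a VBA project or declares itself macro-enabled."""
    r = inspect_office_document(data)
    return r["has_vba_part"] or r["macro_enabled_content_type"]


if __name__ == "__main__":
    for label, sample in (("macro-bearing", build_sample_docx(True)),
                          ("plain", build_sample_docx(False))):
        print(label, inspect_office_document(sample), "quarantine:", should_quarantine(sample))
```

Checking the package structure rather than the filename matters because attackers routinely rename macro-enabled documents; the ZIP contents, not the extension, decide whether Word will offer to run a macro. Legacy binary `.doc` files are only flagged as OLE here and need a dedicated parser (for example oletools) to extract their VBA streams.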