
Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

February 3, 2022

MuddyWater, also known as MERCURY or Static Kitten, is an Advanced Persistent Threat (APT) group linked to Iran's Ministry of Intelligence and Security (MOIS) by U.S. Cyber Command. Active since at least 2017, this group frequently conducts cyber campaigns against high-value targets in American, European, and Asian countries.

Objectives of MuddyWater Attacks

The group's campaigns typically aim to achieve one of three objectives:

  1. Espionage – Supporting the political dominance of Iran in the Middle East.
  2. Intellectual Property Theft – Providing economic advantages to Iran by targeting private companies, universities, and research institutions.
  3. Ransomware Deployment – Using ransomware (such as Thanos) to destroy evidence or disrupt operations.

Attack Methodology

MuddyWater frequently leverages DNS for communication with Command & Control (C2) servers, while the initial contact with hosting servers occurs over HTTP. Their attack methods include:

  • PowerShell and Visual Basic scripting
  • Living-off-the-Land Binaries (LoLBins)
  • Spear-phishing with malicious PDFs and executables

Observed Campaign Targeting Turkish Entities

Attack on Turkish Government Entities

A campaign observed as recently as November 2021 targeted Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK). The attack method involved:

  • Malicious Excel (XLS) documents and executables hosted on snapfile[.]org
  • PDF documents embedding links to these payloads

Infection Chain

1. Delivery via Malicious PDFs

  • Attackers distributed PDFs with embedded links.
  • PDFs contained error messages prompting victims to click a link.
  • Clicking the link led to downloading a malicious XLS file or Windows executable.

2. Execution of Malicious Payloads

  • The downloaded sample drops a decoy document in hex format.
  • The hex representation is converted to a readable file and displayed to the victim.

3. PowerShell-based Execution

  • The malicious executable downloads and executes PowerShell scripts.
  • These scripts create directories in the user's home folder:
    • .CloudCache.conf – Instrumentor script to activate the next stage.
    • .CloudDrive.conf – Downloader script to fetch the next-stage payload.

4. Persistence via Windows Registry

  • A Run key value named CloudDrive is created under HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
  • The script uses SyncAppvPublishingServer.vbs (a script shipped with Windows, i.e., a LoLBin) to execute PowerShell code.

Infection Chain Variation (Pakistan Case)

In some cases, attackers modified the infection chain:

  • Skipped the instrumentor script and executed the downloader script directly from the registry.
  • Registry entry used: a Run key value named OwnDrive under HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
  • The downloader script collected preliminary data (e.g., the computer name) to register infections with the C2 server.

C2 Communication and Execution

Communication with C2 Servers

The implant:

  1. Contacts the C2 server to request PowerShell commands.
  2. Parses the response to verify that the computer name matches the intended target.
  3. Executes the received PowerShell commands.
  4. Encrypts the command output with AES and sends it back to the C2 server.

URL for Command Output

http:///images?guid=

User-Agent Used

Googlebot/2.1 (+http://www.google.com/bot.html)

Tracking Tokens in Use

Analysts observed the decoy documents reaching out to:

hxxp://172.245.81[.]135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg

  • Similar URLs were seen in previous MuddyWater campaigns targeting Pakistan.
  • This server likely acted as a tracking mechanism for successful infections.
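As an added example (not code from the original report or from the group's tooling), the following Python script turns the persistence indicators above (Run values named CloudDrive and OwnDrive, SyncAppvPublishingServer.vbs, the hidden .conf stager files) and the C2 indicators (the Googlebot User-Agent, the /images?guid= URL pattern, the tracking host) into detection checks and runs them over constructed log lines. The key="value" line format, the EventType names, the user name, the placeholder C2 host 198.51.100.7 and every sample event are assumptions made for this example; only the indicator strings come from the report.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the report above (lower-cased where matching is case-insensitive).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
RUN_VALUE_NAMES = {"clouddrive", "owndrive"}            # Turkey and Pakistan persistence names
STAGER_FILES = {".cloudcache.conf", ".clouddrive.conf"}  # instrumentor and downloader scripts
LOLBIN_SCRIPT = "syncappvpublishingserver.vbs"
GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
TRACKING_HOST = "172.245.81.135"                        # refanged from the tracking URL above

# Assumed log format for this example: one event per line, key="value" fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def check_registry(ev):
    """Registry value-set events: per-user Run entries with MuddyWater's names or payload references."""
    target = ev.get("TargetObject", "").lower()
    if RUN_KEY not in target:
        return []
    name = target.rsplit("\\", 1)[-1]
    details = ev.get("Details", "").lower()
    reasons = []
    if name in RUN_VALUE_NAMES:
        reasons.append(f"Run value name '{name}' matches MuddyWater persistence")
    if LOLBIN_SCRIPT in details:
        reasons.append("Run value launches SyncAppvPublishingServer.vbs")
    if any(f in details for f in STAGER_FILES):
        reasons.append("Run value references a hidden .conf stager in the user profile")
    return reasons


def check_process(ev):
    """Process-creation events: a script host running the LOLBin, or PowerShell fed a .conf stager."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if image.endswith(("wscript.exe", "cscript.exe")) and LOLBIN_SCRIPT in cmd:
        reasons.append("Script host executing SyncAppvPublishingServer.vbs (PowerShell LOLBin)")
    if "powershell" in image and any(f in cmd for f in STAGER_FILES):
        reasons.append("PowerShell executing a hidden .conf stager from the user profile")
    return reasons


def check_network(ev):
    """Outbound web requests: crawler UA from a workstation, the C2 URL pattern, the tracking host."""
    reasons = []
    if ev.get("UserAgent") == GOOGLEBOT_UA:
        reasons.append("Client presenting the Googlebot User-Agent (a crawler UA from a workstation)")
    parts = urlsplit(ev.get("Url", ""))
    host = parts.hostname or ""
    if parts.path == "/images" and parts.query.startswith("guid="):
        reasons.append("URL matches the MuddyWater command-output pattern /images?guid=")
    if host == TRACKING_HOST:
        reasons.append("Request to the MuddyWater tracking server")
    else:
        try:  # plain HTTP to a bare IP on an odd port is worth a look on its own
            ipaddress.ip_address(host)
            if parts.port not in (None, 80, 443):
                reasons.append(f"HTTP to a bare IP address on port {parts.port}")
        except ValueError:
            pass  # a hostname, not an IP literal
    return reasons


CHECKS = {"RegistryValueSet": check_registry, "ProcessCreate": check_process, "WebRequest": check_network}


def scan(lines):
    """Return (line_index, reasons) for every event that trips at least one check."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        check = CHECKS.get(ev.get("EventType"))
        reasons = check(ev) if check else []
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not real logs); the first six mirror the behaviour described above.
SAMPLE_EVENTS = [
    r'EventType="RegistryValueSet" TargetObject="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CloudDrive" Details="wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <args omitted>"',
    r'EventType="RegistryValueSet" TargetObject="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OwnDrive" Details="powershell.exe C:\Users\alice\.CloudDrive.conf"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs <args omitted>"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe C:\Users\alice\.CloudCache.conf"',
    r'EventType="WebRequest" Url="http://172.245.81.135:10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/Pan-op/gallery.jpg" UserAgent="Mozilla/5.0 (Windows NT 10.0)"',
    r'EventType="WebRequest" Url="http://198.51.100.7/images?guid=EXAMPLE-GUID" UserAgent="Googlebot/2.1 (+http://www.google.com/bot.html)"',
    r'EventType="RegistryValueSet" TargetObject="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive" Details="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
    r'EventType="WebRequest" Url="https://www.example.com/index.html" UserAgent="Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for r in reasons:
            print(f"  - {r}")
```

The three benign events at the end (a legitimate OneDrive Run value, notepad, an ordinary HTTPS request) produce no hits, which is the point of matching on the specific value names, the LOLBin script and the exact crawler User-Agent rather than on "any Run key write" or "any PowerShell". In a real deployment the same checks map onto Sysmon event IDs 13 and 1 and a web proxy log; the Googlebot check in particular is cheap and high-signal, because no workstation browser legitimately sends that string.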

MuddyWater's Attacks on Other Regions

Armenian Telecommunications Sector Attack

MuddyWater also targeted Armenia's telecommunications sector. The decoy document used:

  • A Maintenance Operation Protocol (MOP) guide for the telecom solution provider Viva-MTS.
  • The infection chain was identical to previous PowerShell-based downloader campaigns.

Reuse of Attack Techniques

  • The same infection chain was later seen again in attacks against Pakistan.
  • The group continues to modify its tactics, including switching execution methods and leveraging decoy documents for obfuscation.

Conclusion

MuddyWater's recent campaigns against Turkish entities demonstrate:

  • Targeted spear-phishing using malicious PDFs.
  • PowerShell-based infection chains for execution and persistence.
  • Adaptation of tactics across different regions (e.g., Turkey, Pakistan, Armenia).
  • Use of tracking mechanisms to monitor successful infections.

Security teams should implement behavioral detection, registry monitoring, and PowerShell execution restrictions to defend against such threats.