Full Report
The Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. "The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
Attributed to the Iranian threat actor tracked as MuddyWater.
**Known Aliases/Associated Groups:** Mango Sandstorm, Static Kitten, TA450.
**Affiliation:** Assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
**Operational Since:** At least 2017.
## Activity Summary
Attributed to a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East, utilizing a newly identified Rust-based implant named **RustyWater** (also referred to as Archer RAT and RUSTRIC). This campaign represents an evolution from their historical reliance on PowerShell/VBS loaders toward more modular, Rust-based tooling.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails disguised as cybersecurity guidelines containing malicious Microsoft Word documents.
- **Execution:** Luring recipients to click "Enable content" to execute a malicious VBA macro, which deploys the Rust implant binary.
- **Implantation/Evasion:** Use of icon spoofing.
- **Persistence:** Establishes persistence using a Windows Registry key.
- **C2/Implants:** Uses RustyWater, a Rust-based implant capable of asynchronous C2 communication, anti-analysis techniques, and modular post-compromise capability expansion.
- **Historical TTPs:** Historically relied on PowerShell and VBS loaders for initial access and post-compromise operations.
## Targeting
- **Sectors:** Diplomatic, maritime, financial, and telecom entities. (Other targets mentioned in related activity include IT, Managed Service Providers (MSPs), Human Resources, and Software Development companies.)
- **Geography:** Middle East. (Specific related activity tracked by Seqrite Labs targeted Israel.)
- **Victims:** Diplomatic, maritime, financial, and telecom entities.
## Tools & Infrastructure
- **Malware Families Used:** RustyWater (Rust-based implant, also RUSTRIC/Archer RAT), Phoenix, UDPGangster, BugSleep (aka MuddyRot), MuddyViper.
- **Infrastructure (C2):** "nomercys[.]it[.]com"
## Implications
The adoption of Rust in the RustyWater implant signals a significant tooling evolution for MuddyWater, moving towards more structured, modular, and potentially stealthier Remote Access Trojan (RAT) capabilities, possibly reducing reliance on established remote access software.
## Mitigations
- Vigilance against spear-phishing, especially documents masquerading as official guidelines.
- Strict enforcement against enabling macros or content in untrusted Microsoft Office documents.
- Monitoring for asynchronous C2 beaconing activity associated with the new implant.
- Monitoring for the creation of persistence mechanisms via Windows Registry keys associated with the actor.
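The two host-side behaviours the report calls out, a Word document's macro launching a dropped binary (Execution) and that binary writing a Run/RunOnce registry value (Persistence), are both visible in Sysmon telemetry. The following is an added example, not code from the original report or from any vendor named in it: a small detector that reads Sysmon-style records in JSON-lines form and raises an alert for an Office host process spawning a child and for a write under a Run or RunOnce key. The field names follow Sysmon's (`EventID`, `Image`, `ParentImage`, `CommandLine`, `TargetObject`, `Details`); the log lines, the file paths, the SID and the value name `Updater` are constructed for this illustration and are not indicators from the report.

```python
import json
import re
from dataclasses import dataclass

# Sysmon event IDs used here: 1 = process creation, 13 = registry value set.
EVENT_PROCESS_CREATE = 1
EVENT_REGISTRY_SET = 13

# Office host processes that rarely have a legitimate reason to spawn children.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Autorun locations under HKLM or any HKU hive: ...\CurrentVersion\Run and \RunOnce.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE
)


@dataclass
class Alert:
    rule: str
    detail: str


def parse_events(jsonl):
    """Parse one JSON object per line (Winlogbeat/Sysmon export style); skip blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event that matches an Execution or Persistence rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == EVENT_PROCESS_CREATE:
            parent = basename(ev.get("ParentImage", ""))
            if parent in OFFICE_PARENTS:
                alerts.append(Alert(
                    "office_child_process",
                    f"{parent} spawned {basename(ev.get('Image', ''))}: "
                    f"{ev.get('CommandLine', '')}"))
        elif eid == EVENT_REGISTRY_SET:
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                alerts.append(Alert(
                    "run_key_persistence",
                    f"{basename(ev.get('Image', ''))} set {target} = {ev.get('Details', '')}"))
    return alerts


# Constructed sample telemetry: two benign records and two that match the rules.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "update.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LastUsed", "Details": "1"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"}
'''

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"[{alert.rule}] {alert.detail}")
```

In practice the two alerts would be correlated on the child image path: the binary launched from WINWORD.EXE is the same one that later writes the Run value, which is a much stronger signal than either event on its own. The `Winlogon` record is included to show that the regex only matches `Windows\CurrentVersion\Run`, not the unrelated `Windows NT\CurrentVersion` branch.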