Saturday, October 25, 2025

Iranian hackers target over 100 govt orgs with Phoenix backdoor


State-sponsored Iranian hacker group MuddyWater has targeted more than 100 government entities in attacks that deployed version 4 of the Phoenix backdoor.

The threat actor is also known as Static Kitten, Mercury, and Seedworm, and it typically targets government and private organizations in the Middle East region.

Starting August 19, the hackers launched a phishing campaign from a compromised account that they accessed through the NordVPN service.

The emails were sent to numerous government and international organizations in the Middle East and North Africa, cybersecurity company Group-IB says in a report today.

According to the researchers, the threat actor took down the server and the server-side command-and-control (C2) component on August 24, likely indicating a new stage of the attack that relied on other tools and malware to collect information from compromised systems.

Most of the targets of this MuddyWater campaign are embassies, diplomatic missions, foreign affairs ministries, and consulates.

Targets in the latest MuddyWater campaign
Source: Group-IB

Back to macro attacks

Group-IB's research revealed that MuddyWater used emails carrying malicious Word documents whose macro code decoded the FakeUpdate malware loader and wrote it to disk.

The emails attach malicious Word documents that instruct recipients to "enable content" in Microsoft Office. This action triggers a VBA macro that writes the 'FakeUpdate' malware loader to disk.

It's unclear what prompted MuddyWater to deliver malware via macro code hidden in Office documents, since the technique was popular several years ago, when macros ran automatically upon opening a document.

Since Microsoft disabled macros by default, threat actors have moved to other methods, a more recent one being ClickFix, also used by MuddyWater in past campaigns.

Group-IB researchers say that the loader in MuddyWater's recent attacks decrypts the Phoenix backdoor, which is an embedded, AES-encrypted payload.

The malware is written to 'C:\ProgramData\sysprocupdate.exe' and establishes persistence by modifying the Windows Registry entry that holds configuration for the current user, including the application that should run as the shell after logging into the system.

Observed attack chain
Source: Group-IB

Phoenix and Chrome stealer

The Phoenix backdoor has been documented in past MuddyWater attacks, and the variant used in this campaign, version 4, includes an additional COM-based persistence mechanism and several functional differences.

Differences between Phoenix version 3 and version 4
Source: Group-IB

The malware gathers information about the system, such as computer name, domain, Windows version, and username, to profile the victim. It connects to its command-and-control (C2) server via WinHTTP and starts to beacon and poll for commands.

Group-IB has confirmed that the following commands are supported in Phoenix v4:

  • 65 — Sleep
  • 68 — Upload file
  • 85 — Download file
  • 67 — Start shell
  • 83 — Update sleep interval time
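A backdoor that polls its C2 at a fixed sleep interval, as described in the two passages above, leaves a timing signature in proxy or DNS logs even when the destination is unknown. The script below is an added example, not from the article or Group-IB: it groups outbound requests by (client, destination), measures the gaps between them, and flags pairs whose cadence is too regular to be a person browsing. The log lines, client address and hostnames are constructed for the example.

```python
"""Flag beacon-like request cadence in proxy logs.

Added example (not from the article or Group-IB). Log format is a
constructed simplification: "<ISO timestamp> <client> <host> <status> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polled every ~60 s, one host browsed normally.
SAMPLE_LOG = """\
2025-08-20T09:00:00Z 10.0.0.5 update.example-c2.test 200 412
2025-08-20T09:01:00Z 10.0.0.5 update.example-c2.test 200 410
2025-08-20T09:02:01Z 10.0.0.5 update.example-c2.test 200 409
2025-08-20T09:03:00Z 10.0.0.5 update.example-c2.test 200 411
2025-08-20T09:04:00Z 10.0.0.5 update.example-c2.test 200 412
2025-08-20T09:05:01Z 10.0.0.5 update.example-c2.test 200 410
2025-08-20T09:00:12Z 10.0.0.5 www.example.com 200 18233
2025-08-20T09:00:40Z 10.0.0.5 www.example.com 200 55021
2025-08-20T09:07:03Z 10.0.0.5 www.example.com 200 9120
2025-08-20T09:21:50Z 10.0.0.5 www.example.com 200 71002
2025-08-20T09:45:02Z 10.0.0.5 www.example.com 200 1100
2025-08-20T10:10:11Z 10.0.0.5 www.example.com 200 8100
"""


def parse_line(line):
    """Split one log line into (timestamp, client, host, status, size)."""
    ts, client, host, status, size = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client, host, int(status), int(size))


def find_beacons(log_text, min_requests=5, max_cv=0.15):
    """Return {(client, host): (mean_gap_s, cv)} for beacon-like pairs.

    cv is the coefficient of variation (stdev / mean) of the inter-request
    gaps; a low cv with enough samples means a machine-driven timer. The
    operator can change the sleep interval (command 83), so evaluate over
    sliding windows in production rather than a whole day at once.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _, _ = parse_line(line)
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (client, host), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {client} -> {host} every ~{gap}s (cv={cv})")
```

Response size is deliberately kept in the parsed tuple: the C2 rows in the sample return almost identical small bodies, and adding a size-variance term to the score is the usual next refinement, since a "nothing to do" reply from a tasking server tends to be the same few hundred bytes every time.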

Another tool MuddyWater used in these attacks is a custom infostealer that attempts to exfiltrate the credential database from the Chrome, Opera, Brave, and Edge browsers, extract credentials, and grab the master key needed to decrypt them.

On MuddyWater's C2 infrastructure the researchers also found the PDQ utility for software deployment and management, and the Action1 RMM (Remote Monitoring and Management) tool. PDQ has been used in attacks attributed to Iranian hackers.

Group-IB attributes the attacks to MuddyWater with high confidence, based on the use of malware families and macros seen in past campaigns, the use of common string-decoding techniques in new malware similar to previously used families, and the group's specific targeting patterns.
