MuddyWater Uses Spear-Phishing to Launch RustyWater RAT in the Middle East
The Iranian threat actor known as MuddyWater has been linked to a spear-phishing campaign that targets diplomatic, marine, banking, and telecom organizations in the Middle East with a Rust-based implant nicknamed RustyWater.
In a report released this week, CloudSEK researcher Prajwal Awasthi stated, “The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.”
The latest development reflects the ongoing evolution of MuddyWater’s tradecraft: the group has steadily reduced its reliance on legitimate remote access software as a post-exploitation tool in favor of a varied custom malware arsenal that includes Phoenix, UDPGangster, BugSleep (also known as MuddyRot), and MuddyViper.
The group, also tracked as Mango Sandstorm, Static Kitten, and TA450, is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and has been active since at least 2017.

The attack chains that deliver RustyWater are fairly simple: spear-phishing emails posing as cybersecurity guidelines carry a Microsoft Word attachment that, when opened, instructs the victim to click “Enable content”, which triggers a malicious VBA macro responsible for deploying the Rust implant binary.
RustyWater, also known as Archer RAT and RUSTRIC, collects victim machine data, identifies installed security software, creates persistence using a Windows Registry key, and connects to a command-and-control (C2) server (“nomercys.it[.]com”) to enable file operations and command execution.
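The delivery chain above (Word macro that drops and launches an implant binary) leaves a characteristic trace in process-creation telemetry: an Office application spawning a child that lives in a user-writable directory or is a script host. The following is an added example written for this article, not code from CloudSEK or Seqrite; the `key=value|key=value` record format, the parent and allowlist sets, and the log lines themselves are constructed assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Office applications whose child processes warrant scrutiny (assumption:
# the set reflects the Word-macro delivery described in the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children Office commonly spawns legitimately (constructed allowlist;
# tune it to the environment to keep noise down).
BENIGN_CHILDREN = {"splwow64.exe", "ai.exe", "officeclicktorun.exe"}

# Script and shell hosts that a macro typically uses as its next hop.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe"}

# Locations an unprivileged user can write to; a freshly dropped implant
# usually runs from here rather than from Program Files or System32.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|c:\\programdata|c:\\windows\\temp)\\",
    re.IGNORECASE,
)

def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def is_suspicious(event):
    """True when an Office parent spawns a script host or a binary from a user-writable path."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child_path = event.get("Image", "")
    child = PureWindowsPath(child_path).name.lower()
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return False
    return child in SCRIPT_HOSTS or bool(USER_WRITABLE.match(child_path))

def flag_office_children(lines):
    """Return the parsed records that match the macro-to-payload pattern."""
    events = [parse_event(line) for line in lines]
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample telemetry, not taken from either vendor report.
SAMPLE_LOG = [
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Users\\alice\\AppData\\Roaming\\svc_update.exe|CommandLine=svc_update.exe",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|CommandLine=setup.exe",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -File update.ps1",
]

if __name__ == "__main__":
    for hit in flag_office_children(SAMPLE_LOG):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

The same predicate maps directly onto Sysmon Event ID 1 or EDR process-creation fields; the allowlist is the part that needs per-environment tuning.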
Notably, Seqrite Labs reported the use of RUSTRIC late last month in attacks on Israeli software development, IT, managed service provider (MSP), and human resources firms. That firm tracks the activity under the aliases Operation IconCat and UNG0801.
According to CloudSEK, MuddyWater has historically relied on PowerShell and VBS loaders for initial access and post-compromise actions. “The development of Rust-based implants is an important advancement in tooling toward more organized, modular, and low-noise RAT capabilities,” the company said.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.