What is Muddywater?
Aliases: Static Kitten, COBALT ULSTER, Temp.Zagros, and Seedworm.
Muddywater is an Iran-based threat actor active since 2017. It primarily targets government and defense entities in the Middle East by distributing macro-based spearphishing emails. Researchers noted that the group uses wscript or CMSTP to execute PowerShell payloads; this indirect execution relies on techniques such as the AppLocker bypass.
Why is Muddywater trending?
Microsoft sent out a warning that Muddywater is currently exploiting CVE-2020-1472, aka the Zerologon vulnerability. This vulnerability lies in the core authentication component of Active Directory within the Windows Server OS, the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
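The two behaviours described above (PowerShell launched through wscript or CMSTP, and Zerologon exploitation against a domain controller) both leave traces in Windows event logs. The following is an added detection example, not code from the original page or from any vendor: it flags Sysmon process-creation events where PowerShell is spawned by cmstp.exe or wscript.exe, and Security-log events Microsoft associates with Zerologon (Netlogon events 5827/5828/5829, and a 4742 computer-account change performed by ANONYMOUS LOGON). The flat key="value" event format and the sample events are constructed for the example; real Sysmon and Security events are XML in EVTX and would need to be flattened first.

```python
"""Detection helpers for MuddyWater-style activity (added example, not from
the original page). Sample events are constructed; the key="value" layout is
an assumption about how EVTX/XML events were flattened before reaching here."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon event 1: PowerShell launched indirectly via CMSTP -> suspicious
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\System32\\cmstp.exe" CommandLine="powershell -nop -w hidden -e <base64 omitted>"',
    # Sysmon event 1: PowerShell launched from Explorer -> normal user activity
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell Get-Process"',
    # Sysmon event 1: wscript parent but child is not a script host -> ignored here
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Windows\\System32\\wscript.exe" CommandLine="notepad"',
    # Security 4742: DC machine account changed by ANONYMOUS LOGON -> Zerologon pattern
    'EventID=4742 SubjectUserName="ANONYMOUS LOGON" TargetUserName="DC01$" TargetDomainName="CORP"',
    # Security 4742: ordinary admin-driven computer account change -> benign
    'EventID=4742 SubjectUserName="admin" TargetUserName="WS42$" TargetDomainName="CORP"',
    # Netlogon 5829: vulnerable secure channel connection was ALLOWED -> high
    'EventID=5829 MachineName="WS42"',
    # Netlogon 5827: vulnerable connection was DENIED -> worth tracking, lower severity
    'EventID=5827 MachineName="OLDPRINTER"',
]

# key=value or key="quoted value" pairs
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def basename(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
INDIRECT_PARENTS = {"cmstp.exe", "wscript.exe"}  # the two launchers named on the page


def check_indirect_powershell(ev):
    """Sysmon event 1 where PowerShell is the child of cmstp.exe or wscript.exe."""
    if ev.get("EventID") != "1":
        return None
    child = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if child in SCRIPT_HOSTS and parent in INDIRECT_PARENTS:
        return ("high", f"PowerShell spawned by {parent}: {ev.get('CommandLine', '')}")
    return None


def check_netlogon(ev):
    """Security-log events Microsoft ties to Zerologon (CVE-2020-1472) activity."""
    eid = ev.get("EventID")
    if eid == "5829":
        return ("high", f"vulnerable Netlogon secure channel ALLOWED for {ev.get('MachineName', '?')} (event 5829)")
    if eid in {"5827", "5828"}:
        return ("medium", f"vulnerable Netlogon connection denied for {ev.get('MachineName', '?')} (event {eid})")
    if (eid == "4742"
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("TargetUserName", "").endswith("$")):
        return ("high", f"computer account {ev['TargetUserName']} changed by ANONYMOUS LOGON (event 4742)")
    return None


def scan(lines):
    """Run both checks over every line; return a list of (severity, message)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_indirect_powershell, check_netlogon):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

On the constructed sample the scan yields three high findings (the CMSTP-spawned PowerShell, the ANONYMOUS LOGON change to DC01$, and the allowed vulnerable Netlogon channel) and one medium finding for the denied 5827 connection. Event 5829 is the one to act on first: it means a domain controller still accepted a vulnerable Netlogon connection, so the enforcement fix has not taken effect for that client.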
Reactions from Twitter
Iranian threat actor Mercury/MuddyWater targeting the Zerologon vulnerability on Windows domain controllers.
The Iran-linked threat actor known as MuddyWater is actively targeting the Zerologon vulnerability in Windows Server, Microsoft warns.
References from KNOW
- Total references counted: 1,371
- References in the last 60 days: 10
- References in the last 7 days: 0
Context from KNOW
- Risk rules triggered: 6 out of 48
- Industries affected: Telecommunications, Energy & Natural Resources, Aerospace and Defense, and Education.
- Most recent reference: Hybrid Analysis result for ‘plink.exe’
- Intrusion methods: Phishing, Obfuscation, Phishing Campaign, Pass the Hash, Infection chain, Spear Phishing, and Social Engineering.
- Malware used: POWERSTATS and Koadic.
- Related hashes: 69
- Campaign: Blackwater
What is KNOW?
Want to know how else you can use our platform? Read this article to know how you can investigate the most trending malware. In the meantime, if you want to know how we are combining threat intel with attack surface intelligence, then read this.