
Researchers have attributed a spear-phishing campaign targeting the diplomatic, maritime, financial, and telecom sectors in the Middle East to the Iranian threat actor known as MuddyWater. The campaign delivered a Rust-based implant codenamed RustyWater.
"The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion," CloudSEK researcher Prajwal Awasthi said in an analysis published this week.
The latest development reflects the continued evolution of MuddyWater's tradecraft, which has gradually but steadily reduced its reliance on legitimate remote access software for post-exploitation in favour of a diverse custom malware arsenal that includes Phoenix, UDPGangster, BugSleep (also known as MuddyRot), and MuddyViper.
The hacking group, also tracked as Mango Sandstorm, Static Kitten, and TA450, is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS) and has been active since at least 2017.
The attack chain distributing RustyWater is fairly straightforward: spear-phishing emails disguised as cybersecurity guidelines carry a Microsoft Word document that, when opened, instructs the victim to "Enable content." Doing so runs a malicious VBA macro that deploys the Rust implant binary.
RustyWater, also known as Archer RAT and RUSTRIC, collects information about the victim machine, identifies installed security software, establishes persistence through a Windows Registry key, and contacts a command-and-control (C2) server (nomercys.it[.]com) to carry out file operations and execute commands.
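The delivery stage above hinges on a macro-enabled Word document. The following triage helper, an added example rather than code from the CloudSEK or Seqrite reports, checks an OOXML document for an embedded VBA project and for common auto-execution entry points; the sample documents it builds are constructed in-memory stand-ins, not real lure files.

```python
import io
import zipfile

# Procedure names a VBA project can use to run as soon as the document
# is opened, i.e. right after the victim clicks "Enable content".
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec", b"Workbook_Open")


def inspect_office_document(data: bytes) -> dict:
    """Return macro indicators for an OOXML (docx/docm) file given as bytes.

    OOXML files are ZIP containers; a VBA project lives in word/vbaProject.bin.
    Its presence is the reliable signal. Module source inside it is
    MS-OVBA-compressed, so the plain byte search for auto-exec names below is
    only a bonus indicator; a full check would decompress the streams first.
    """
    result = {"is_zip": False, "has_macros": False, "auto_exec": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        if not vba_parts:
            return result
        result["has_macros"] = True
        blob = b"".join(z.read(n) for n in vba_parts)
        result["auto_exec"] = [n.decode() for n in AUTO_EXEC_NAMES if n in blob]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP mimicking a .docm layout (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for a VBA project containing a Document_Open handler.
            z.writestr("word/vbaProject.bin", b"\x00Attribute VB_Name\x00Document_Open\x00Shell")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_document(build_sample(True)))
    print(inspect_office_document(build_sample(False)))
```

Mail-gateway or endpoint tooling would apply the same check to attachments before they reach a user; a hit on `has_macros` in a document that claims to be guidance text is exactly the pattern this campaign relies on.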
Late last month, Seqrite Labs identified the use of RUSTRIC in attacks directed against Israeli companies in the information technology (IT), managed service provider (MSP), human resources, and software development sectors. The cybersecurity firm tracks the activity under the names UNG0801 and Operation IconCat.
"Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations," CloudSEK stated in their announcement. "The introduction of Rust-based implants represents a notable tooling evolution towards more structured, modular, and low noise RAT capabilities."
