
MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)
ID: G0069
Associated Groups: MERCURY, Static Kitten, TEMP.Zagros, Mango Sandstorm, TA450, Seedworm, Earth Vetala
Version: 5.1
Created: 18 Apr 2018
Last Modified: 29 Aug 2024

Associated Group Descriptions

Name Description
MERCURY (Citation: Anomali Static Kitten February 2021)
Static Kitten (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
TEMP.Zagros (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
Mango Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
TA450 (Citation: Proofpoint TA450 Phishing March 2024)
Seedworm (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
Earth Vetala (Citation: Trend Micro Muddy Water March 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)

Enterprise T1087 .002 Account Discovery: Domain Account

MuddyWater has used cmd.exe net user /domain to enumerate domain users.(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MuddyWater has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyWater has added the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

MuddyWater has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

MuddyWater has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018)

.005 Command and Scripting Interpreter: Visual Basic

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

.006 Command and Scripting Interpreter: Python

MuddyWater has developed tools in Python including Out1.(Citation: Trend Micro Muddy Water March 2021)

.007 Command and Scripting Interpreter: JavaScript

MuddyWater has used JavaScript files to execute its POWERSTATS payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

MuddyWater has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

MuddyWater has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

MuddyWater has specifically targeted government agency employees with spearphishing e-mails.(Citation: Anomali Static Kitten February 2021)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

MuddyWater maintains persistence on victim networks by side-loading DLLs to trick legitimate programs into running malware.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

MuddyWater can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

.002 Inter-Process Communication: Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.(Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)

.004 OS Credential Dumping: LSA Secrets

MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)

.005 OS Credential Dumping: Cached Domain Credentials

MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWater Nov 2018)

.004 Obfuscated Files or Information: Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky MuddyWater Nov 2018)

.010 Obfuscated Files or Information: Command Obfuscation

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.(Citation: Anomali Static Kitten February 2021)(Citation: group-ib_muddywater_infra)

Enterprise T1137 .001 Office Application Startup: Office Template Macros

MuddyWater has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Proofpoint TA450 Phishing March 2024)

.002 Phishing: Spearphishing Link

MuddyWater has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1090 .002 Proxy: External Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018) MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

MuddyWater has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.(Citation: Securelist MuddyWater Oct 2018)

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.(Citation: FireEye MuddyWater Mar 2018)

.005 System Binary Proxy Execution: Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)

.011 System Binary Proxy Execution: Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.(Citation: Securelist MuddyWater Oct 2018)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

MuddyWater has run a tool that steals passwords saved in victim email.(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1204 .001 User Execution: Malicious Link

MuddyWater has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

.002 User Execution: Malicious File

MuddyWater has attempted to get users to open a malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1102 .002 Web Service: Bidirectional Communication

MuddyWater has used web services including OneHub to distribute remote access tools.(Citation: Anomali Static Kitten February 2021)

Software

ID Name References Techniques
S0592 RemoteUtilities (Citation: Trend Micro Muddy Water March 2021) File and Directory Discovery, Ingress Tool Transfer, Msiexec, Screen Capture
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) (Citation: TrendMicro POWERSTATS V3 June 2019) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Command Obfuscation, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: TrendMicro POWERSTATS V3 June 2019) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0450 SHARPSTATS (Citation: TrendMicro POWERSTATS V3 June 2019) System Network Configuration Discovery, PowerShell, Ingress Tool Transfer, Command Obfuscation, System Information Discovery, System Time Discovery, System Owner/User Discovery
S1047 Mori (Citation: CYBERCOM Iranian Intel Cyber January 2022) (Citation: DHS CISA AA22-055A MuddyWater February 2022) Web Protocols, Junk Data, Regsvr32, Deobfuscate/Decode Files or Information, DNS, Query Registry, Modify Registry, File Deletion, Standard Encoding
S0594 Out1 (Citation: Trend Micro Muddy Water March 2021) Web Protocols, Obfuscated Files or Information, Windows Command Shell, Data from Local System, Local Email Collection
S0591 ConnectWise (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Trend Micro Muddy Water March 2021) Video Capture, PowerShell, Screen Capture
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: TrendMicro POWERSTATS V3 June 2019) (Citation: Unit 42 MuddyWater Nov 2017) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S1046 PowGoop (Citation: CYBERCOM Iranian Intel Cyber January 2022) (Citation: DHS CISA AA22-055A MuddyWater February 2022) Encrypted Channel, Masquerading, Web Protocols, PowerShell, DLL Side-Loading, Deobfuscate/Decode Files or Information, Match Legitimate Name or Location, Non-Standard Encoding
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) Security Account Manager, NTDS, Password Spraying, Password Policy Discovery, Domain Account, System Network Connections Discovery, Password Guessing, At, Network Share Discovery, Remote System Discovery, LSA Secrets, Windows Management Instrumentation, Modify Registry, File and Directory Discovery, Pass the Hash, System Information Discovery, Domain Groups, PowerShell, System Network Configuration Discovery, Brute Force
S0250 Koadic (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) (Citation: Reaqta MuddyWater November 2017) (Citation: TrendMicro POWERSTATS V3 June 2019) System Network Configuration Discovery, System Information Discovery, Visual Basic, Mshta, Dynamic-link Library Injection, Regsvr32, System Owner/User Discovery, Hidden Window, Security Account Manager, Ingress Tool Transfer, Web Protocols, Windows Management Instrumentation, PowerShell, Clipboard Data, Bypass User Account Control, Network Service Discovery, Remote Desktop Protocol, Windows Command Shell, File and Directory Discovery, Registry Run Keys / Startup Folder, NTDS, Service Execution, Data from Local System, Asymmetric Cryptography, Network Share Discovery, Rundll32, Scheduled Task
S1037 STARWHALE (Citation: CANOPY) (Citation: DHS CISA AA22-055A MuddyWater February 2022) (Citation: Mandiant UNC3313 Feb 2022) System Information Discovery, Windows Service, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Web Protocols, System Owner/User Discovery, Malicious File, Visual Basic, System Network Configuration Discovery, Encrypted/Encoded File, Windows Command Shell, Standard Encoding, Data from Local System, Local Data Staging
S0223 POWERSTATS (Citation: ClearSky MuddyWater June 2019) (Citation: ClearSky MuddyWater Nov 2018) (Citation: FireEye MuddyWater Mar 2018) (Citation: Powermud) (Citation: Symantec MuddyWater Dec 2018) (Citation: Unit 42 MuddyWater Nov 2017) Component Object Model, Deobfuscate/Decode Files or Information, System Owner/User Discovery, Disable or Modify Tools, Masquerade Task or Service, Local Account, Security Software Discovery, Mshta, Windows Management Instrumentation, Scheduled Transfer, Uncommonly Used Port, System Information Discovery, Standard Encoding, External Proxy, Dynamic Data Exchange, PowerShell, System Network Configuration Discovery, Commonly Used Port, Data from Local System, Scheduled Task, Asymmetric Cryptography, Command Obfuscation, File Deletion, Visual Basic, JavaScript, Ingress Tool Transfer, Screen Capture, Binary Padding, Process Discovery
S1035 Small Sieve (Citation: DHS CISA AA22-055A MuddyWater February 2022) (Citation: GRAMDOOR) (Citation: Mandiant UNC3313 Feb 2022) (Citation: NCSC GCHQ Small Sieve Jan 2022) Windows Command Shell, Ingress Tool Transfer, Non-Standard Encoding, Execution Guardrails, System Network Configuration Discovery, Asymmetric Cryptography, Python, Registry Run Keys / Startup Folder, Match Legitimate Name or Location, Obfuscated Files or Information, System Owner/User Discovery, Bidirectional Communication, Web Protocols

References

  1. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  2. Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
  3. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  4. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  5. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  6. Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.
  7. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  8. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  9. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  10. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  11. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  12. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  13. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  14. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  15. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  16. Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  17. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  18. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  19. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  20. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
