Details have emerged about a previously undocumented malware campaign undertaken by the Iranian MuddyWater advanced persistent threat (APT) group targeting Turkish private organizations and governmental institutions.
“This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise,” Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a newly published report.
The development comes as the U.S. Cyber Command, earlier this month, linked the APT to the Iranian Ministry of Intelligence and Security (MOIS).
The intrusions, which are believed to have been orchestrated as recently as November 2021, were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey (TÜBİTAK), using weaponized Excel documents and PDF files hosted on attacker-controlled or media-sharing websites.
These maldocs masqueraded as legitimate documents from the Turkish Health and Interior Ministries, with the attacks starting by executing malicious macros embedded in them to propagate the infection chain and drop PowerShell scripts to the compromised system.
A new addition to the group’s arsenal of tactics, techniques and procedures (TTPs) is the use of canary tokens in the macro code, a mechanism the researchers suspect is being used to track successful infection of targets, thwart analysis, and detect if the payload servers are being blocked at the other end.
Canary tokens, also known as honeytokens, are identifiers embedded in objects like documents, web pages and emails, which, when opened, triggers an alert in the form of an HTTP request, alerting the operator that the object was accessed.
The PowerShell script subsequently downloads and executes the next payload, also a PowerShell script that resides in the metadata of the maldoc, which, in turn, acts as the downloader for a third, unidentified PowerShell code that’s ultimately run on the infected endpoint.