Operation Quicksand: MuddyWater Group Dipping its Toes into Ransomware Deployments

MuddyWater, a known Iranian state-sponsored hacking group, has been deploying ransomware to hide intrusions in its recent attacks. Recently, it was found leveraging a new tool for its attack campaigns.

Latest discovery

ClearSky and Profero researchers have released a report linking a recent campaign with the MuddyWater group.

After close analysis, ClearSky researchers attributed Operation Quicksand to the MuddyWater group.
The campaign mainly targeted prominent organizations in Israel and in other countries around the world.
The report also links the MuddyWater group to the PowGoop downloader. In September, Palo Alto had published a report on the PowGoop variant of Thanos ransomware without attributing it to any known threat actor.

Primary attack vectors

MuddyWater's potentially destructive attacks relied on two primary attack vectors.

In the first, MuddyWater used phishing emails to deliver a malicious decoy document (PDF or Excel) that would download and install a malware strain (PowGoop) from the attackers' servers.
In the second, MuddyWater exploited a remote code execution vulnerability (CVE-2020-0688) in unpatched Microsoft Exchange servers and deployed the same payload through an .aspx file (web shell).
Additionally, MuddyWater used a few malicious files and legitimate files, along with self-developed tools.

Last MuddyWater attack

Recently, the MuddyWater group was found exploiting the Zerologon vulnerability (CVE-2020-1472) to take over domain controller (DC) servers, the centerpieces of most enterprise networks; control of a DC can give intruders full control over their targets.

Worth noting

MuddyWater has raised its level of sophistication over the past few years. Mainly ..