The Iranian nation-state threat group known as MuddyWater has launched a new, targeted campaign across the Middle East and North Africa (MENA) region, utilizing a previously compromised email account to distribute the Phoenix backdoor. This sophisticated operation has infiltrated over 100 organizations, with the vast majority of targets—more than three-fourths—being high-value entities such as embassies, diplomatic missions, foreign affairs ministries, and consulates, followed by international organizations and telecommunications firms. Cybersecurity firm Group-IB, which documented the campaign, assesses the ultimate goal is to facilitate intelligence gathering by infiltrating these critical organizations.
MuddyWater accessed the compromised mailbox through NordVPN, a legitimate service the threat actor is abusing, and then exploited it to send phishing emails that mimicked authentic correspondence. Security researchers noted that by leveraging the trust and authority inherent in such communications, the campaign significantly increased its chances of tricking recipients into opening the malicious attachments. The attack chain begins with the distribution of weaponized Microsoft Word documents that prompt the recipients to enable macros in order to view the content. Enabling this feature executes malicious Visual Basic for Applications (VBA) code, which then facilitates the deployment of Version 4 of the Phoenix backdoor.
The Phoenix backdoor, which is a lightweight variant of the Python-based BugSleep implant previously linked to MuddyWater, is deployed via a loader called FakeUpdate. This loader is decoded, written to the disk by the VBA dropper, and contains the Advanced Encryption Standard (AES)-encrypted Phoenix payload. Two variants of the backdoor have been observed, with both Version 3 and Version 4 offering capabilities essential for espionage, including gathering system information, establishing persistence, launching an interactive shell, and uploading or downloading files. MuddyWater, which is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2017 under various aliases.
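A defender-side check for the dropper chain described above (an Office macro decoding a loader, writing it to disk, and running it), added here as an example and not part of the Group-IB research or this article. It runs over constructed Sysmon-style telemetry; the field names, file paths, process names and timestamps are assumptions for illustration only.

```python
"""Added example: flag an Office process that writes an executable file
which is later launched, and any process spawned directly by Office.
Events are constructed Sysmon-style records (id 11 = FileCreate,
id 1 = ProcessCreate); field names and paths are assumptions."""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js")

# Constructed sample telemetry; every path and timestamp is illustrative.
EVENTS = [
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\u\AppData\Roaming\updater\FakeUpdate.exe", "ts": 100},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\u\Documents\notes.docx", "ts": 101},
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\updater\FakeUpdate.exe",
     "parent_image": r"C:\Windows\explorer.exe", "ts": 160},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "ts": 170},
]


def _basename(path):
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_drop_and_execute(events, window=3600):
    """Return a list of (rule, image, write_ts, exec_ts) hits.

    rule 'office_dropped_file_executed': an Office process wrote a file with
    an executable extension and that exact path started within `window`
    seconds (the VBA-dropper-to-loader step).
    rule 'office_child_process': a process whose parent is an Office
    application (write_ts is None for this rule)."""
    written = {}  # lowercase path -> first FileCreate timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = _basename(ev["image"])
        if ev["id"] == 11 and proc in OFFICE_PROCESSES:
            if ev["target"].lower().endswith(EXECUTABLE_EXTS):
                written.setdefault(ev["target"].lower(), ev["ts"])
        elif ev["id"] == 1:
            key = ev["image"].lower()
            if key in written and ev["ts"] - written[key] <= window:
                hits.append(("office_dropped_file_executed", ev["image"],
                             written[key], ev["ts"]))
            if _basename(ev["parent_image"]) in OFFICE_PROCESSES:
                hits.append(("office_child_process", ev["image"],
                             None, ev["ts"]))
    return hits
```

The correlation keys on the full written path, so a loader that is copied or renamed before execution would need a hash-based join instead; the child-process rule catches the more common case of the macro launching its payload directly.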
Analysis of the attacker’s command-and-control (C2) server also revealed that it was hosting remote monitoring and management (RMM) utilities alongside a custom web browser credential stealer designed to target popular browsers such as Brave, Google Chrome, Microsoft Edge, and Opera. This suggests the likely use of these tools in the overall operation. The deployment of RMM software, which can be easily used for legitimate purposes, aligns with MuddyWater’s established history of distributing remote access software through phishing campaigns over the years to maintain covert access.
In summary, the researchers concluded that by deploying updated malware variants like the Phoenix v4 backdoor and the FakeUpdate injector, as well as integrating custom credential-stealing tools with legitimate commercial RMM utilities like PDQ and Action1, MuddyWater has demonstrated an enhanced ability to blend custom code with commercial tools for improved stealth and persistence. This strategy allows the threat actor to maintain a low profile while successfully executing its intelligence-gathering mission against high-value targets across the MENA region.