Operation Olalampo: MuddyWater Escalates Cyber-Espionage Across the MENA Region with Multi-Stage Malware Arsenal

APT, Espionage, Exfiltration
This campaign involves sophisticated spear-phishing attacks. Adversaries aim to establish persistent access and exfiltrate sensitive data. It primarily targets government and defense sectors.

Indicators of Compromise

codefusiontech.org
promoverse.org
miniquest.org
jerusalemsolutions.com

APT Groups (1)

MuddyWater (IR)

Summary of Actor: MuddyWater is a sophisticated threat actor group believed to be operating out of Iran. They have been known to conduct espionage campaigns primarily targeting Middle Eastern nations and academic institutions. This group has been active since around 2017 and often uses custom malware and spear-phishing techniques.

General Features: MuddyWater is known to use sophisticated social engineering techniques and custom malware. Their campaigns often focus on credential harvesting and lateral movement within targeted networks. They are adept at evading detection through obfuscation and encryption of their malware.

Related Other Groups: SeedWorm, TEMP.Zagros

Indicators of Attack (IoA):

Spear-phishing emails with malicious attachments
Use of PowerShell scripts for malware deployment
Credential harvesting through phishing websites

Recent Activities and Trends:

Latest Campaigns: MuddyWater has recently been associated with campaigns targeting governmental entities in the Middle East, leveraging COVID-19 themed phishing lures.

Emerging Trends: An increased use of cloud storage services for malware hosting and growing sophistication in their spear-phishing tactics to bypass email security solutions.

Aliases: ATK51, Boggy Serpens, COBALT ULSTER, Earth Vetala, G0069, MERCURY, Mango Sandstorm, Seedworm, Static Kitten, TA450, TEMP.Zagros

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

ID | Name | Analytic ID | Analytic Description
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may attempt to get a listing of local system or domain accounts, network configurations, or scheduled tasks.
DS0009 | Process | Process Creation | Monitor for newly constructed processes and/or command-lines that can be used to execute malicious payloads, inject code, or clear logs.
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections or uncommon data flows that may indicate command and control communication or encrypted channels.
DS0022 | File | File Creation | Monitor for newly constructed or modified files that may indicate masquerading, log deletion, or obfuscation attempts.
DS0028 | Logon Session | Logon Session Creation | Monitor for valid accounts being used at unusual times, from unusual systems, or authenticating to systems they do not normally access.
DS0003 | Scheduled Job | Scheduled Job Creation | Monitor for the creation of new scheduled jobs/tasks via command-line or API that may be used for persistence or execution.
DS0012 | Script | Script Execution | Monitor for the execution of scripts (e.g., PowerShell, VBScript) that may be used to execute payloads or perform discovery operations.
DS0011 | Module | Module Load | Monitor for modules (DLLs) loaded by processes, especially those that may be injected into legitimate processes or used for API hooking.

Observed Countries (3)

DE (858)
KP (252)
US (756)