Group: MuddyWater, TEMP.Zagros

From enterprise
Jump to: navigation, search
MuddyWater, TEMP.Zagros
ID G0069
Aliases MuddyWater, TEMP.Zagros

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to FIN7, but is believed to be a distinct group motivated by espionage.1

Alias Descriptions

  • MuddyWater - 1
  • TEMP.Zagros - 2

Techniques Used

  • Spearphishing Attachment - MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.12
  • Obfuscated Files or Information - MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework.13 The group also used files with base64 encoded PowerShell commands.2
  • CMSTP - MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.2
  • Masquerading - MuddyWater has used filenames and Registry key names associated with Windows Defender.2
  • PowerShell - MuddyWater has used PowerShell for execution.2