A recent transatlantic joint-security advisory released by law enforcement authorities and cybersecurity agencies shared critical information on a brand-new malware threat.
The malicious software is being deployed by a hacking group known as MuddyWater, which is launching attacks aimed at critical infrastructure around the world. The group is known to be backed by Iranian intelligence agencies.
A partnership to stamp out cybercrime
News of the new malware strain was recently disclosed in a statement issued by Britain’s National Cyber Security Centre (NCSC) together with a long list of American agencies, including the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cyber National Mission Force (CNMF) and the Cybersecurity and Infrastructure Security Agency (CISA).
The statement explained that the MuddyWater hacking gang is now targeting a wide range of both government and private-sector organisations across different sectors. These include telecommunications, defence, natural gas and oil, and local government, spread across multiple continents including Asia, North America, Africa and Europe.
This group uses numerous malware types, including Canopy (also known as Starwhale), PowGoop, POWERSTATS and Mori, along with many unknown and undocumented strains, to deliver second-stage malware onto compromised systems, giving the operators backdoor access and enabling data exfiltration.
Among the malware strains detailed by the UK and US agencies, a new Python backdoor was highlighted as a significant risk. The backdoor, nicknamed Small Sieve, was employed by MuddyWater operators alongside a PowerShell backdoor used to encrypt C2 server communication channels.
The advisory explained:
“Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS), and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function.”
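To make the quoted description concrete, the following is an added illustration of how such a layered scheme can be modelled and reversed by an analyst: the payload is hex-encoded, the two digits of every hex byte are swapped, and the result is Base64-encoded with a substituted alphabet. This is not code from the advisory or from Small Sieve itself; the byte-level swap granularity and the substitution alphabet are assumptions chosen only to show the mechanism, since the page does not give the malware’s actual parameters.

```python
import base64

# Constructed alphabets for the illustration. The standard Base64 alphabet is
# remapped onto a substituted one; the page does not give Small Sieve's real
# alphabet, so this one is an assumption chosen only to show the mechanism.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_ALPHABET = b"ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"
_TO_CUSTOM = bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
_TO_STD = bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def swap_hex_pairs(hex_text: str) -> str:
    """Swap the two hex digits of every byte ('6f6b' -> 'f6b6'); assumed granularity.
    The swap is its own inverse, so one function serves both directions."""
    if len(hex_text) % 2:
        raise ValueError("hex string must have an even number of digits")
    return "".join(hex_text[i + 1] + hex_text[i] for i in range(0, len(hex_text), 2))


def obfuscate(plaintext: bytes) -> str:
    """Model the layered scheme: hex -> digit swap -> Base64 with substituted alphabet."""
    swapped = swap_hex_pairs(plaintext.hex())
    return base64.b64encode(swapped.encode("ascii")).translate(_TO_CUSTOM).decode("ascii")


def deobfuscate(blob: str) -> bytes:
    """Reverse the layers; raises ValueError on data that does not fit the scheme.
    Running this over strings from captured beacon traffic is a useful triage step."""
    std = blob.encode("ascii").translate(_TO_STD)
    swapped = base64.b64decode(std, validate=True).decode("ascii")
    return bytes.fromhex(swap_hex_pairs(swapped))


def decodes_cleanly(blob: str) -> bool:
    """True when the blob decodes through every layer to valid hex, else False."""
    try:
        deobfuscate(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample payload, not a real Small Sieve tasking message.
    sample = b"ok"
    blob = obfuscate(sample)
    print(blob, deobfuscate(blob))  # AqArMt== b'ok'
```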
Hackers backed by Iranian intelligence
The MuddyWater hacker group has been known by many other monikers, including TEMP.Zagros, Earth Vetala, Static Kitten, MERCURY and Seedworm. Believed to have been active for five years or more, it has a reputation for launching focused attacks on organisations in the Middle East, and for constantly upgrading its suite of malware tools.
While relatively new on the cyberthreat landscape, the Iranian-backed threat group is highly active, and targets telecommunication firms, governments, and oil industry organisations.
It has recently expanded its attack profile to include government and defence entities in Southwest and Central Asia, along with public and privately held organisations based in Europe and North America.
In January this year, a report by US Cyber Command officially linked MuddyWater to MOIS (the Ministry of Intelligence and Security of Iran), Iran’s foremost government intelligence agency.
The recent advisory represents the shared commitment of the UK and US to continue to work together as a united force in the war against cybercrime.