06 June 19, 12:59
Quote:The Iranian MuddyWater cyber-espionage group added new attack vectors to use as part of hacking campaigns targeting telecommunication and governmental organizations according to an analysis from the Clearsky Security threat intelligence outfit.
This happened despite the advanced persistent threat (APT) group — or government-backed hacking group — having screenshots of their server backends and one of their command-and-control (C2) server's codebase leaked via a Telegram channel during early-May.
MuddyWatter actors have supplemented their tactics, techniques, and procedures (TTPs) with new decoy macro-powered Microsoft Word documents that drop payloads via compromised servers and new documents designed to leverage the tried-and-true CVE-2017-0199 also known as Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.
The documents which deliver VBA macros to the targets' computers will download a second stage malware payload camouflaged as JPG files from hacked servers located in the same countries as the potential victims.
The ones designed to exploit CVE-2017-0199 "were identified by only three antivirus engines. This is in stark comparison to a previous attack we reported on, in which the documents were identified 32 times," says the Clearsky Security report.
SOURCE: https://www.bleepingcomputer.com/news/se...r-arsenal/