The Iranian threat actor known as MuddyWater is believed to have engaged in spear-phishing campaigns targeting diplomatic, maritime, financial, and communications institutions in the Middle East using a Rust-based implant known by the codename RustyWater.
“The campaign uses icon spoofing and malicious Word documents to deliver a Rust-based implant capable of asynchronous C2, anti-analytics, registry persistence, and modular post-compromise enhancements,” CloudSEK resetter Prajwal Awasthi said in a report published this week.
The latest developments reflect the continued evolution of MuddyWater’s tradecraft, slowly but steadily reducing its reliance on legitimate remote access software as a post-exploitation tool in favor of a diverse malware arsenal consisting of tools such as Phoenix, UDPGangster, BugSleep (aka MuddyRot), and MuddyViper.
The hacker group, also tracked as Mango Sandstorm, Static Kitten, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It has been in operation since at least 2017.
The attack chain to distribute RustyWater is very simple. Spear phishing emails disguised as cybersecurity guidelines are delivered as Microsoft Word documents. Opening this document instructs the victim to “enable content,” which activates the execution of a malicious VBA macro responsible for deploying the Rust implant binary.
RustyWater, also known as Archer RAT and RUSTRIC, collects information on victim machines, detects installed security software, sets persistence using Windows registry keys, and establishes a connection with a command and control (C2) server (‘nomercys.it’).[.]com”) to facilitate file operations and command execution.
Notably, the use of RUSTRIC was reported late last month by Seqrite Labs as part of an attack targeting information technology (IT), managed service provider (MSP), human resources, and software development companies in Israel. This activity is being tracked by a cybersecurity firm under the names UNG0801 and Operation IconCat.
“Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations,” CloudSEK said. “The introduction of Rust-based implants represents a remarkable tool evolution toward more structured, modular, and low-noise RAT capabilities.”
Source link
