
MuddyWater Targets Diplomatic Sectors Using RustyWater Phishing Implant

 

The Iranian threat actor known as MuddyWater has conducted a spear-phishing campaign that targets diplomatic, maritime, financial, and telecom entities across the Middle East using a Rust-based implant codenamed RustyWater.

CloudSEK researcher Prajwal Awasthi said in a report published this week: “The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.”

More broadly, this latest development highlights the continued evolution of MuddyWater’s tradecraft. Over time, the group has gradually—but steadily—reduced its reliance on legitimate remote access software for post-exploitation activities. Instead, it now favors a diverse custom malware arsenal that includes tools such as Phoenix, UDPGangster, BugSleep (aka MuddyRot), and MuddyViper.

Security researchers also track the hacking group under the names Mango Sandstorm, Static Kitten, and TA450. Analysts assess the group to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), and evidence shows that it has remained operational since at least 2017.

RustyWater Attack Chain

Meanwhile, the attack chains distributing RustyWater follow a fairly straightforward pattern. The operation begins with spear-phishing emails that masquerade as cybersecurity guidelines and arrive with a Microsoft Word document attached. Once opened, the document instructs the victim to “Enable content,” which triggers the execution of a malicious VBA macro responsible for deploying the Rust implant binary.

Also referred to as Archer RAT and RUSTRIC, RustyWater collects victim machine information, identifies installed security software, establishes persistence through a Windows Registry key, and connects to a command-and-control (C2) server (“nomercys.it[.]com”) to enable file operations and remote command execution.
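The report publishes the C2 domain in defanged form. As an added example (not code from CloudSEK or from the original article), the script below refangs that indicator and matches it, including any subdomain, against constructed DNS-log lines so a defender can confirm the check fires on exact and subdomain resolutions alike. The log format and host names are assumptions made for the example.

```python
import re

# Indicator as published in the report (defanged).
DEFANGED_C2 = "nomercys.it[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'nomercys.it[.]com' into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang(DEFANGED_C2)

# Constructed sample DNS log lines (assumed format; not from the report).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 query=update.microsoft.com type=A
2024-05-01T10:00:07Z host=WS07 query=nomercys.it.com type=A
2024-05-01T10:00:09Z host=WS07 query=cdn.nomercys.it.com type=A
2024-05-01T10:00:12Z host=WS02 query=example.org type=A
"""

DOMAIN_RE = re.compile(r"query=(?P<domain>[A-Za-z0-9.-]+)")
HOST_RE = re.compile(r"host=(?P<host>\S+)")


def matches_c2(domain: str, c2: str = C2_DOMAIN) -> bool:
    """True for the C2 domain itself or any subdomain of it (case-insensitive)."""
    d = domain.lower().rstrip(".")
    return d == c2 or d.endswith("." + c2)


def find_c2_hits(log_text: str, c2: str = C2_DOMAIN) -> list[dict]:
    """Return one record per log line whose queried domain matches the C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = DOMAIN_RE.search(line)
        if not m or not matches_c2(m.group("domain"), c2):
            continue
        h = HOST_RE.search(line)
        hits.append({
            "host": h.group("host") if h else None,
            "domain": m.group("domain"),
            "line": line,
        })
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"[ALERT] {hit['host']} resolved {hit['domain']}")
```

The subdomain check matters because an implant that contacts a host under the reported domain would be missed by an exact-string comparison; the `endswith("." + c2)` guard also avoids false positives on unrelated names that merely end with the same characters.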

Notably, Seqrite Labs flagged the use of RUSTRIC late last month during attacks that targeted Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel. The cybersecurity firm currently tracks this activity under the names UNG0801 and Operation IconCat.

“Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations,” CloudSEK said. “The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities.”

 


Source: TheHackerNews
