The Iranian cybercrime group MuddyWater has carried out a series of attacks on companies and organizations in Turkey and the Arabian Peninsula in order to deploy remote access Trojans on compromised systems.
According to experts from Cisco Talos, during the malicious campaign the attackers sent phishing emails carrying malicious Microsoft Excel attachments. A successful attack installed a remote access Trojan called SloughRAT (also known as Canopy) on the victim's computer, capable of executing arbitrary code and commands received from the command-and-control server.
The Microsoft Excel file attached to the email contains a malicious macro that drops two Windows Script File (.WSF) files on the system. One of them acts as a loader that invokes and executes the next-stage payload; the VBA macro places this script in the current user's Startup folder so that it survives a reboot. The second script is the WSF-based RAT itself, SloughRAT.
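The chain described above leaves two observable traces a defender can hunt for: an Office process spawning a Windows script host to run a .wsf file, and a .wsf file being executed out of a user's Startup folder. The following is an added example written for this page, not code from Cisco Talos or from the campaign; the process-creation records are constructed samples in the style of Sysmon Event ID 1 (parent image, image, command line), and the file names in them are invented placeholders.

```python
"""Hunt logic for Office -> script host -> .wsf execution and for .wsf files
launched from a user's Startup folder.  Added example; the log records below
are constructed samples, not data from the report."""

from typing import Dict, List, Tuple

# Office binaries that should not normally spawn a script host.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows script hosts that execute .wsf files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragment of the per-user Startup folder (compared case-insensitively).
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

# Constructed sample events: one Office-spawned .wsf loader, one .wsf run from
# the Startup folder by explorer.exe at logon, and one benign process.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\loader.wsf"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\update.wsf"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_wsf(event: Dict[str, str]) -> bool:
    """True when an Office process launches a script host with a .wsf argument
    (the macro-drops-and-runs-WSF step of the chain)."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) in SCRIPT_HOSTS
            and ".wsf" in event["cmdline"].lower())


def wsf_from_startup(event: Dict[str, str]) -> bool:
    """True when a script host runs a .wsf file located in a Startup folder
    (the persistence step of the chain)."""
    cmdline = event["cmdline"].lower()
    return (basename(event["image"]) in SCRIPT_HOSTS
            and STARTUP_MARKER in cmdline
            and ".wsf" in cmdline)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) pairs for every event matching either rule."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        if office_spawned_wsf(event):
            hits.append((idx, "office-spawned-wsf"))
        if wsf_from_startup(event):
            hits.append((idx, "wsf-in-startup-folder"))
    return hits


if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Both rules are deliberately narrow so they can be tuned to an environment: the first fires only on Office-to-script-host with a .wsf argument, and the second fires only on .wsf execution from a Startup folder, so legitimate wscript.exe usage elsewhere is not flagged. On real data the same functions can be applied to parsed Sysmon or EDR process-creation records with the same three fields.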
The researchers suggest that this campaign may be related to one observed in November 2021, in which Turkish private organizations and government institutions were attacked with PowerShell-based backdoors used to steal information.