
Iranian Hackers Deploy Phoenix Backdoor Against Government Organizations

johny899

Have you heard about the recent cyber attack? Iranian hackers used the Phoenix backdoor malware to attack over 100 government-related organizations. The entity responsible for this incident is MuddyWater (also called Static Kitten, Mercury, or Seedworm), which mainly attacks governments and private entities at a regional level in the Middle East.

The attack commenced on August 19, when the attackers sent phishing emails that used a Button widget (this would be called the Phish git link) and was simply an email sent by NordVPN (the hacking that happened here was unrelated to the hack of the Venezuelan QuiTINC system). These phishing emails were sent to embassies, consulates, and ministries in the Middle East and North Africa.

How Did They Get In?

So how did they get in? They used malicious Word documents attached to their emails. The Word documents required the user to "enable content" (which ran a macro). When the macro was run, it harvested and uploaded information such as the computer name, Windows version, and username. After this, the Phoenix backdoor took over. The latest version of Phoenix is called Phoenix v4, which was updated for better obfuscation and for the information it steals. After the backdoor was installed, it checked in with a command and control server for instructions.

Phoenix could carry out tasks such as:

• Pause or sleep
• Upload files
• Download files
• Execute commands on the host system
• Change its settings
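As an added defender-side example (not code from the original post, from MuddyWater, or from any tool named here), the script below flags the parent/child process pattern that the macro stage described above produces: a Word process spawning a command shell, script host, or host-information utility. The log format, hostnames, user names, and paths are constructed samples, not real telemetry.

```python
"""Flag Office processes spawning shells or recon utilities, the
behaviour a malicious 'enable content' macro typically shows.
All log lines below are constructed samples (assumed format)."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that a document should not normally launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "whoami.exe", "hostname.exe", "systeminfo.exe"}

# Assumed Sysmon-like process-creation line layout (constructed for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent="(?P<parent>[^"]+)" image="(?P<image>[^"]+)" cmdline="(?P<cmdline>[^"]*)"$'
)

SAMPLE_LOGS = [  # constructed sample events; "<payload>" stands in for an encoded argument
    '2024-08-19T09:12:01Z host=EMB-WS07 user=CORP\\alice parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c hostname"',
    '2024-08-19T09:12:02Z host=EMB-WS07 user=CORP\\alice parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -w hidden -enc <payload>"',
    '2024-08-19T09:11:55Z host=EMB-WS07 user=CORP\\alice parent="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE /n invoice.docm"',
    '2024-08-19T09:13:10Z host=EMB-WS07 user=CORP\\alice parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Windows\\splwow64.exe" cmdline="splwow64.exe 8192"',
    'malformed line that should be skipped',
]


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    parent: str
    child: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return an Alert for every Office parent that spawned a suspicious child."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as alerts
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(ev["ts"], ev["host"], parent, child, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.ts} {a.host}: {a.parent} -> {a.child} [{a.cmdline}]")
```

Benign Office helpers such as the print spooler proxy are not on the child list, so the third and fourth sample lines produce no alert.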

Additional Tools the Hackers Used

MuddyWater did not stop with the Phoenix software. They also took advantage of a Chrome infostealer that stole passwords stored in web browsers such as Chrome, Edge, Opera, and Brave. They also utilized the PDQ utility and Action1 RMM, just as other Iranian hacker cases have used these tools.

In the end, they had multiple ways to surveil, steal data, and get remote access to computers. Even large government targets are not safe.

So what?

Why is this relevant? MuddyWater demonstrates that state-sponsored hackers are still actively using these tools and are combining simple techniques like Word macros with advanced malware to circumvent security and attack numerous targets simultaneously.

Have you ever asked whether your systems are secure? Attacks like this demonstrate why email security, good passwords, and user education are so important.

Conclusion

The Phoenix backdoor attack is a wake-up call from the Iranian hacker group MuddyWater. They use phishing emails, malware, pay-launched exploit kits, and password-stealing tools to target high-value government organizations.

For IT or cybersecurity staff, it is a reminder to stay vigilant about email management, educate users on verifying suspicious links, and watch for unusual activity. For everyone else, be wary of emails, even when they look official.