Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign
Briefly

"The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering, Singaporean cybersecurity company Group-IB said in a technical report published today."
"The attack chain essentially involves the threat actor distributing weaponized Microsoft Word documents that, when opened, prompt the email recipients to enable macros in order to view the content. Once the unsuspecting user enables the feature, the document proceeds to execute malicious Visual Basic for Applications (VBA) code, resulting in the deployment of version 4 of the Phoenix backdoor. The backdoor is launched by means of a loader called FakeUpdate that's decoded and written to disk by the VBA dropper."
According to the report, MuddyWater sent the lures from a compromised email account that the operators accessed through NordVPN, pushing the Phoenix backdoor to targets across the MENA region, among them more than 100 government entities. The victims were mainly embassies, diplomatic missions, foreign affairs ministries, consulates, international organisations and telecommunications firms. Each lure was a Microsoft Word document that asked the recipient to enable macros; once enabled, the VBA code wrote the FakeUpdate loader to disk, and the loader decrypted an AES-encrypted payload, the fourth version of the Phoenix backdoor. The stated goal of the operation is access to high-value targets for intelligence collection.
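The chain above (Word macro writes a loader to disk, the loader is then launched) leaves a host-level footprint that is easy to correlate. The detection below is an added example written for this summary; it is not code from Group-IB or The Hacker News and uses no indicators from the report. It runs over constructed Sysmon-style events (EventID 1 = process creation, EventID 11 = file creation, Sysmon field names), and every hostname and file path in the sample, including the dropped file name, is hypothetical.

```python
"""Correlate Office-dropper behaviour across Sysmon-style events.

Rules (added example, not from the original page):
  office_writes_executable: an Office process creates a file with an
      executable/script extension.
  dropped_file_executed:    a process is later started from a path that
      an Office process wrote on the same host (the FakeUpdate pattern).
  office_spawns_process:    an Office process spawns a child that is not
      on a small allowlist (noisier; tune the allowlist per estate).
"""
import json
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXEC_EXTS = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".hta")
# Common benign children of Office (printing helper, error reporting); adjust locally.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Constructed sample telemetry; hosts, users and paths are hypothetical.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\~WRD0001.tmp"},
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\analyst\AppData\Roaming\Update\svc_update.exe"},   # hypothetical dropped loader
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Users\analyst\AppData\Roaming\Update\svc_update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
])


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office(image: str) -> bool:
    return basename(image) in OFFICE_IMAGES


def detect(events):
    """Return a list of (rule, host, path) alerts in event order."""
    dropped = defaultdict(set)   # host -> lower-cased paths written by Office
    alerts = []
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if is_office(ev["Image"]) and target.lower().endswith(EXEC_EXTS):
                dropped[host].add(target.lower())
                alerts.append(("office_writes_executable", host, target))
        elif ev["EventID"] == 1:
            image = ev["Image"]
            if image.lower() in dropped[host]:
                # Strongest signal: execution of a file Office itself wrote.
                alerts.append(("dropped_file_executed", host, image))
            elif is_office(ev["ParentImage"]) and basename(image) not in BENIGN_OFFICE_CHILDREN:
                alerts.append(("office_spawns_process", host, image))
    return alerts


def detect_jsonl(text: str):
    """Parse newline-delimited JSON events and run the rules over them."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for rule, host, path in detect_jsonl(SAMPLE_JSONL):
        print(f"{host}: {rule}: {path}")
```

The `dropped_file_executed` rule is the one worth paging on: it ties the file-write and the process-start together by path, so it does not depend on knowing the loader's name in advance. The plain parent-child rule catches the same lure when the macro runs something already on disk, but it needs an allowlist maintained for the environment.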
Read at The Hacker News