Iranian Hacking Group MuddyWater targeting Turkish Hospitals! 😠 Using Malicious PDF and XLS files to execute PowerShell Scripts

Cisco Talos reports that the Iranian-backed hacking group MuddyWater AKA MERCURY AKA Static Kitten has been caught on another hacking campaign this time targeting Turkish hospitals 😡 and other government departments in Turkey. The campaign used malicious PDF and XLS files with embedded VBA macros. These macros contain VBA and PowerShell destructive scripts that run and allow MuddyWater to access the victim system via C2.😤😤

Another high profile target of this MuddyWater campaign was Tubitak which is the Scientific and technological research council in Turkey. PDFs and XLS files were hosted on a domain named snapfile.org and has been social engineered to lure victims in like example below 

Example Malicious PDF file MuddyWater attack victims with 

Malicious files were also named as legitimate files in order to masquerade Turkish Health Department 

Malicious XLS files posted with Fake names by MuddyWater

Embedded VBA and PowerShell scripts are then executed in file which will download other PowerShell modules and infect victims system. VBA macros all had a registry key included too. VBA and first PowerShell script will then download a 2nd PowerShell Script that will give MuddyWater C2 capability 

Malicious PowerShell Script

Talos were able to know MuddyWater was behind this attack due to sloppy behavior by the group. One of IP Addresses used for C2 server was used in January 2021 by MuddyWater. They are also using tracking tokens from Canary Tokens to see how many systems are affected. They also need to use a LOLBin script to be able to execute PowerShell script. 

Turkey has been an Ally to this regime supporting Hamas! and now they target a Hospital? This extent of Evil in this regime knows no bounds!! 👺👺👺