An Iranian threat actor known as MuddyWater has been attributed to a spear-phishing campaign targeting diplomatic, maritime, financial and telecommunications entities in the Middle East with a Rust-based implant codenamed RustyWater.
“The campaign uses icon spoofing and malicious Word documents to deliver a Rust-based implant capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion,” CloudSEK researcher Prajwal Awasthi said in a report published this week.
The latest development reflects the continued evolution of MuddyWater’s tradecraft, which has slowly but steadily reduced its reliance on legitimate remote access software as post-exploitation tools in favor of a diverse custom malware arsenal featuring tools like Phoenix, UDPGangster, BugSleep (aka MuddyRot) and MuddyWiper.
This hacking group, also tracked as Mango Sandstorm, Static Kitten and TA450, is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It has been operational since at least 2017.
The attack chains that deliver RustyWater are fairly straightforward: spear-phishing emails masquerading as cybersecurity guidelines carry a Microsoft Word document that, when opened, instructs the victim to “enable content,” which triggers a malicious VBA macro responsible for deploying the Rust implant binary.
Also known as ARCHER RAT and RUSTRIC, RustyWater collects victim machine information, detects installed security software, establishes persistence via Windows registry keys, and contacts command-and-control (C2) servers (“nomercys.it[.]com”) to facilitate file operations and command execution.
It is worth noting that the use of RUSTRIC was flagged late last month by Seqrite Labs as part of attacks targeting information technology (IT), managed service provider (MSP), human resources and software development companies in Israel. The cybersecurity company tracks the activity under the names UNG0801 and Operation IconCat.
“Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations,” CloudSEK said. “The introduction of Rust-based implants represents a remarkable tooling evolution toward more structured, modular, and lower-noise RAT capabilities.”