What is MuddyWater?

MuddyWater, first seen in Iraq and Saudi Arabia in 2017, is a relatively new APT. Researchers recently noticed a large number of spear-phishing documents that appear to target government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continued targeting of Iraq and Saudi Arabia. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

The new spear-phishing documents used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, researchers were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

The table below lists examples of the lure documents observed in the MuddyWater attacks. Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks suggest the campaign is geopolitically motivated, targeting sensitive personnel and organizations.

Month    | File Name or Decoy Document Theme                                                              | Suspected Target Region
---------|------------------------------------------------------------------------------------------------|-------------------------------------
Nov 2017 | The NSA; Telenor.doc                                                                           | Unknown; Pakistan
Oct 2017 | Circulars.doc; dollar.doc; Pakistan Federal Investigation Agency; CV of Middle Eastern Civil Servant |
Sep 2017 | Iraq National Intelligence Service; Kaspersky Security solution 2017.doc                       | Iraq
Aug 2017 | Arab Emirate سری.docm; Iraq Commission of Integrity                                           | Arab Emirates
Jul 2017 | Requirements of the Sago.doc; CommIT-Document.doc; Confidential letters.doc                    | Saudi Arabia; Arab Emirates
Jun 2017 | Iraq Kurdistan Regional Government; RFP_VOIP.doc                                               | Iraq
May 2017 | RFP.doc; Requirement.doc                                                                       | Iraq Kurdistan Regional Government
Mar 2017 | court.doc                                                                                      | Georgia
Feb 2017 | CERT-Audit-20172802-GEO.xls                                                                    | Georgia


Recommendations for organizations

Effective protection from targeted attacks rests on advanced detective, preventive and investigative capabilities, delivered through solutions and training, which allow an organization to control activity on its network and suspicious files on user systems.

The best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those related to improper system configurations or errors in proprietary applications. Organizations are also recommended to implement the following steps for an enhanced level of protection at their premises.

  • Use PowerShell Constrained Language Mode, since the attackers’ PowerShell code relies on IEX, Add-Type and New-Object.
  • Lock the PowerShell execution policy to “AllSigned” via GPO.
  • Deploy an application whitelisting solution that can block specific parent-child process execution chains.
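The recommendations above translate into something a SOC can check for: macro-enabled documents spawning PowerShell, and PowerShell command lines that lean on IEX, Add-Type or New-Object. The following is an added example, not code from the page or from Kaspersky; it assumes a constructed key="value" process-creation event format and uses made-up sample events.

```python
"""Flag process chains and PowerShell invocations of the kind the MuddyWater
recommendations aim to block. Added example; events below are constructed."""
import re
from dataclasses import dataclass

# Office applications that a macro-bearing lure document would run under.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Cmdlets/aliases named in the recommendations; Constrained Language Mode
# restricts Add-Type and New-Object, so seeing them in macro-spawned
# PowerShell is a strong signal.
SUSPICIOUS_TOKENS = re.compile(r"\b(iex|invoke-expression|add-type|new-object)\b", re.I)
POLICY_BYPASS = re.compile(r"-(ep|executionpolicy)\s+bypass", re.I)

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def parse_event(line: str) -> ProcessEvent:
    # Constructed format: parent="..." image="..." cmd="..." (no quotes inside values).
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["parent"].lower(), fields["image"].lower(), fields["cmd"])

def classify(ev: ProcessEvent) -> list[str]:
    """Return a list of finding labels for one event (empty if nothing matched)."""
    findings = []
    parent = ev.parent_image.rsplit("\\", 1)[-1]   # strip directory, keep basename
    child = ev.image.rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS and child in POWERSHELL:
        findings.append("office-spawned-powershell")
    if child in POWERSHELL:
        hits = {m.lower() for m in SUSPICIOUS_TOKENS.findall(ev.command_line)}
        if hits:
            findings.append("suspicious-cmdlets:" + ",".join(sorted(hits)))
        if POLICY_BYPASS.search(ev.command_line):
            findings.append("execution-policy-bypass")
    return findings

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced findings."""
    results = {i: classify(parse_event(line)) for i, line in enumerate(lines)}
    return {i: f for i, f in results.items() if f}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -ep bypass -w hidden -c Add-Type -TypeDefinition $src; IEX $code"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -File C:\scripts\backup.ps1"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c dir"',
    r'parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -NoProfile -c New-Object -ComObject WScript.Shell"',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Only the first event trips all three rules; the fourth shows that the cmdlet check fires on its own, which is useful for tuning before the parent-child rule is enforced in a whitelisting product.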



The MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify in the near future.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

  • Educate general staff to recognize malicious behavior such as phishing links.
  • Educate information security staff to have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.
  • Make sure enterprise-grade patch management processes are well established and executed.
  • High-profile organizations should maintain elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.
