Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables

MuddyWater has conducted various campaigns against entities spread throughout the U.S.A., Europe, the Middle East and South Asia.

A typical TTP employed by the group is heavy scripting in its infection chains, using languages like PowerShell and Visual Basic, coupled with frequent use of living-off-the-land binaries (LoLBins).

Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. The campaign uses malicious PDFs and Microsoft Office documents (maldocs) as the initial infection vector. These maldocs were named to masquerade as legitimate documents from the Turkish Health and Interior Ministries.

Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads.

Source: Talos