MuddyWater APT Targets CFOs via OpenSSH; Enables RDP and Scheduled Tasks

A sophisticated spear-phishing campaign attributed to the Iranian-linked APT group MuddyWater is actively compromising CFOs and finance executives across Europe, North America, South America, Africa, and Asia.

The attackers impersonate recruiters from Rothschild & Co, deploying Firebase-hosted phishing pages that gate the next stage behind a custom math-based CAPTCHA challenge, which both lends the pages legitimacy and keeps automated crawlers and sandboxes from reaching the payload.

These lures lead victims to download malicious ZIP archives containing VBS scripts, which initiate a multi-stage infection chain.

Spear-Phishing Campaign Installing Netbird and Enabling Remote Access

Evolving Phishing Tactics

The payloads abuse legitimate remote-access tools, NetBird and OpenSSH, to establish persistent control, enabling Remote Desktop Protocol (RDP) access and registering scheduled tasks so that access survives reboots.

Investigations reveal infrastructure shifts from IP 192.3.95.152 to 198.46.178.135, with varying payload paths such as /job/ and /scan/ within Firebase projects, indicating adaptive evasion techniques.

The attack begins with socially engineered emails that send targets to phishing domains such as googl-6c11f.firebaseapp.com. There, a redirect encrypted client-side with CryptoJS (AES) is decrypted only after the visitor passes a simple arithmetic check, and then forwards the browser to secondary web.app sites hosting fake Google Drive interfaces.

Fake Google Drive page prompting users to complete a reCAPTCHA to access the file.

Upon interaction, victims receive ZIP files disguised as PDFs, embedding VBS downloaders that fetch secondary payloads from attacker-controlled servers.

These scripts silently install NetBird and OpenSSH, configure auto-start services, and create hidden local administrator accounts with credentials like “user / Bs@202122”.

Persistence is reinforced through registry modifications that disable password expiration on the new account, enabling RDP and adjusting the Windows Firewall to allow it, and scheduled tasks that restart NetBird after boot, while desktop shortcuts are removed so the installed tools stay out of the victim's sight.

Static analysis of artifacts, including cis.vbs and trm.zip, shows consistent tactics, techniques, and procedures (TTPs) overlapping with prior MuddyWater operations, such as the abuse of AteraAgent.exe in related droppers.

Attribution Strengthened

Pivoting on distinctive patterns, such as French-language math challenges and AES-encrypted redirects, uncovered additional Firebase domains like cloud-233f9.web.app and cloud-ed980.firebaseapp.com, all employing similar phishing kits with hardcoded passphrases for client-side decryption.

These lead to malicious redirects, including my1cloudlive.com and web-16fe.app, expanding the campaign’s scope.

Cross-referencing with threat intelligence feeds, including Maltrail and VirusTotal, links the infrastructure to MuddyWater, notably through reused IPs hosting Gophish toolkits and open directories mirroring payload structures.

For instance, my-sharepoint-inc.com exposed VBS droppers deploying AteraAgent, aligning with documented MuddyWater campaigns since March 2024.

This evolution suggests a resourceful adversary adapting to detection, shifting command-and-control (C2) hosts while retaining core elements such as identical service names and the same NetBird setup key (E48E4A70-4CF4-4A77-946B-C8E50A60855A); because a setup key enrolls peers into a specific NetBird account, its reuse ties every victim to the same attacker-controlled network and makes the key a durable indicator.

Mitigation requires blocking associated IOCs at network perimeters, auditing tool installations via application allowlisting, and deploying endpoint detection rules for VBS execution, suspicious account creation, and service anomalies.

Proactive infrastructure mapping using tools like HuntSQL can uncover these threats early, preventing escalation to data exfiltration or prolonged compromise.

As MuddyWater refines its methods, organizations must prioritize advanced phishing defenses and sandboxing to counter the abuse of legitimate software in targeted intrusions.

Key Indicators of Compromise (IOCs)

Type          Value                                  Description
Domain        googl-6c11f.firebaseapp.com            Phishing page
IP Address    198.46.178.135                         C2 hosting
File          F-144822.vbs                           VBS payload
Hash (MD5)    0aa883cd659ef9957fded2516b70c341       cis.vbs
Credential    user / Bs@202122                       Admin account
Setup Key     E48E4A70-4CF4-4A77-946B-C8E50A60855A   NetBird key


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.