The Iran-linked MuddyWater Advanced Persistent Threat (APT) group has launched a sophisticated spear-phishing campaign targeting critical sectors across the Middle East. This latest offensive leverages weaponized Word documents to deploy a new Rust-based malware, dubbed ‘RustyWater’, signaling a significant shift in the group’s preferred tooling. Researchers have identified RustyWater’s ability to evade common antivirus and endpoint detection and response (EDR) solutions through advanced obfuscation and detection avoidance techniques.
The campaign typically begins with carefully crafted emails impersonating legitimate organizations, designed to win the recipient’s trust. These messages carry malicious Word documents, often disguised as policy updates or cybersecurity advisories. When the document is opened, the victim is prompted to enable macros; once they are enabled, the embedded Visual Basic for Applications (VBA) code runs and starts the infection chain. The campaign was first identified by CloudSEK researchers, who noticed unusual patterns of threat activity.
MuddyWater’s Evolved Tactics: The RustyWater Toolkit
The malicious Word documents use two VBA macro functions to deploy the RustyWater payload. The first, WriteHexToFile, extracts hexadecimal-encoded data hidden in a UserForm control, converts it to binary, and writes it to a file named CertificationKit.ini in the ProgramData folder. The second, love_me_, never stores its command strings as literals: it builds them at runtime from individual character codes, reconstructs the name WScript.Shell the same way, and then executes the dropped payload through cmd.exe. Because the strings only exist in memory once the macro runs, a static scanner looking for “WScript.Shell” or “cmd.exe” in the document never sees them, and the hex blob in the UserForm is just as opaque to signatures written for executables.
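The two macro tricks above are exactly what an analyst reverses by hand when triaging such a document: collapse the Chr()-concatenation back into literal strings, then turn the hex blob back into bytes. The script below is an added example, not code from the article or from the RustyWater sample; the macro text and hex data it works on are constructed here in the style the article describes, and the exact Chr() layout is an assumption.

```python
import re
import binascii

# Constructed sample in the style of the two macro functions the article
# describes (hex data in a UserForm control, Chr()-built strings). This is
# NOT the actual RustyWater macro; the Chr() layout is an assumption.
SAMPLE_MACRO = r'''
Private Sub WriteHexToFile()
    Dim hexData As String
    hexData = UserForm1.TextBox1.Text
    ' ... converts hexData to bytes and writes %ProgramData%\CertificationKit.ini
End Sub

Private Sub love_me_()
    Dim s As String, c As String
    s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    c = Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101) & " /c " & Environ("ProgramData") & "\CertificationKit.ini"
    CreateObject(s).Run c, 0
End Sub
'''

# Constructed hex blob standing in for the UserForm control contents;
# a real PE would start with the "MZ" header (4D 5A) as this one does.
SAMPLE_HEX = "4D 5A 90 00 03 00 00 00\n04 00 00 00 FF FF 00 00"

# One run of Chr()/ChrW() calls joined by '&', e.g. Chr(87) & Chr(83)
CHR_RUN = re.compile(r'ChrW?\(\s*\d+\s*\)(?:\s*&\s*ChrW?\(\s*\d+\s*\))*')
CHR_CODE = re.compile(r'ChrW?\(\s*(\d+)\s*\)')
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def decode_chr_runs(vba: str) -> str:
    """Replace every Chr()-concatenation run with the literal VBA string it builds."""
    def collapse(match: re.Match) -> str:
        text = ''.join(chr(int(code)) for code in CHR_CODE.findall(match.group(0)))
        return '"' + text.replace('"', '""') + '"'   # VBA escapes a quote as ""
    return CHR_RUN.sub(collapse, vba)


def string_literals(vba: str) -> list:
    """All string literals visible once Chr() runs have been collapsed."""
    return [s.replace('""', '"') for s in STRING_LITERAL.findall(decode_chr_runs(vba))]


INDICATORS = ("wscript.shell", "cmd.exe", "programdata", "certificationkit.ini")


def suspicious_indicators(vba: str) -> list:
    """Indicator strings from the article's description, present only after deobfuscation."""
    blob = ' '.join(string_literals(vba)).lower()
    return [ind for ind in INDICATORS if ind in blob]


def hex_to_bytes(hex_text: str) -> bytes:
    """Mirror of WriteHexToFile's conversion: strip whitespace, decode hex pairs."""
    return binascii.unhexlify(''.join(hex_text.split()))


if __name__ == "__main__":
    print(decode_chr_runs(SAMPLE_MACRO))
    print("indicators:", suspicious_indicators(SAMPLE_MACRO))
    payload = hex_to_bytes(SAMPLE_HEX)
    print("payload header:", payload[:2], "length", len(payload))
```

Run it against the raw macro text and none of the indicator strings are present; run it against the output of decode_chr_runs and all of them appear, which is the whole point of the Chr() trick. A real triage would pull the VBA and the UserForm contents out of the document with a tool such as oletools first and feed them to these functions.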
RustyWater combines several evasion and persistence mechanisms to keep its foothold on a compromised system. For persistence it writes a value under the current user’s Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) pointing at the dropped CertificationKit.ini, so the payload is launched again each time the user logs on. This is a commonplace technique rather than a sophisticated one, and it is also one of the most visible: the value survives only as long as the key and the file do, and a value set under Run is exactly what Sysmon registry events and most EDR persistence monitors record.
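The Run-key behaviour above is easy to hunt for, and the combination the article describes (a value that launches something from ProgramData, that points at a file with a data-file extension, and that does so through cmd.exe) stands out from ordinary autostart entries. The script below is an added example, not the researchers’ tooling; the three sample Run values are constructed for an offline run, with the suspicious one modelled on the article’s description (its name and command line are assumptions). On Windows it reads the live HKCU Run key instead.

```python
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed Run-key contents for an offline demonstration. The third
# entry is modelled on the article's description (a value pointing at
# CertificationKit.ini under ProgramData); the others are typical benign
# entries. Name and exact command line are assumptions, not observed data.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "CertificationKit": r"cmd.exe /c C:\ProgramData\CertificationKit.ini",
}

# Drive-letter or %VAR%-rooted paths inside a command line
PATH_TOKEN = re.compile(r'(?:[A-Za-z]:|%[A-Za-z_]+%)\\[^\s"]+')
NON_EXEC_EXT = (".ini", ".txt", ".dat", ".log", ".tmp")
INTERPRETERS = {"cmd", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}


def launcher(value: str) -> str:
    """Base name of the program a Run value actually starts, without .exe."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        head = v[1:end] if end > 0 else v[1:]
    else:
        head = v.split()[0] if v.split() else ""
    base = head.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def classify_run_entry(value: str) -> list:
    """Reasons a Run value deserves a look; an empty list means nothing notable."""
    reasons = []
    paths = PATH_TOKEN.findall(value)
    if any(p.lower().startswith(("c:\\programdata", "%programdata%")) for p in paths):
        reasons.append("launches from ProgramData")
    if any(p.lower().endswith(NON_EXEC_EXT) for p in paths):
        reasons.append("target has a non-executable extension")
    if launcher(value) in INTERPRETERS:
        reasons.append("wrapped in a script interpreter or shell")
    return reasons


def audit_run_entries(entries: dict) -> dict:
    """Map of entry name -> reasons, for entries with at least one reason."""
    return {name: r for name, value in entries.items() if (r := classify_run_entry(value))}


def read_hkcu_run() -> dict:
    """Read the live HKCU Run key on Windows; on other platforms return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:       # no more values
                break
            entries[name] = str(data)
            i += 1
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_RUN_ENTRIES
    for name, reasons in audit_run_entries(entries).items():
        print(f"{name}: {entries[name]}")
        for reason in reasons:
            print("   -", reason)
```

Each reason on its own produces false positives (plenty of legitimate software starts from ProgramData), so treat the count as a score and review entries with two or more; the constructed CertificationKit value scores three.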
To hinder analysis, RustyWater XOR-encrypts all of its internal strings (the researchers describe the scheme as position-independent) and decrypts them only at the point of use, so an analyst gets no usable strings from the binary without recovering the routine and the key. Before executing its core functionality the malware checks the system for more than 25 antivirus and EDR products, looking at service names, agent file paths and installation directories. If it finds one it stays dormant rather than running its payload. That choice cuts both ways for defenders: a sandbox with a visible security agent may never observe the malicious behaviour at all, so detonation should be done on an image that looks like an unprotected workstation.
The malware collects basic victim information: username, computer name and domain. It packages this as JSON and then applies several layers of encoding combining base64 and XOR (the write-up counts three) before sending it. That is enough to keep usernames and hostnames out of simple content inspection, but it is encoding with a key embedded in the sample rather than encryption with a secret, so once the binary has been analysed the beacons can be decoded. For HTTP communication with its command and control (C2) servers RustyWater uses the Rust reqwest library, which gives it timeouts and connection pooling; retry logic is not part of reqwest itself and has to be implemented on top of it.
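To make the point concrete, the script below encodes a victim profile the way the article describes and then decodes it two ways: with the key, and without it, using only the fact that a JSON beacon starts with a predictable prefix. It is an added example and not RustyWater’s code; the key, the order of the layers (JSON, then XOR, then base64) and the victim data are all assumptions, since the article names the layers but not their order or key.

```python
import base64
import json

# Assumed key and assumed layering (JSON -> XOR -> base64). The article
# names base64 and XOR but not their order or the key; a real key would
# come from reversing the binary, where the XOR-encrypted strings are decoded.
KEY = b"RustyKey"

# Constructed victim profile with the fields the article lists.
SAMPLE_INFO = {"username": "alice", "computer": "WS-0421", "domain": "CORP"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(info: dict, key: bytes) -> str:
    """What goes on the wire: JSON, XORed with the key, then base64."""
    raw = json.dumps(info, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, key)).decode()


def decode_beacon(blob: str, key: bytes) -> dict:
    """Reverse the layers with a known key."""
    return json.loads(xor_bytes(base64.b64decode(blob), key))


def recover_key_fragment(blob: str, crib: bytes) -> bytes:
    """Known-plaintext attack: a JSON beacon starts with a predictable prefix,
    so XORing that prefix with the ciphertext yields the key bytes at those
    positions (cycled if the crib is longer than the key)."""
    ct = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(ct, crib))


SAMPLE_BLOB = encode_beacon(SAMPLE_INFO, KEY)

if __name__ == "__main__":
    print("on the wire:", SAMPLE_BLOB)
    print("decoded with key:", decode_beacon(SAMPLE_BLOB, KEY))
    frag = recover_key_fragment(SAMPLE_BLOB, b'{"username":"')
    print("key bytes leaked by the JSON prefix:", frag)
    print("decoded with recovered key:", decode_beacon(SAMPLE_BLOB, frag[:len(KEY)]))
```

Because the key repeats, a crib longer than the key recovers all of it, and the JSON field names that the malware helpfully sends with every beacon are a long enough crib here. That is the practical difference between this kind of obfuscation and real encryption: it delays a content-inspection signature, it does not prevent one.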
To further obscure its network activity, RustyWater inserts random sleep intervals between C2 contacts. This jitter defeats detection that looks for a fixed beacon period, although the destination, the request shape and the overall volume of contacts remain visible to anyone collecting proxy or DNS logs. MuddyWater’s move to Rust for RustyWater is a notable change in tooling: Rust binaries are large, statically linked and less familiar to analysts and signature authors, which raises the cost of reverse engineering, but it does not make the behaviour itself (dropping a file, setting a Run value, beaconing) any less visible to behavioural detection.
The implications of this campaign are significant given the targeted sectors: diplomatic, maritime, financial and telecommunications. RustyWater’s ability to bypass standard defences poses a substantial risk to operational integrity and data security for organizations in the Middle East. As researchers continue to analyse the malware, further details of its capabilities and targets are expected to emerge. Beyond security awareness training and up-to-date endpoint protection, the infection chain described here offers concrete control points: block or restrict VBA macros in documents received from the internet (recent Office versions block them by default), alert when Word spawns cmd.exe or WScript, and monitor writes to the Run key and to ProgramData.

