Revisiting the Past: Iranian Hackers Take Advantage of Macros


MuddyWater Resumes Use of Bulletproof Hosting and Custom Malware

What's Old Is New Again as Iranian Hackers Exploit Macros

An Iranian state-sponsored hacking group, MuddyWater, is reportedly reviving its tactics by incorporating Microsoft Office documents with malicious macros into its attack methods. This shift marks a return to older hacking techniques that have long been favored by cybercriminals. The group’s operations generally begin with phishing emails, a common initial access strategy among Iranian threat actors, heavily reliant on social engineering to gain entry into targeted systems.

Recent reports from researchers at Group-IB suggest that MuddyWater has significantly updated its tools and methods, including the adoption of bulletproof hosting services and more tailored malware for command-and-control purposes. One of the notable shifts has been the renewed emphasis on Microsoft Office macros, previously a staple in the group's toolkit. U.S. intelligence agencies attributed MuddyWater’s activities to Iran’s Ministry of Intelligence and Security in 2022, affirming its involvement in numerous cyber-espionage campaigns since at least 2017.

Macro malware has become something of a cliché in the hacking community: attackers misuse Visual Basic for Applications (VBA) within Office documents to execute harmful scripts. While Microsoft has attempted to bolster protections against macro abuse, including blocking macros by default as of July 2022, many users remain unaware of the associated risks and can easily bypass these defenses. Group-IB recommends that organizations restrict macro execution altogether, allowing only digitally signed macros where they are absolutely necessary.
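Group-IB's recommendation maps onto two documented Office policy values: the VBA macro notification setting (value 3 means "disable all macros except digitally signed macros") and the setting that blocks macros in files downloaded from the internet. The PowerShell script below is an added example, not code from the article or from Group-IB; it audits those values for Word, Excel and PowerPoint on the current user and can optionally enforce them. It assumes Office 2016 or later / Microsoft 365 (the 16.0 policy hive) and the HKCU policy path; both are assumptions to adjust for other builds.

```powershell
# Added example, not code from the article or from Group-IB.
# Audits (and with -Enforce, sets) the per-user Office policy values behind the
# Group Policy settings "VBA Macro Notification Settings" and "Block macros from
# running in Office files from the Internet".
# Assumptions: Office 2016+/Microsoft 365 (policy hive 16.0) and that policy
# values live under HKCU:\Software\Policies.

function Get-OfficeMacroPolicyStatus {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0',                     # assumption: Office 2016+ / Microsoft 365
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [switch]$Enforce                                     # write the desired values instead of only reporting
    )

    # Desired state. VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $desired = [ordered]@{
        VBAWarnings                       = 3
        blockcontentexecutionfrominternet = 1   # 1 = block macros in files carrying Mark of the Web
    }

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        # Create the policy key only when enforcing; a missing key is reported otherwise.
        if ($Enforce -and -not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        foreach ($name in $desired.Keys) {
            $current = $null
            if (Test-Path -Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }

            if ($Enforce -and ($current -ne $desired[$name])) {
                # Policy values are REG_DWORD; -Force overwrites an existing value.
                New-ItemProperty -Path $key -Name $name -Value $desired[$name] `
                    -PropertyType DWord -Force | Out-Null
                $current = $desired[$name]
            }

            $display = '<not set>'
            if ($null -ne $current) { $display = $current }

            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $display
                Desired   = $desired[$name]
                Compliant = ($current -eq $desired[$name])
            }
        }
    }
}

# Report only: one row per application and setting, with a Compliant column.
Get-OfficeMacroPolicyStatus | Format-Table -AutoSize

# Apply the signed-macros-only baseline for the current user:
# Get-OfficeMacroPolicyStatus -Enforce | Format-Table -AutoSize
```

In a managed environment the same values should be delivered through Group Policy or Intune rather than written per user; the script is most useful for verifying that the policy actually landed on a given endpoint, and its `Compliant` column can be collected as a simple configuration-drift check.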

The samples of MuddyWater’s malicious documents revealed by Group-IB feature decoy text and embedded VBA macros intended to deploy the Phoenix backdoor. This return to using macros for initial exploitation indicates a departure from the group’s previous reliance on remote monitoring and management (RMM) tools. Over the past couple of years, MuddyWater has frequently compromised email accounts and associated them with RMM accounts, peaking in volume in 2024.

The group’s shift away from RMM tools is itself noteworthy. MuddyWater had previously used legitimate, signed RMM applications as part of its attacks, embedding links in phishing emails to lure victims into downloading the RMM software. Legitimate products used in this manner included popular tools such as Atera and N-able, which allowed the attackers to surveil networks and exfiltrate sensitive data.

In addition to RMM tools, these attackers have access to a wide array of malware, including variants like DarkBeatC2 and PhonyC2. Group-IB noted that the extensive resources at their disposal have enabled them to employ commercial services such as Amazon Web Services and Cloudflare, which are leveraged to obscure their infrastructure and evade detection.

The attackers’ reliance on bulletproof hosting services—platforms operating in jurisdictions that ignore Western takedown requests—provides them with enhanced anonymity. This allows MuddyWater to conduct operations with reduced risk of detection. Group-IB also indicated that the group occasionally limits its command-and-control servers’ uptime to further conceal its activities.

Furthermore, the sophistication of MuddyWater’s tactics has escalated with the deployment of advanced malware such as BugSleep and Stealth Cache to facilitate data transfer between compromised systems. A 2022 Cisco Talos report identified the use of ransomware as a tactic employed by MuddyWater to either destroy evidence of intrusions or disrupt operations.

In June, U.S. officials cautioned that Iranian cyber actors remain a significant threat to critical infrastructure, especially following the uptick in hostilities between Iran and Western nations. This concern underscores the evolving landscape of cyber threats and the imperative for organizations to bolster their defenses against such state-sponsored cybercrime activities.

In summary, MuddyWater’s renewed tactics, including the return to malicious macros and the incorporation of advanced malware tools, indicate an adaptive threat landscape that requires ongoing vigilance from businesses and cybersecurity professionals alike.
