Security researchers have identified a new spear-phishing campaign by the Iranian threat actor MuddyWater, deploying a previously unseen Rust-based implant dubbed “RustyWater.”
Campaign Details
Targeted sectors:
- Diplomatic entities
- Maritime organizations
- Financial institutions
- Telecommunications providers
Geographic focus: Middle East region
Attack Chain
- Initial access: Spear-phishing emails carrying malicious Word documents
- Social engineering: The attachment's icon is spoofed so the document passes as a legitimate file type
- Execution: The lure instructs the victim to click "Enable Content", which runs the embedded VBA macro
- Payload delivery: The macro deploys the RustyWater implant on the host
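The control point in this chain is the attachment itself: if the VBA project never reaches the victim, the "Enable Content" lure is inert. The Python below is an added example, not code from the researchers or from the campaign, showing the gateway-side check that decides whether a Word file carries macros. The sample documents it builds are constructed stand-ins (a minimal .docx and .docm assembled in memory), and the helper names build_sample, triage_document and should_quarantine are this example's own; the stacked-extension heuristic in should_quarantine is an addition of this example and is not described in the report.

```python
import io
import zipfile

# Constructed sample packages (not artifacts from the campaign): the OOXML
# parts below are the minimum needed to exercise the checks offline.
OOXML_NS = b'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
DOC_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(macro: bool) -> bytes:
    """Build a minimal .docx (macro=False) or .docm (macro=True) in memory."""
    main_type = DOCM_MAIN if macro else DOC_MAIN
    overrides = [b'<Override PartName="/word/document.xml" ContentType="' + main_type + b'"/>']
    if macro:
        overrides.append(b'<Override PartName="/word/vbaProject.bin" ContentType="'
                         + VBA_CONTENT_TYPE + b'"/>')
    content_types = (b'<?xml version="1.0" encoding="UTF-8"?><Types ' + OOXML_NS + b'>'
                     + b"".join(overrides) + b"</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def triage_document(data: bytes) -> dict:
    """Classify a Word attachment and report whether it carries a VBA project."""
    result = {"format": "unknown", "has_vba": False, "findings": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc (OLE compound file). Word keeps VBA in a storage
        # named "Macros"; OLE directory entry names are stored as UTF-16LE.
        result["format"] = "ole"
        if "Macros".encode("utf-16-le") in data:
            result["has_vba"] = True
            result["findings"].append("OLE storage 'Macros' present")
        return result

    if not data.startswith(b"PK"):
        return result

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["format"] = "zip-corrupt"
        return result

    result["format"] = "ooxml"
    names = zf.namelist()
    # Any vbaProject.bin part means macros ship with the document, whatever the
    # file extension claims (word/, xl/ and ppt/ all use the same part name).
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        result["has_vba"] = True
        result["findings"].append("VBA project part: " + ", ".join(sorted(vba_parts)))

    content_types = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    if VBA_CONTENT_TYPE in content_types:
        result["has_vba"] = True
        result["findings"].append("[Content_Types].xml declares a VBA project")
    if b"macroEnabled.main+xml" in content_types:
        result["findings"].append("main part declared as macro-enabled (.docm/.xlsm/.pptm)")
    if vba_parts and VBA_CONTENT_TYPE not in content_types:
        result["findings"].append("vbaProject.bin present but undeclared: possible tampering")
    return result


def should_quarantine(filename: str, data: bytes) -> bool:
    """Gateway decision: hold any externally received Office file that carries VBA,
    plus any file whose name stacks extensions (e.g. 'report.pdf.docm'); the
    stacked-extension heuristic is this example's own addition."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    stacked = len(parts) > 2 and parts[-2] in {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
    return triage_document(data)["has_vba"] or stacked


if __name__ == "__main__":
    for name, blob in [("agenda.docx", build_sample(False)), ("agenda.docm", build_sample(True))]:
        verdict = "quarantine" if should_quarantine(name, blob) else "allow"
        print(name, triage_document(blob), verdict)
```

The check deliberately keys on the package contents rather than the extension: renaming a .docm to .docx does not remove the vbaProject.bin part, and a document whose VBA part is present but undeclared in [Content_Types].xml is worth a closer look rather than a pass. For legacy binary .doc files the "Macros" storage-name test is a cheap heuristic; a full triage would parse the OLE directory (for example with oletools) instead of scanning for the name.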
RustyWater Implant
The new Rust-based malware is a significant step up from MuddyWater's traditional, largely PowerShell-based toolkit:
Capabilities:
- Systematic information collection from target machines
- Persistence mechanisms
- Command and control communication
- Data exfiltration
Why Rust?
- Cross-platform: one codebase compiles for Windows, Linux and macOS targets
- Memory safety: fewer crashes from memory-corruption bugs, so the implant runs reliably on victim hosts
- Harder to reverse engineer: Rust binaries are large, statically link the standard library, and use mangled, heavily inlined code that many analysis tools and signatures handle poorly
- Growing trend: other APT groups and cybercrime operators have also been moving tooling to Rust
MuddyWater Background
MuddyWater (also known as MERCURY, Mango Sandstorm, Static Kitten, and Seedworm) is an Iranian APT group active since at least 2017 and publicly attributed by the US government to Iran's Ministry of Intelligence and Security (MOIS). The group primarily conducts:
- Cyber espionage operations
- Intelligence gathering on regional adversaries
- Targeting of government and critical infrastructure
Mitigations
No indicators of compromise are reproduced here. Organizations in the targeted sectors should:
- Block macro execution in documents from external sources: enforce the Office policy that blocks macros in files carrying the Mark of the Web, and disable VBA entirely where there is no business need
- Monitor Office applications for suspicious activity, in particular WINWORD.EXE or EXCEL.EXE spawning script interpreters, living-off-the-land binaries, or executables from user-writable directories
- Implement application control (allowlisting) so a dropped implant cannot run even if a macro executes
- Review egress traffic for unusual C2 patterns such as periodic beaconing to unfamiliar infrastructure
- Update endpoint detection signatures and hunt for unexpected Rust-compiled binaries on endpoints
Contact threat intelligence providers for specific IoCs related to this campaign.
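Of the controls above, monitoring Office applications is the one that catches a macro which has already run: a macro that deploys an implant has to start something, so WINWORD.EXE or EXCEL.EXE spawning a script interpreter, a living-off-the-land binary, or a fresh executable from a user-writable directory is the signal. The Python below is an added example, not code from the researchers or from any vendor product, that runs that detection logic over constructed Sysmon-style process-creation events (not telemetry from this campaign). The field names follow Sysmon Event ID 1; the rule lists, severity tiers and helper names score_event and detect are this example's own assumptions.

```python
import json
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1) as JSON lines.
# Illustrative only; not telemetry from the campaign described above.
SAMPLE_EVENTS = r"""
{"UtcTime":"2024-05-02 08:14:03","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA","User":"CORP\\analyst"}
{"UtcTime":"2024-05-02 08:14:05","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"C:\\Windows\\splwow64.exe 12288","User":"CORP\\analyst"}
{"UtcTime":"2024-05-02 08:20:41","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir","User":"CORP\\analyst"}
{"UtcTime":"2024-05-02 09:02:17","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\analyst\\AppData\\Local\\Temp\\upd.dll,Start","User":"CORP\\analyst"}
{"UtcTime":"2024-05-02 09:15:52","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Users\\analyst\\AppData\\Local\\Temp\\WindowsUpdate.exe","CommandLine":"C:\\Users\\analyst\\AppData\\Local\\Temp\\WindowsUpdate.exe","User":"CORP\\analyst"}
{"UtcTime":"2024-05-02 09:30:10","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","User":"CORP\\analyst"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "onenote.exe"}
# Interpreters and living-off-the-land binaries a macro typically reaches for.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
                       "bitsadmin.exe", "curl.exe", "schtasks.exe"}
# Children Office spawns legitimately (print helper). Keep this list short and reviewed.
KNOWN_BENIGN_CHILDREN = {"splwow64.exe"}
# Substrings in the image path or command line that raise severity: encoded
# PowerShell, hidden windows, download cradles, and user-writable drop locations.
HIGH_RISK_MARKERS = ("-enc", "-e ", "-ec ", "hidden", "downloadstring", "http",
                     "\\temp\\", "\\appdata\\")


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the platform the analyzer runs on.
    return ntpath.basename(path).lower()


def score_event(ev: dict):
    """Return an alert dict for an Office child-process event, or None if it is not one."""
    parent, child = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    if parent not in OFFICE_APPS or child in KNOWN_BENIGN_CHILDREN:
        return None
    text = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    hits = [m for m in HIGH_RISK_MARKERS if m in text]
    if hits:
        severity = "high"        # known-bad tradecraft or a drop location
    elif child in SUSPICIOUS_CHILDREN:
        severity = "medium"      # interpreter from Office, but nothing else incriminating
    else:
        severity = "low"         # unfamiliar child of an Office app: triage, do not page
    return {"time": ev.get("UtcTime"), "user": ev.get("User"), "parent": parent, "child": child,
            "severity": severity, "markers": hits, "command": ev.get("CommandLine", "")}


def detect(lines: str) -> list:
    """Run score_event over JSON-lines telemetry, skipping blank or malformed records."""
    alerts = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue   # malformed telemetry is dropped, never fatal to the pipeline
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:>6}] {a['time']} {a['user']} {a['parent']} -> {a['child']} {a['markers']}")
```

The tiers are deliberate: an Office process starting an interpreter is common enough in some estates (add-ins, line-of-business automation) that it should be a medium alert on its own, while encoded commands, hidden windows or anything launched from Temp or AppData belongs in the high tier. The same conditions map directly onto an EDR or SIEM rule; the Attack Surface Reduction rule "Block all Office applications from creating child processes" is the preventive counterpart on Windows endpoints.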