MuddyWater: From Canaries to Turkeys - Evolution of APT Campaigns 2021-2022

Explore the evolution and tactics of the Iranian-based threat actor MuddyWater in this 27-minute conference talk from NorthSec 2022. Delve into three distinct campaigns targeting Turkish governmental organizations, Armenia, Pakistan, and countries in the Arabian peninsula. Examine the group's use of Canarytokens for payload activation, mixed-stage payload delivery methods, and the introduction of a new payload builder. Analyze the group's flexibility in employing various techniques, including VBA macros, double extension executables, and WSF-based RATs. Gain insights into MuddyWater's timeline, tool capabilities, and the possibility of it being a collective of groups sharing tools and techniques. Understand the implications of the U.S. Cyber Command's attribution of MuddyWater to Iran's Ministry of Intelligence Services (MOIS) and how it differs from previous beliefs.