The Iranian threat actor MuddyWater has evolved its toolkit with a new Rust-based implant dubbed “RustyWater.” This campaign utilizes sophisticated social engineering and spear-phishing tactics targeting Middle Eastern organizations.
Attack Chain Breakdown:
- Initial Access: Targets receive a Word document that displays a deceptive lure (see attached screenshot), prompting the user to “Enable Content.”
- Execution: Once content is enabled, a malicious macro executes and drops a loader onto the system.
- Infection (Rust Implant): The loader injects the RustyWater RAT into memory. The use of Rust provides better obfuscation against traditional security tools.
- Persistence & C2: The malware communicates with its C2 server and establishes persistence via Windows Registry Run keys.


Key Recommendations:
- User Awareness Training: Instruct employees to refrain from opening emails from unknown or unverified external senders.
- Specifically, alert staff to be suspicious of emails with subject lines such as “Important Message” or “Very Important” that urge the recipient to click a link or download a file to view the content.
- Educate users to recognize deceptive Word templates that claim the document is “protected” or from an “older version” and require “Enabling Content.”
- Disable Macros: Enforce a strict GPO policy to block macros in all Office files originating from the internet.
- EDR Monitoring: Configure alerts for suspicious registry modifications within HKCU\…\Run keys by unknown processes.
- Threat Hunting: Proactively scan for unsigned Rust-based binaries and unusual outbound traffic to unverified IP addresses.
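The EDR Monitoring recommendation above (alerting on Run-key writes under HKCU by unknown processes) can be prototyped as a small detection over registry telemetry. The following is an added example, not code from the original advisory or from any EDR vendor: it assumes Sysmon-style "registry value set" events (Event ID 13) flattened into constructed `key=value|key=value` lines, an assumed allowlist of processes that legitimately write Run keys, and a simple severity rule that rates writes by Office applications or by binaries living in user-writable paths as high.

```python
"""Added example: flag Run/RunOnce key writes by processes outside an allowlist.

The input format (key=value fields separated by '|') and the sample lines are
constructed for this demonstration; they imitate Sysmon Event ID 13 fields
(Image, TargetObject, Details) but are not real telemetry.
"""
import re
from dataclasses import dataclass

# Run / RunOnce locations under the user hive. Some telemetry renders HKCU as
# HKU\<SID>, so both spellings are matched.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Assumed allowlist: processes that legitimately write Run keys in this environment.
ALLOWED_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\msiexec.exe",
}

# Heuristics for severity (assumed for this example).
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class RunKeyAlert:
    image: str      # process that wrote the value
    target: str     # registry value path that was written
    details: str    # value data, usually the command that will autostart
    severity: str   # "high" or "medium"


def parse_event(line: str) -> dict:
    """Parse 'EventID=13|Image=...|TargetObject=...|Details=...' into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def severity_for(image: str, details: str) -> str:
    """Office apps or binaries in user-writable paths writing Run keys rate high."""
    img = image.lower()
    det = details.lower()
    if img.endswith(OFFICE_IMAGES):
        return "high"
    if any(p in img for p in USER_WRITABLE) or any(p in det for p in USER_WRITABLE):
        return "high"
    return "medium"


def detect_run_key_writes(lines):
    """Return one RunKeyAlert per Run/RunOnce write by a non-allowlisted process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.match(target):       # only HKCU Run / RunOnce keys
            continue
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_IMAGES:    # known-good writers are ignored
            continue
        details = ev.get("Details", "")
        alerts.append(RunKeyAlert(image, target, details, severity_for(image, details)))
    return alerts


# Constructed sample telemetry (not from any real host).
SAMPLE_LOG = [
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"EventID=13|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\alice\AppData\Roaming\svc\updater.exe",
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\loader.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\sync|Details=C:\Users\alice\AppData\Local\Temp\loader.exe",
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent|Details=C:\Program Files\Vendor\agent.exe",
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start|Details=DWORD (0x00000003)",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in detect_run_key_writes(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.image} wrote {alert.target} -> {alert.details}")
```

Run against the constructed log, the explorer.exe write is suppressed by the allowlist, the HKLM service write is ignored because it is not a Run key, and three alerts remain: the Word process and the Temp-resident loader rate high, the vendor installer medium. In a real deployment the allowlist should be built from a baseline of the environment rather than hard-coded, and the Details field (the autostart command) is what to pivot on when triaging.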
