Iran-Linked MuddyWater Active: New Android Spyware Targets Global Users
Iran-linked cyberespionage group MuddyWater is actively targeting global organizations across various sectors and regions. The group, also known as APT33 and UNC4841, has been deploying new variants of its Android spyware, DCHSpy, with enhanced capabilities to steal data from targets.
MuddyWater's recent campaigns have focused on Android users, with the group leveraging new DCHSpy variants to target individuals in Asia, Africa, Europe, and North America. The spyware is capable of stealing contacts, messages, audio, and WhatsApp data from infected devices. In addition to DCHSpy, MuddyWater has been observed using other tools such as Metasploit, AndroRat, and AhMyth in its campaigns.
The group has demonstrated its adaptability by adding features to DCHSpy that allow it to scan files and steal WhatsApp data. MuddyWater has also been found using a fake VPN app posing as Starlink to gain access to targets' devices. The continued development and use of DCHSpy indicate that Iran is actively engaged in surveillance, particularly during times of conflict.
Researchers at Lookout have tracked 17 malware families from 10 different Iranian APTs over the past decade, including BouldSpy, which is used by Iran's law enforcement. MuddyWater's tactics, such as using fake VPN apps and targeting specific sectors, are also seen in other Iranian APTs like SandStrike.
MuddyWater's recent activities highlight the group's ongoing efforts to target organizations worldwide, with a focus on Android users. The group's use of new DCHSpy variants and other tools, along with its adaptability and persistence, underscores the need for robust cybersecurity measures to protect against Iranian APTs. As the conflict between Iran and Israel continues, it is likely that MuddyWater and other Iranian APTs will remain active in their cyberespionage efforts.