The attack chain begins with phishing e-mails carrying malicious attachments, sent to recipients to distribute the SloughRAT (Canopy) trojan, which executes commands received from command and control (C&C) servers. The malicious document attached to the phishing e-mail contains a macro that drops two WSF (Windows Script File) files on the target system. One of these scripts is used to launch the next stage and is placed in the current user’s Startup folder by the VBA macro, so that it persists across reboots. The second script contains the “SloughRAT” malware itself, which is used to execute arbitrary commands on the target system. This RAT consists of obfuscated Visual Basic and JavaScript code. Once the malware has carried out its activities, the captured data and command results are sent back to the C&C servers.
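As an added illustration (not part of the advisory), the following Python sketch looks for the delivery behaviour described above, an Office macro host writing script files with one of them landing in the user's Startup folder, over constructed Sysmon-style file-creation records; the process names, paths and file names are assumptions, not indicators from the campaign.

```python
"""Detection sketch for the SloughRAT delivery chain: an Office process
dropping several script files, one into the user's Startup folder.
Input records are constructed for the example, not real telemetry."""
import re
from dataclasses import dataclass

# Assumption: these are the macro-capable Office hosts worth watching.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_EXTS = (".wsf", ".vbs", ".js")
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass
class FileCreate:
    image: str    # full path of the process that created the file
    target: str   # full path of the created file


def classify(event):
    """Return the suspicious traits of a single FileCreate event."""
    image = event.image.rsplit("\\", 1)[-1].lower()
    is_script = event.target.lower().endswith(SCRIPT_EXTS)
    reasons = []
    if is_script and image in OFFICE_IMAGES:
        reasons.append("office-drops-script")
    if is_script and STARTUP_RE.search(event.target):
        reasons.append("script-in-startup")
    return reasons


def triage(events):
    """Group findings per creating process: image -> {drops, reasons}."""
    per_proc = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            entry = per_proc.setdefault(ev.image, {"drops": 0, "reasons": set()})
            entry["drops"] += 1
            entry["reasons"].update(reasons)
    return per_proc


def matches_sloughrat_chain(events):
    """True when one Office process dropped >=2 scripts and one sits in Startup."""
    wanted = {"office-drops-script", "script-in-startup"}
    return any(e["drops"] >= 2 and wanted <= e["reasons"]
               for e in triage(events).values())


# Constructed sample records (hypothetical user name and file names).
SAMPLE_EVENTS = [
    FileCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.wsf"),
    FileCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Users\alice\AppData\Local\Temp\srvc.wsf"),
    FileCreate(r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
    FileCreate(r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\log.js"),
]
```

Fed real Sysmon Event ID 11 records, the same two traits (Office host as creator, Startup folder as destination) are what an analyst would pivot on before escalating.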
The campaign has been assessed as a continuation of the November 2021 MuddyWater campaign, which targeted Turkish private and government institutions with PowerShell-based backdoors for information gathering and espionage. To avoid becoming a target of this and similar malware campaigns, it is important to ignore e-mail attachments and links from unknown senders, not to download files or programs from unknown sources, and to conduct attack surface analyses at regular intervals. It is also recommended to raise the awareness of institution/organization personnel about phishing and social engineering attacks, and to block the IoCs identified for the campaign on the security devices in use.