The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

“While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant,” Deep Instinct security researcher Simon Kenin said in a technical report published last week.

MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.

Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter leveraging the access to orchestrate destructive wiper attacks against Israeli entities.

The latest attack campaign, details of which were also previously revealed by Proofpoint last month, commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software.

One of the URLs in question is “kinneretacil.egnyte[.]com,” where the subdomain “kinneretacil” refers to “kinneret.ac.il,” an educational institution in Israel and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country.

Lord Nemesis is suspected of being a “faketivist” operation directed against Israel. It’s also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, a subgroup within Mint Sandstorm that’s backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury in September 2022.

“This is important because if ‘Lord Nemesis’ were able to breach Rashim’s email system, they might have breached the email systems of Rashim’s customers using the admin accounts that now we know they obtained from ‘Rashim,'” Kenin explained.

The web of connections has raised the possibility that MuddyWater may have used the email account associated with Kinneret to distribute the links, thereby giving the messages an illusion of trust and tricking the recipients into clicking them.

“While not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration between IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals,” Kenin further added.

The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 that are responsible for managing the infected endpoints. This is accomplished by means of PowerShell code designed to establish contact with the C2 server upon gaining initial access through other means.

According to independent findings from Palo Alto Networks Unit 42, the threat actor has been observed abusing the Windows Registry’s AutodialDLL function to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain.

The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to leverage the AutodialDLL registry key and load the DLL for C2 framework. The cybersecurity firm said the technique was put to use in a cyber attack aimed at an unnamed Middle East target.

Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via the spear-phishing email and leveraging DLL side-loading to execute a malicious library.

A successful contact allows the infected host to receive PowerShell responses that, for its part, fetches two more PowerShell scripts from the same server.

While one of the scripts is designed to read the contents of a file named “C:\ProgramData\SysInt.log” and transmit them to the C2 server via an HTTP POST request, the second script periodically polls the server to obtain additional payloads and writes the results of the execution to “SysInt.log.” The exact nature of the next-stage payload is currently unknown.

“This framework is similar to the previous C2 frameworks used by MuddyWater,” Kenin said. “PowerShell remains their ‘bread and butter.'”

Curious Serpens Targets Defense Sector with FalseFont Backdoor

The disclosure comes as Unit 42 unpacked the inner workings of a backdoor called FalseFont that’s used by an Iranian threat actor known as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the aerospace and defense sectors.

“The threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor,” security researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing FalseFont as “highly targeted.”

Once installed, it presents a login interface impersonating an aerospace company and captures the credentials as well as the educational and employment history entered by the victim to a threat-actor controlled C2 server in JSON format.

The implant, besides its graphical user interface (GUI) component for user inputs, also stealthily activates a second component in the background that establishes persistence on the system, gathers system metadata, and executes commands and processes sent from the C2 server.

Other features of FalseFont include the ability to download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and self-update the malware.

Mar 02, 2024NewsroomCybercrime / Social Engineering

The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities.

More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.

Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least in or about 2016 through or about April 2021.

“As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said U.S. Attorney Damian Williams for the Southern District of New York.

The spear-phishing campaigns were managed via a custom application that made it possible for Nasab and his co-conspirators to organize and deploy their attacks.

In one instance, the threat actors breached an administrator email account belonging to an unnamed defense contractor, subsequently leveraging the access to create rogue accounts and send out spear-phishing emails to employees of a different defense contractor and a consulting firm.

Outside of spear-phishing attacks, the conspirators have masqueraded as other people, typically women, to obtain the confidence of victims and deploy malware onto victim computers.

Nasab, while working for the front company, is believed to be responsible for procuring infrastructure utilized in the campaign by using the stolen identity of a real person in order to register a server and email accounts.

He has been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud, and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.

While Nasab remains at large, the U.S. State Department has announced monetary rewards of up to $10 million for information leading to the identification or location of Nasab.

Mahak Rayan Afraz (MRA) was first outed by Meta in July 2021 as a Tehran-based firm with ties to the Islamic Revolutionary Guard Corps (IRGC), Iran’s armed force charged with defending the country’s revolutionary regime.

The activity cluster, which also overlaps with Tortoiseshell, has been previously linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.

The development comes as German law enforcement announced the takedown of Crimemarket, a German-speaking illicit trading platform with over 180,000 users that specialized in the sale of narcotics, weapons, money laundering, and other criminal services.

Six people have been arrested in connection with the operation, counting a 23-year-old considered the main suspect, with authorities also seizing mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash.

Feb 19, 2024NewsroomMalware / Cyber Espionage

The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal.

Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists.

“CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content,” Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash said.

Last month, Microsoft revealed that high-profile individuals working on Middle Eastern affairs have been targeted by the adversary to deploy malware such as MischiefTut and MediaPl (aka EYEGLASS) that are capable of harvesting sensitive information from a compromised host.

The group, assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has also distributed several other backdoors such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok over the past year, emphasizing its determination to continue its cyber onslaught, adapting its tactics and methods despite public exposure.

The phishing attacks observed between September and October 2023 involved the Charming Kitten operators posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate and build trust with targets.

The phishing attempts are also characterized by the use of compromised email accounts belonging to legitimate contacts and multiple threat-actor-controlled email accounts, the latter of which is called Multi-Persona Impersonation (MPI).

The attack chains typically employ RAR archives containing LNK files as a starting point to distribute malware, with the messages urging prospective targets to join a fake webinar about topics that are of interest to them. One such multi-stage infection sequence has been observed to deploy BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, is capable of gathering basic system information, remotely executing commands relayed from a command-and-control (C2) server, and downloading and displaying a decoy PDF file.

What’s more, some of these phishing attacks are engineered to serve different backdoors depending on the machine’s operating system. While Windows victims are compromised with POWERLESS, Apple macOS victims are targeted with an infection chain culminating in NokNok via a functional VPN application that’s laced with malware.

“This threat actor is highly committed to conducting surveillance on their targets in order to determine how best to manipulate them and deploy malware,” the researchers said. “Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts.”

The disclosure comes as Recorded Future uncovered IRGC’s targeting of Western countries using a network of contracting companies that also specialize in exporting technologies for surveillance and offensive purposes to countries like Iraq, Syria, and Lebanon.

The relationship between intelligence and military organizations and Iran-based contractors takes the form of various cyber centers that act as “firewalls” to conceal the sponsoring entity.

They include Ayandeh Sazan Sepher Aria (suspected to be associated with Emennet Pasargad), DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and the Parnian Telecommunication and Electronic Company.

“Iranian contracting companies are established and run by a tight-knit network of personas, who, in some cases, represent the contractors as board members,” the company said. “The individuals are closely associated with the IRGC, and in some cases, are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation).”

Feb 03, 2024NewsroomIntelligence Agency / Cyber Security

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.

The officials include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations.

The Treasury Department said it’s holding these individuals responsible for carrying out “cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company.”

In late November 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that the Municipal Water Authority of Aliquippa in western Pennsylvania was targeted by Iranian threat actors by exploiting Unitronics PLCs.

The attack was attributed to an Iranian hacktivist persona dubbed Cyber Av3ngers, which came to the forefront in the aftermath of the Israel-Hamas conflict, staging destructive attacks against entities in Israel and the U.S.

The group, which has been active since 2020, is also said to be behind several other cyber attacks, including one targeting Boston Children’s Hospital in 2021 and others in Europe and Israel.

“Industrial control devices, such as programmable logic controllers, used in water and other critical infrastructure systems, are sensitive targets,” the Treasury Department noted.

“Although this particular operation did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences.”

The development comes as another pro-Iranian “psychological operation group” known as Homeland Justice said it attacked Albania’s Institute of Statistics (INSTAT) and claimed to have stolen terabytes of data.

Homeland Justice has a track record of targeting Albania since mid-July 2022, with the threat actor most recently observed delivering a wiper malware codenamed No-Justice.

Jan 18, 2024NewsroomCyber Espionage / Threat Intelligence

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mind Sandstorm since November 2023.

The threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a “technically and operationally mature subgroup of Mind Sandstorm.”

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).

The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war, sending innocuous emails under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before attempting to deliver malware to targets.

Microsoft said it’s likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mind Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets’ environments.

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.

“Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft said.

“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.”

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.

Dec 14, 2023NewsroomMalware / Cyber Espionage

The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel.

The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k).

“These lightweight downloaders […] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API,” security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News.

By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group’s attack infrastructure.

Some of the targets of the campaign include an organization in the healthcare sector, a manufacturing company, and a local governmental organization, among others. All the victims are said to have been previously targeted by the threat actor.

The exact initial access vector used to compromise the targets is currently unclear and it’s not known if the attackers managed to retain their foothold in the networks so as to deploy these downloaders at various points of time in 2022.

OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that’s known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East.

This year alone, the hacking crew has been observed leveraging novel malware like MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah.

ODAgent, first detected in February 2022, is a C#/.NET downloader that utilizes Microsoft OneDrive API for command-and-control (C2) communications, allowing the threat actor to download and execute payloads, and exfiltrate staged files.

SampleCheck5000, on the other hand, is designed to interact with a shared Microsoft Exchange mail account to download and execute additional OilRig tools using the Office Exchange Web Services (EWS) API.

OilBooster, in the same way as ODAgent, uses Microsoft OneDrive API for C2, whereas OilCheck adopts the same technique as SampleCheck5000 to extract commands embedded in draft messages. But instead of using the EWS API, it leverages Microsoft Graph API for network communications.

OilBooster is also similar to OilCheck in that it employs the Microsoft Graph API to connect to a Microsoft Office 365 account. What’s different this time around is that the API is used to interact with an actor-controlled OneDrive account as opposed to an Outlook account in order to fetch commands and payloads from victim-specific folders.

These tools also share similarities with MrPerfectionManager and PowerExchange backdoors when it comes to using email-based C2 protocols to exfiltrate data, although in the case of the latter, the victimized organization’s Exchange Server is used to send messages to the attacker’s email account.

“In all cases, the downloaders use a shared (email or cloud storage) OilRig-operated account to exchange messages with the OilRig operators; the same account is typically shared by multiple victims,” the researchers explained.

“The downloaders access this account to download commands and additional payloads staged by the operators, and to upload command output and staged files.”

Dec 19, 2023NewsroomCyber Espionage / Cyber Attack

The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix.

Active since at least 2017, MuddyWater is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East.

The cyber espionage group’s use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020.

While the full extent of MuddyC2Go’s capabilities is not yet known, the executable comes fitted with a PowerShell script that automatically connects to Seedworm’s C2 server, thereby giving the attackers remote access to a victim system and obviating the need for manual execution by an operator.

The latest set of intrusions, which took place in November 2023, have also been found to rely on SimpleHelp and Venom Proxy, alongside a custom keylogger and other publicly available tools.

Attack chains mounted by the group have a track record of weaponizing phishing emails and known vulnerabilities in unpatched applications for initial access, followed by conducting reconnaissance, lateral movement, and data collection.

In the attacks documented by Symantec targeting an unnamed telecommunications organization, the MuddyC2Go launcher was executed to establish contact with an actor-controlled server, while also deploying legitimate remote access software like AnyDesk and SimpleHelp.

The entity is said to have been previously compromised by the adversary earlier in 2023 in which SimpleHelp was used to launch PowerShell, deliver proxy software, and also install the JumpCloud remote access tool.

“In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec noted. “A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity.”

By utilizing a combination of bespoke, living-off-the-land, and publicly available tools in its attack chains, the goal is to evade detection for as long as possible to meet its strategic objectives, the company said.

“The group continues to innovate and develop its toolset when required in order to keep its activity under the radar,” Symantec concluded. “The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.”

The development comes as an Israel-linked group called Gonjeshke Darande (meaning “Predatory Sparrow” in Persian) claimed responsibility for a cyber attack that disrupted a “majority of the gas pumps throughout Iran” in response to the “aggression of the Islamic Republic and its proxies in the region.”

The group, which reemerged in October 2023 after going quiet for nearly a year, is believed to be linked to the Israeli Military Intelligence Directorate, having conducted destructive attacks in Iran, including steel facilities, petrol stations, and rail networks in the country.

The cyber assault also follows an advisory from the Israel National Cyber Directorate (INCD) that accused Iran and the pro-Hamas group Hezbollah of unsuccessfully attempting to disrupt Ziv Hospital, attributing the attack to threat actors named Agrius and Lebanese Cedar.

“The attack was executed by the Iranian Ministry of Intelligence with the involvement of Hezbollah’s ‘Lebanese Cedar’ cyber units under the leadership of Mohammad Ali Merhi,” the INCD said.