Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/21/2020
12:00 PM
50%
50%

Iranian Cyberattack Group Deploys New PowGoop Downloader Against Mideast Targets

Seedworm Group, aka MuddyWater, is also deploying commodity ransomware as part of espionage attacks on companies and government agencies in the Middle East region.

An Iranian cyberattack group known as Seedworm — thought to be linked to Iran's government — has started using new tools, including a custom download utility and commodity ransomware, as part of their attacks on companies and government agencies in the broader Middle East region, according to Broadcom's Symantec division.

Seedworm appears to be deploying several variants of a new downloader, known as PowGoop, to more recent targets, Symantec researchers stated in an analysis published. The software downloads and decrypts obfuscated PowerShell scripts to run on compromised systems, using the common utility as a way to execute code. In addition, the group is deploying ransomware, known as Thanos, which first appeared for sale earlier this year and appears to be used by Seedworm for its destructive capabilities, the researchers said.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Expert Tips to Keep WordPress Safe

The use of the malicious program does not necessarily indicate a shift to ransomware-based cybercrime for the group, but rather an adoption of a broader variety of tactics for countering defensive measures, says Vikram Thakur, Symantec's technical director. 

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," he says. "We ... don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most."

The Symantec analysis is part of the security industry's attempt to attribute specific tactics, techniques, and procedures (TTPs) to particular adversary groups. While the Thanos ransomware is a commodity program offered for sale in underground forums, the PowGoop backdoor program for downloading scripts is custom software made by the group, Symantec stated in its analysis. The company published more than 30 indicators of compromise in the analysis, about half of which related to PowGoop. 

The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis. "While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation."

PowGoop appears to be part of the Seedworm group's development of a suite of custom tools for compromising targets and extending their infiltration into networks. The dynamically linked library is installed by a remote execution tool, known as Remadmin, often posing as a Google update archive. The software decodes PowerShell scripts and then executes them, allowing the attackers to move laterally through a network after the initial compromise. 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur says.

PowGoop has also been detected by other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa in early September.

In addition, the company confirmed sightings of the Thanos ransomware detected by threat intelligence firm Recorded Future in February. The developers of the ransomware program advertised it for sale on underground forums, likely meaning the ransomware will be used by multiple groups, the companies stated. Palo Alto Networks' analysis concluded, however, that the ransomware is often used for its destructive capabilities. 

"The interesting part of the overwriting of the MBR [master boot record] in this specific sample is that it does not work correctly, which can be blamed on either a programming error or the custom message included by the actor," Palo Alto Networks stated in its analysis. "We confirmed that after changing this single character, the MBR overwriting functionality works, which results in the following being displayed instead of Windows booting correctly."

Changing tools sets and destructive attacks are common tactics to confuse attribution and slow incident response. Such countermeasures have become increasingly common, with 82% of incident response (IR) engagements including counter-IR tactics and 54% utilizing destructive elements to slow response, according to a new report by security firm VMware Carbon Black. In addition, half of all attacks use custom malware — in the same way Seedworm uses PowGoop — the report stated. 

While Seedworm does not appear to be involved in attacks on US elections, that remains a concern among incident responders, with Iran, at 19%, the No. 3 most worrisome aggressor, behind Russia (58%) and North Korea (27%).

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30485
PUBLISHED: 2021-04-11
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running strcmp() on a NULL pointer.
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.