Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/21/2020
12:00 PM
50%
50%

Iranian Cyberattack Group Deploys New PowGoop Downloader Against Mideast Targets

Seedworm Group, aka MuddyWater, is also deploying commodity ransomware as part of espionage attacks on companies and government agencies in the Middle East region.

An Iranian cyberattack group known as Seedworm — thought to be linked to Iran's government — has started using new tools, including a custom download utility and commodity ransomware, as part of their attacks on companies and government agencies in the broader Middle East region, according to Broadcom's Symantec division.

Seedworm appears to be deploying several variants of a new downloader, known as PowGoop, to more recent targets, Symantec researchers stated in an analysis published. The software downloads and decrypts obfuscated PowerShell scripts to run on compromised systems, using the common utility as a way to execute code. In addition, the group is deploying ransomware, known as Thanos, which first appeared for sale earlier this year and appears to be used by Seedworm for its destructive capabilities, the researchers said.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Expert Tips to Keep WordPress Safe

The use of the malicious program does not necessarily indicate a shift to ransomware-based cybercrime for the group, but rather an adoption of a broader variety of tactics for countering defensive measures, says Vikram Thakur, Symantec's technical director. 

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," he says. "We ... don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most."

The Symantec analysis is part of the security industry's attempt to attribute specific tactics, techniques, and procedures (TTPs) to particular adversary groups. While the Thanos ransomware is a commodity program offered for sale in underground forums, the PowGoop backdoor program for downloading scripts is custom software made by the group, Symantec stated in its analysis. The company published more than 30 indicators of compromise in the analysis, about half of which related to PowGoop. 

The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis. "While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation."

PowGoop appears to be part of the Seedworm group's development of a suite of custom tools for compromising targets and extending their infiltration into networks. The dynamically linked library is installed by a remote execution tool, known as Remadmin, often posing as a Google update archive. The software decodes PowerShell scripts and then executes them, allowing the attackers to move laterally through a network after the initial compromise. 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur says.

PowGoop has also been detected by other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa in early September.

In addition, the company confirmed sightings of the Thanos ransomware detected by threat intelligence firm Recorded Future in February. The developers of the ransomware program advertised it for sale on underground forums, likely meaning the ransomware will be used by multiple groups, the companies stated. Palo Alto Networks' analysis concluded, however, that the ransomware is often used for its destructive capabilities. 

"The interesting part of the overwriting of the MBR [master boot record] in this specific sample is that it does not work correctly, which can be blamed on either a programming error or the custom message included by the actor," Palo Alto Networks stated in its analysis. "We confirmed that after changing this single character, the MBR overwriting functionality works, which results in the following being displayed instead of Windows booting correctly."

Changing tools sets and destructive attacks are common tactics to confuse attribution and slow incident response. Such countermeasures have become increasingly common, with 82% of incident response (IR) engagements including counter-IR tactics and 54% utilizing destructive elements to slow response, according to a new report by security firm VMware Carbon Black. In addition, half of all attacks use custom malware — in the same way Seedworm uses PowGoop — the report stated. 

While Seedworm does not appear to be involved in attacks on US elections, that remains a concern among incident responders, with Iran, at 19%, the No. 3 most worrisome aggressor, behind Russia (58%) and North Korea (27%).

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...