Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/21/2020
12:00 PM
50%
50%

Iranian Cyberattack Group Deploys New PowGoop Downloader Against Mideast Targets

Seedworm Group, aka MuddyWater, is also deploying commodity ransomware as part of espionage attacks on companies and government agencies in the Middle East region.

An Iranian cyberattack group known as Seedworm — thought to be linked to Iran's government — has started using new tools, including a custom download utility and commodity ransomware, as part of their attacks on companies and government agencies in the broader Middle East region, according to Broadcom's Symantec division.

Seedworm appears to be deploying several variants of a new downloader, known as PowGoop, to more recent targets, Symantec researchers stated in an analysis published. The software downloads and decrypts obfuscated PowerShell scripts to run on compromised systems, using the common utility as a way to execute code. In addition, the group is deploying ransomware, known as Thanos, which first appeared for sale earlier this year and appears to be used by Seedworm for its destructive capabilities, the researchers said.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Expert Tips to Keep WordPress Safe

The use of the malicious program does not necessarily indicate a shift to ransomware-based cybercrime for the group, but rather an adoption of a broader variety of tactics for countering defensive measures, says Vikram Thakur, Symantec's technical director. 

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," he says. "We ... don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most."

The Symantec analysis is part of the security industry's attempt to attribute specific tactics, techniques, and procedures (TTPs) to particular adversary groups. While the Thanos ransomware is a commodity program offered for sale in underground forums, the PowGoop backdoor program for downloading scripts is custom software made by the group, Symantec stated in its analysis. The company published more than 30 indicators of compromise in the analysis, about half of which related to PowGoop. 

The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis. "While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation."

PowGoop appears to be part of the Seedworm group's development of a suite of custom tools for compromising targets and extending their infiltration into networks. The dynamically linked library is installed by a remote execution tool, known as Remadmin, often posing as a Google update archive. The software decodes PowerShell scripts and then executes them, allowing the attackers to move laterally through a network after the initial compromise. 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur says.

PowGoop has also been detected by other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa in early September.

In addition, the company confirmed sightings of the Thanos ransomware detected by threat intelligence firm Recorded Future in February. The developers of the ransomware program advertised it for sale on underground forums, likely meaning the ransomware will be used by multiple groups, the companies stated. Palo Alto Networks' analysis concluded, however, that the ransomware is often used for its destructive capabilities. 

"The interesting part of the overwriting of the MBR [master boot record] in this specific sample is that it does not work correctly, which can be blamed on either a programming error or the custom message included by the actor," Palo Alto Networks stated in its analysis. "We confirmed that after changing this single character, the MBR overwriting functionality works, which results in the following being displayed instead of Windows booting correctly."

Changing tools sets and destructive attacks are common tactics to confuse attribution and slow incident response. Such countermeasures have become increasingly common, with 82% of incident response (IR) engagements including counter-IR tactics and 54% utilizing destructive elements to slow response, according to a new report by security firm VMware Carbon Black. In addition, half of all attacks use custom malware — in the same way Seedworm uses PowGoop — the report stated. 

While Seedworm does not appear to be involved in attacks on US elections, that remains a concern among incident responders, with Iran, at 19%, the No. 3 most worrisome aggressor, behind Russia (58%) and North Korea (27%).

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-23727
PUBLISHED: 2020-12-03
There is a local denial of service vulnerability in the Antiy Zhijia Terminal Defense System 5.0.2.10121559 and an attacker can cause a computer crash (BSOD).
CVE-2020-28175
PUBLISHED: 2020-12-03
There is a local privilege escalation vulnerability in Alfredo Milani Comparetti SpeedFan 4.52. Attackers can use constructed programs to increase user privileges
CVE-2020-13524
PUBLISHED: 2020-12-03
An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 uses SPECS data from binary USD files. A specially crafted malformed file can trigger an out-of-bounds memory access and modification which results in memory corruption. To trigger this vulnerability, the victim n...
CVE-2020-13525
PUBLISHED: 2020-12-03
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-23726
PUBLISHED: 2020-12-03
There is a local denial of service vulnerability in Wise Care 365 5.5.4, attackers can cause computer crash (BSOD).