Iran-linked MERCURY APT behind destructive attacks on hybrid environments

Iran-linked APT group MERCURY is behind destructive attacks on hybrid environments masquerading as a ransomware operation.

The Microsoft Threat Intelligence team observed a series of destructive attacks on hybrid environments that were carried out by MuddyWater APT group (aka MERCURY). Threat actors masqueraded the attacks as a standard ransomware operation.

MERCURY (aka MuddyWater, SeedWorm and TEMP.Zagros) has been active since at least 2017, in January 2022 the USCYBERCOM has officially linked the Iran-linked APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The group was observed targeting both on-premises and cloud environments. According to Microsoft, MERCURY likely conducted the attacks in partnership with another actor tracked as DEV-1084, who carried out the destructive actions after MERCURY gained access to the target environment.

“MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage.” reads the report published by Microsoft. “DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.”

DEV-1084 presented itself as cybercrime group likely as an attempt to hide its real motivation of a nation-state actor.

The link between the DEV-1084 cluster and MERCURY was established based on the following evidence:

• Both DEV-1084 and MERCURY were observed sending emails from the IP address 146.70.106[.]89.
• Both groups used MULLVAD VPN.
• DEV-1084 used Rport and a customized version of Ligolo. MERCURY has also been observed using Rport and a similar version of Ligolo in previous attacks.
• DEV-1084 used the vatacloud[.]com domain for C2, which is believed to be under the control of the MERCURY APT group.

In the attacks observed by Microsoft, the state-sponsored hackers used highly privileged credentials and access to domain controllers. The attackers were able to interfere with security tools using Group Policy Objects (GPO). Once bypassed the security defenses, the attackers deployed the ransomware payload in the NETLOGON shares on several domain controllers.

Then the attackers maintain persistence by registering a scheduled task using GPO. The ransomware employed in the attacks changes the file name extension to DARKBIT and drop ransom notes.

The hackers abused Exchange Web Services to gain full access to email inboxes, then they were able to perform “thousands of search activities” and impersonate a high-ranking employee to send emails both internally and externally.

Microsoft provides mitigations for destructive attacks to secure on-prem environment and Azure AD environment.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MERCURY)