Hacking

Iran-linked group TEMP.Zagros now targets Asia and Middle East regions

Experts at FireEye uncovered a new massive phishing campaign conducted by TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

Iranian hackers are one of the most active in this period, researchers at FireEye uncovered a new massive phishing campaign targeting Asia and Middle East regions from January 2018 to March 2018.

The group behind the campaign is known as TEMP.Zagros, aka MuddyWater, and according to the experts it is now adopting new tactics, techniques, and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017.” reads the analysis published by the experts at FireEye.

“This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.” 

The TEMP.Zagros was first spotted by researchers at PaloAlto Networks in 2017, the hackers targeted various industries in several countries with spear-phishing messages.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

Last week expert at Trend Micro also attributed the new wave of attacks to the MuddyWater threat actor.

“We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.” states the analysis published by Trend Micro.

According to FireEye report, TEMP.Zagros attackers are adopting a new backdoor dubbed POWERSTATS for backdoors and the reuse of a known technique for lateral movements.

Each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command and control (C2) server.

Hackers re-used the AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.

“In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets.” continues FireEye.

 

The campaign started on Jan. 23 involved a macro-based document that dropped a VBS file and an INI file containing a Base64 encoded PowerShell command.

The Base64 encoded PowerShell command will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe.

Attackers used a differed VBS script for each sample, employing different levels of obfuscation and different ways of invoking the next stage of the process tree.

Starting from Feb. 27, 2018, hackers used a new variant of the macro that does not use VBS for PowerShell code execution. The new variant uses a new code execution techniques leveraging INF and SCT files.

Researchers at FireEye also found Chinese strings in the malicious code used by TEMP.Zagros that were left as false flags to make hard the attribution.

“During analysis, we observed a code section where a message written in Chinese and hard coded in the script will be printed in the case of an error while connecting to the C2 server:” states FireEye.

Indicators of compromise (IoCs) and other info are included in the report published by FireEye.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – MuddyWater, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

6 hours ago

U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output…

10 hours ago

A critical flaw in OpenPGP.js lets attackers spoof message signatures

A critical flaw in OpenPGP.js, tracked as CVE-2025-47934, lets attackers spoof message signatures; updates have…

11 hours ago

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

15 hours ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

1 day ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

1 day ago