Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept

Pierluigi Paganini December 11, 2018

The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.

According to a new research conducted from Symantec’s DeepSight Managed Adversary and ThreatIntelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and extended its targets to the telecom, IT services, and oil and gas industries.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”

“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.” reads the analysis published by Symantec.

The experts were able to gather further information on the group, of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan,14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.

Most of the targets were in the telecommunications and IT services sectors.


Experts believe that the Seedworm APT is focused on telecommunications and IT services because they are interested in gaining access to customers of those firms. Changing Tools and Techniques

Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar. 

In recent campaigns, the cyber espionage group used new variants of their Powermud backdoor, a new backdoor (Powermuddy), and some custom tools designed to steal passwords, create reverse shells, escalate privilege, and use of the native Windows cabinet creation tool.

“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded.” continues the analysis.

“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”

Once compromised a machine with its backdoors, threat actors deploy a tool to steal passwords saved in browsers, email accounts, social media, and chat access.

Attackers are very agile, they also used publicly available tools to quickly update operations.

Unlike other APT groups that adopt custom malware for each campaign, Seedworm threat actors were more focused on the ability to quickly adapt their action to the specific circumstance. 

According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.

Further details, including IoCs are reported in the report published by Symantec.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –Seedworm , APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment