Pierluigi Paganini December 15, 2021

Researchers uncovered a new Seedworm campaign targeting telecommunication and IT service providers in the Middle East and Asia.

Iran-linked APT group Seedworm (aka MERCURY, MuddyWater, TEMP.Zagros, or Static Kitten) is behind a new cyberespionage campaign targeting telecommunication and IT service providers in the Middle East and Asia, Symantec warns.

The Seedworm has been active since at least 2017, the recent campaign has been conducted over the past six months and targeted entities in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.

The threat actors don’t use custom malware and instead rely on legitimate tools, publicly available malware, and living-off-the-land tactics.

The attackers focus on Exchange Servers in the attempt to deploy web shells to establish a backdoor within the target network. 

Once breached a targeted network, the threat actors attempt to steal credentials and make lateral movements.

“Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company.” reads the report published by the experts. “In most attacks, the infection vector is unknown. Evidence of a possible vector was found at only one target. A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.”

In one case analyzed by the researchers, attackers used a ZIP file named “Special discount program.zip,” which contained an installer for a remote desktop software application. The malicious archive was likely spread through spear-phishing messages.

In one of the attacks aimed at a telecommunication firm in the Middle East that began in August 2021, the threat actors created a service to launch an unknown Windows Script File (WSF) used to perform reconnaissance on the network

Then the attackers used PowerShell to download and execute more WSFs, then used Certutil to download tunneling tools and run WMI, which was used to get remote machines to carry out the following tasks:

• Execute Certutil to download an unknown file
• Execute Certutil to download an unknown WSF file and execute Wscript to launch this script
• Execute PowerShell to download and execute content
• Execute PowerShell to download a suspected web shell to an Exchange Server

Attackers mixed the use of scripts to automate the operations with the use of a manual approach as part of some intrusion.

Once established a foothold on the target network, the cyberspies use the eHorus remote access tool to do the following actions:

1. Deliver and run a (suspected) Local Security Authority Subsystem Service (LSASS) dumping tool.
2. Deliver (what are believed to be) Ligolo tunneling tools.
3. Execute Certutil to request a URL from Exchange Web Services (EWS) of (what appears to be) other targeted organizations.

In the recent campaign against telecommunication, the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations. Threat actors used the following commands, likely to check connectivity to these organizations:

certutil.exe -urlcache –split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx
certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews

Symantec reported that the attackers made heavy use of legitimate tools and publicly available hacking tools, including:

• ScreenConnect: Legitimate remote administration tool
• RemoteUtilities: Legitimate remote administration tool
• eHorus: Legitimate remote administration tool
• Ligolo: Reverse tunneling tool
• Hidec: Command line tool for running a hidden window
• Nping: Packet generation tool
• LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
• SharpChisel: Tunneling tool
• Password Dumper
• CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
• ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
• SOCKS5 proxy server: Tunneling tool
• Keylogger: Retrieves browser credentials
• Mimikatz: Publicly available credential dumping tool

“There is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP addresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.” concludes the analysis. “There is also some overlap in tools between this campaign and earlier Seedworm campaigns. ScreenConnect, RemoteUtilities, SharpChisel, Ligolo, ProcDump, and Password Dumper were all referenced by Trend Micro in a March 2021 blog on Seedworm activity. In the case of two tools – SharpChisel and Password Dumper – identical versions were used in this campaign to those that were documented by Trend.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Seedworm)

[adrotate banner=”5″]

[adrotate banner=”13″]