Iran-linked APT group Seedworm (aka MERCURY, MuddyWater, TEMP.Zagros, or Static Kitten) is behind a new cyberespionage campaign targeting telecommunication and IT service providers in the Middle East and Asia, Symantec warns.
The Seedworm has been active since at least 2017, the recent campaign has been conducted over the past six months and targeted entities in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.
The threat actors don’t use custom malware and instead rely on legitimate tools, publicly available malware, and living-off-the-land tactics.
The attackers focus on Exchange Servers in the attempt to deploy web shells to establish a backdoor within the target network.
Once breached a targeted network, the threat actors attempt to steal credentials and make lateral movements.
“Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company.” reads the report published by the experts. “In most attacks, the infection vector is unknown. Evidence of a possible vector was found at only one target. A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount program.zip”, suggesting that it arrived in a spear-phishing email.”
In one case analyzed by the researchers, attackers used a ZIP file named “Special discount program.zip,” which contained an installer for a remote desktop software application. The malicious archive was likely spread through spear-phishing messages.
In one of the attacks aimed at a telecommunication firm in the Middle East that began in August 2021, the threat actors created a service to launch an unknown Windows Script File (WSF) used to perform reconnaissance on the network
Then the attackers used PowerShell to download and execute more WSFs, then used Certutil to download tunneling tools and run WMI, which was used to get remote machines to carry out the following tasks:
Attackers mixed the use of scripts to automate the operations with the use of a manual approach as part of some intrusion.
Once established a foothold on the target network, the cyberspies use the eHorus remote access tool to do the following actions:
In the recent campaign against telecommunication, the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations. Threat actors used the following commands, likely to check connectivity to these organizations:
certutil.exe -urlcache –split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews
Symantec reported that the attackers made heavy use of legitimate tools and publicly available hacking tools, including:
“There is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP addresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.” concludes the analysis. “There is also some overlap in tools between this campaign and earlier Seedworm campaigns. ScreenConnect, RemoteUtilities, SharpChisel, Ligolo, ProcDump, and Password Dumper were all referenced by Trend Micro in a March 2021 blog on Seedworm activity. In the case of two tools – SharpChisel and Password Dumper – identical versions were used in this campaign to those that were documented by Trend.”
(SecurityAffairs – hacking, Seedworm)