The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.
According to new research conducted by Symantec’s DeepSight Managed Adversary and Threat Intelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and has extended its targets to the telecom, IT services, and oil and gas industries.
The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.
In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation.
“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”
“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm,” reads the analysis published by Symantec.
The experts were able to gather further information on the group. Of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.
Most of the targets were in the telecommunications and IT services sectors.
Experts believe that the Seedworm APT is focused on telecommunications and IT services because they are interested in gaining access to customers of those firms.
Changing Tools and Techniques
Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar.
In recent campaigns, the cyber espionage group used new variants of their Powermud backdoor, a new backdoor (Powemuddy), and custom tools designed to steal passwords, create reverse shells, and escalate privileges, along with the native Windows cabinet creation tool.
“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded,” continues the analysis.
“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”
Once they have compromised a machine with their backdoors, the threat actors deploy a tool to steal passwords saved in browsers and credentials for email, social media, and chat accounts.
The attackers are very agile; they also used publicly available tools to quickly update their operations.
Unlike other APT groups that adopt custom malware for each campaign, Seedworm threat actors were more focused on the ability to quickly adapt their actions to specific circumstances.
According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.
Further details, including IoCs, are available in the report published by Symantec.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".