An Iran-nexus threat actor was discovered deploying two new pieces of targeted malware with “simple” backdoor functionality as part of an intrusion against an unnamed government entity in the Middle East in November 2021.
Cybersecurity firm Mandiant attributed the attack to an uncategorized cluster it tracks under the moniker UNC3313, which it assesses with “moderate confidence” to be associated with the state-sponsored group MuddyWater.
“UNC3313 performs surveillance and collects strategic information to support Iranian interests and decision-making,” said researchers Ryan Tomcik, Emiel Haeghebaert and Tufail Ahmed. “Targeting patterns and associated decoys demonstrate a strong focus on targets with a geopolitical connection.”
In mid-January 2022, US intelligence agencies characterized MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations.
The attacks were allegedly orchestrated via spear-phishing messages to gain initial access, followed by the use of offensive security tools and publicly available remote access software for lateral movement and for maintaining access to the environment.
The phishing emails were crafted with a job promotion lure and tricked several victims into clicking a URL to download a RAR archive file hosted on OneHub, which paved the way for the installation of ScreenConnect, legitimate remote access software, to gain a foothold.
“UNC3313 quickly established remote access using ScreenConnect to infiltrate systems within an hour of the initial compromise,” the researchers noted, adding that the security incident was quickly contained and remediated.
Subsequent phases of the attack involved escalating privileges, performing internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads to remote systems.
Also observed was a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that executes commands received from a hard-coded command-and-control (C2) server over HTTP.
Another implant delivered during the attack is GRAMDOOR, so named because of its use of the Telegram API for network communications with the attacker-controlled server in an attempt to evade detection, once again highlighting the use of communication tools to facilitate data exfiltration.
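The two C2 behaviours described above (a script file calling out over HTTP to a hard-coded server, and a process other than a messaging client calling the Telegram Bot API) lend themselves to a simple correlation over endpoint telemetry. The following is an added example, not code from the article or from Mandiant’s report; the event field names, the process allowlist, and the sample events are all assumptions.

```python
# Added example (not part of the article or Mandiant's report): a toy triage
# pass over constructed endpoint telemetry that flags the two C2 patterns the
# article describes: a Windows Script File making HTTP connections to a
# hard-coded server (STARWHALE-style) and a non-Telegram process reaching the
# Telegram Bot API (GRAMDOOR-style). Field names and sample values are assumed.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # the hosts that run .wsf files
TELEGRAM_API = "api.telegram.org"
TELEGRAM_CLIENTS = {"telegram.exe"}             # assumed legitimate API caller


def triage(events):
    """Return (rule, process, dest_host) tuples for events matching a rule."""
    hits = []
    for ev in events:
        proc = ev["process"].lower()
        cmd = ev.get("cmdline", "").lower()
        dest = ev.get("dest_host", "")
        if not dest:
            continue  # no outbound connection recorded, nothing to correlate
        # Rule 1: a script host executing a .wsf file that talks to the network
        if proc in SCRIPT_HOSTS and ".wsf" in cmd:
            hits.append(("wsf_script_host_http", proc, dest))
        # Rule 2: Telegram Bot API contacted by something other than the client
        if dest.lower() == TELEGRAM_API and proc not in TELEGRAM_CLIENTS:
            hits.append(("telegram_api_non_client", proc, dest))
    return hits


# Constructed sample telemetry (198.51.100.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"process": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Roaming\update.wsf",
     "dest_host": "198.51.100.23"},
    {"process": "chrome.exe", "cmdline": "chrome.exe", "dest_host": "onehub.com"},
    {"process": "telegram.exe", "cmdline": "telegram.exe",
     "dest_host": "api.telegram.org"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "dest_host": "api.telegram.org"},
    {"process": "cscript.exe", "cmdline": "cscript.exe inventory.vbs",
     "dest_host": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

In production the same two rules would be expressed against whatever process and network event source the environment collects; the benign rows (a browser download and the real Telegram client) are included to show that the rules do not fire on them.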
The findings also coincide with a new joint advisory from UK and US cybersecurity agencies accusing the MuddyWater group of espionage attacks targeting the defence, local government, oil and natural gas, and telecommunications sectors around the world.