Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies
The Iran-linked cyber-espionage group known as Seedworm appears to have added a new downloader to its arsenal and to have started conducting destructive attacks, security researchers report.
Also referred to as MuddyWater, MERCURY, and Static Kitten, the cyber-espionage group was first analyzed in 2017. Seedworm focuses on organizations in the Middle East and nearby regions.
The threat actor is highly active and is known for the use of a broad and varied toolset. Earlier this month, the group was observed actively targeting the Zerologon vulnerability that Microsoft patched in August.
According to recent reports from ClearSky and Symantec, MuddyWater recently added to its arsenal a downloader called PowGoop, which earlier this year was used in attacks employing the Thanos ransomware against an organization in the Middle East.
PowGoop contains a DLL loader and a PowerShell-based downloader, with the latter designed to decrypt and run the former. The downloader is a fake Google Update mechanism similar to the MoriAgent / PudPoul DLL loader, which was previously attributed to MuddyWater.
“While we cannot confirm the connection, we believe the actors deploying the Thanos ransomware at the Middle Eastern state-run organization also used a downloader that we call PowGoop. The actors would use the PowGoop downloader to reach out to a remote server to download and execute additional PowerShell scripts,” Palo Alto Networks noted in a September 4 report.
The attacks, which were observed on July 6 and July 9, 2020, featured a Thanos variant that was better at evading analysis tools, could monitor for newly attached storage devices, and was also able to overwrite the MBR, functionality that makes this variant destructive rather than merely extortive in nature.
Last week, in a report linking PowGoop to MuddyWater, ClearSky noted that the hacking group appears to have started employing wipers in assaults hidden behind apparent ransomware operations. Other Iranian hackers too have employed wipers, Shamoon being the most infamous of them.
“Although we didn’t see execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor, and the realization of this vector in the past, a destructive purpose is more likely than a ransomware that is being deployed for financial goals,” ClearSky noted.
Now, Symantec too says it was able to draw a connection between MuddyWater and PowGoop, after discovering the downloader on systems where one of the group’s backdoors was installed. Furthermore, MuddyWater’s Powerstats (Powermud) backdoor was apparently superseded by DLL side-loading of PowGoop.
“On the same machine where Seedworm was active, a tool known as PowGoop was deployed. This same tool was also deployed against several of the organizations attacked by Seedworm in recent months,” Symantec says.
PowGoop appears to have been used in attacks targeting governments, education, oil and gas, real estate, technology, and telecoms organizations in Afghanistan, Azerbaijan, Cambodia, Iraq, Israel, Georgia, Turkey, and Vietnam.
Symantec’s analysis revealed the use of the Remadmin remote code execution tool to deploy PowGoop, identified artefacts suggesting that PowGoop was masquerading as a Google tool, and noted the use of SSF and Chisel.
Analysis of PowGoop activity would suggest that the downloader might be “an evolution of Powerstats rather than a completely new tool,” Symantec notes, adding that there isn’t enough evidence to confirm the hypothesis. Furthermore, the security firm is unsure of the destructive purpose of the attacks.
“Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop. This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos,” Symantec says.