Cyber: Iran-linked Muddywater Hackers Target U.s. Networks With New...
New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in several U.S. companies' networks, including banks, airports, non-profit, and the Israeli arm of a software company.
The activity has been attributed to a state-sponsored hacking group called MuddyWater (aka Seedworm). It's affiliated with the Iranian Ministry of Intelligence and Security (MOIS). The campaign is assessed to have begun in early February, with recent activity detected following U.S. and Israeli military strikes on Iran.
"The software company is a supplier to the defense and aerospace industries, among others, and has a presence in Israel, with the company's Israel operation seeming to be the target in this activity," the security vendor said in a report shared with The Hacker News.
The attacks targeting the software company, as well as a U.S. bank and a Canadian non-profit, have been found to pave the way for a previously unknown backdoor dubbed Dindoor, which leverages the Deno JavaScript runtime for execution. Broadcom said it also identified an attempt to exfiltrate data from the software company using the Rclone utility to a Wasabi cloud storage bucket. However, it's currently not known if the effort paid off.
Also found in the networks of a U.S. airport and a non-profit was a separate Python backdoor called Fakeset, which was downloaded from servers belonging to Backblaze, an American cloud storage and data backup company. The digital certificate used to sign Fakeset has also been used to sign Stagecomp and Darkcomp malware, both previously linked to MuddyWater.
"While this malware wasn't seen on the targeted networks, the use of the same certificates suggests the same actor -- namely Seedworm -- was behind the activity on the networks of the U.S. companies," Symantec and Carbon Black said.
"Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they've also demonstrated strong social engineering capabilities, including spear-phishing campaigns and 'honeytrap' operations used to build relationships with targets of interest to gain access to accounts or sensitive information."
The findings come against the backdrop of an escalating military conflict in Iran, triggering a barrage of cyber attacks in the digital sphere. Recent research from Check Point has uncovered the pro-Palestinian hacktivist group known as Handala
