Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10/21/2020
12:00 PM
50%
50%

Iranian Cyberattack Group Deploys New PowGoop Downloader Against Mideast Targets

Seedworm Group, aka MuddyWater, is also deploying commodity ransomware as part of espionage attacks on companies and government agencies in the Middle East region.

An Iranian cyberattack group known as Seedworm — thought to be linked to Iran's government — has started using new tools, including a custom download utility and commodity ransomware, as part of their attacks on companies and government agencies in the broader Middle East region, according to Broadcom's Symantec division.

Seedworm appears to be deploying several variants of a new downloader, known as PowGoop, to more recent targets, Symantec researchers stated in an analysis published. The software downloads and decrypts obfuscated PowerShell scripts to run on compromised systems, using the common utility as a way to execute code. In addition, the group is deploying ransomware, known as Thanos, which first appeared for sale earlier this year and appears to be used by Seedworm for its destructive capabilities, the researchers said.

Related Content:

The No Good, Very Bad Week for Iran's Nation-State Hacking Ops

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Expert Tips to Keep WordPress Safe

The use of the malicious program does not necessarily indicate a shift to ransomware-based cybercrime for the group, but rather an adoption of a broader variety of tactics for countering defensive measures, says Vikram Thakur, Symantec's technical director. 

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," he says. "We ... don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most."

The Symantec analysis is part of the security industry's attempt to attribute specific tactics, techniques, and procedures (TTPs) to particular adversary groups. While the Thanos ransomware is a commodity program offered for sale in underground forums, the PowGoop backdoor program for downloading scripts is custom software made by the group, Symantec stated in its analysis. The company published more than 30 indicators of compromise in the analysis, about half of which related to PowGoop. 

The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis. "While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation."

PowGoop appears to be part of the Seedworm group's development of a suite of custom tools for compromising targets and extending their infiltration into networks. The dynamically linked library is installed by a remote execution tool, known as Remadmin, often posing as a Google update archive. The software decodes PowerShell scripts and then executes them, allowing the attackers to move laterally through a network after the initial compromise. 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur says.

PowGoop has also been detected by other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa in early September.

In addition, the company confirmed sightings of the Thanos ransomware detected by threat intelligence firm Recorded Future in February. The developers of the ransomware program advertised it for sale on underground forums, likely meaning the ransomware will be used by multiple groups, the companies stated. Palo Alto Networks' analysis concluded, however, that the ransomware is often used for its destructive capabilities. 

"The interesting part of the overwriting of the MBR [master boot record] in this specific sample is that it does not work correctly, which can be blamed on either a programming error or the custom message included by the actor," Palo Alto Networks stated in its analysis. "We confirmed that after changing this single character, the MBR overwriting functionality works, which results in the following being displayed instead of Windows booting correctly."

Changing tools sets and destructive attacks are common tactics to confuse attribution and slow incident response. Such countermeasures have become increasingly common, with 82% of incident response (IR) engagements including counter-IR tactics and 54% utilizing destructive elements to slow response, according to a new report by security firm VMware Carbon Black. In addition, half of all attacks use custom malware — in the same way Seedworm uses PowGoop — the report stated. 

While Seedworm does not appear to be involved in attacks on US elections, that remains a concern among incident responders, with Iran, at 19%, the No. 3 most worrisome aggressor, behind Russia (58%) and North Korea (27%).

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4626
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1 (CP4S) could reveal sensitive information about the internal network to an authenticated user using a specially crafted HTTP request. IBM X-Force ID: 185362.
CVE-2020-4627
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 185367.
CVE-2020-4696
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1(CP4S) does not invalidate session after logout which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.
CVE-2020-4900
PUBLISHED: 2020-11-30
IBM Business Automation Workflow 19.0.0.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 190991.
CVE-2020-4624
PUBLISHED: 2020-11-30
IBM Cloud Pak for Security 1.3.0.1 (CP4S) uses weaker than expected cryptographic algorithms during negotiation could allow an attacker to decrypt sensitive information.