An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with “simple” backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021.
Cybersecurity company Mandiant attributed the attack to an uncategorized cluster it’s tracking under the moniker UNC3313, which it assesses with “moderate confidence” as associated with the MuddyWater state-sponsored group.
“UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making,” researchers Ryan Tomcik, Emiel Haeghebaert, and Tufail Ahmed said. “Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus.”
In mid-January 2022, U.S. intelligence agencies characterized MuddyWater (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations.
The attacks are said to have been orchestrated via spear-phishing messages to gain initial access, followed by taking advantage of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment.
The phishing emails were crafted with a job promotion lure and deceived multiple victims to click a URL to download a RAR archive file hosted on OneHub, which paved the way for the installation of ScreenConnect, a legitimate remote access software, for gaining a foothold.
“UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise,” the researchers noted, adding the security incident was quickly contained and remediated.
Subsequent phases of the attack involved escalating privileges, carrying out internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads on remote systems.
Also observed was a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that executes commands received commands from a hardcoded command-and-control (C2) server via HTTP.
Another implant delivered during the course of the attack is GRAMDOOR, so named owing to its use of the Telegram API for its network communications with the attacker-controlled server in a bid to evade detection, once again highlighting the use of communication tools for facilitating exfiltration of data.
The findings also coincide with a new joint advisory from cybersecurity agencies from the U.K. and the U.S., accusing the MuddyWater group of espionage attacks targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.