Latest Update24/05/2024

Threats Feed

  1. Public

    Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

    Deep Instinct researchers detected suspicious activity in a Southern U.S. infrastructure and construction company, revealing an attempted compromise of an Exchange server by an Iranian APT, PHOSPHORUS. Seven exploitation attempts were made, including installation of a root certificate and blending malicious traffic with legitimate. The attacker used malware to create a new user account, setup RDP access, and establish a reverse proxy to connect to the compromised system. A new evasion technique, involving masking malicious domains within legitimate ones, was also detected. PHOSPHORUS activities can be traced back to June 2020.

    read more about Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack
  2. Public

    ENT-11: Iranian APT Group's PowGoop Attacks Uncovered

    The Iranian APT group ENT-11, also known as MuddyWater, has been using a variant of the PowGoop malware, dubbed "E400", targeting foreign governments, telecommunications, energy sectors, intergovernmental economic cooperation organizations, and the banking sector, primarily in the Middle East. Insights from NTT Security revealed dozens of PowGoop command and control servers dating back to October 2020. The group appears to be winding down operations with the E400-PowGoop variant, but it is expected to continue modifying its tools and creating new variants.

    read more about ENT-11: Iranian APT Group's PowGoop Attacks Uncovered
  3. Public

    The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected

    The Iranian cyber espionage group UNC3313, also known as TEMP.Zagros and MuddyWater, has been identified as the perpetrator of a series of cyber attacks on Middle Eastern government and technology entities. The group used new targeted malware, GRAMDOOR and STARWHALE, to exploit vulnerabilities and gain unauthorized access. UNC3313 also utilized publicly available remote access software and modified open-source offensive security tools for lateral movement within the targeted systems. The group's activities suggest a strong focus on geopolitical targets and the telecommunications sector in the Middle East. The use of the Telegram API for command and control allows for malicious traffic to blend in with legitimate user behavior, indicating the group's efforts to evade detection.

    read more about The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected
  4. Public

    MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

    The Iranian government-sponsored APT group, MuddyWater, has been conducting cyber operations against government and private sector organizations across Asia, Africa, Europe, and North America. The targeted sectors include telecommunications, defense, local government, oil and natural gas. MuddyWater's campaigns involve the exploitation of public vulnerabilities, usage of open-source tools, spear-phishing, and the deployment of multiple types of malware such as PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS. The group has been active since 2018 and is known for maintaining persistence on victim networks and obfuscating PowerShell scripts to hide C2 functions.

    read more about MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors
  5. Public

    PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

    Iranian APT group Phosphorus has developed a new PowerShell backdoor, dubbed PowerLess Backdoor, for espionage purposes. Cybereason researchers discovered the backdoor while investigating the group's exploitation of the ProxyShell vulnerability. The backdoor allows for downloading additional payloads, evasive PowerShell execution, and encrypted communication with the command and control server. Connections were also found between the Phosphorus group and the Memento Ransomware.

    read more about PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool
  6. Public

    Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East

    The MuddyWater threat group continues to evolve its tactics and techniques. The group exploits publicly available offensive security tools and has been refining its custom toolset to avoid detection. It utilizes the PowGoop malware family, tunneling tools, and targets Exchange servers in high-profile organizations, particularly governmental entities and telecommunication companies in the Middle East. The group has also been observed exploiting CVE-2020-0688 and using Ruler for its malicious activities.

    read more about Evolution of MuddyWater: Targeting Governmental and Telecom Sectors in the Middle East
  7. Public

    CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability

    APT35 has started widespread scanning and attempts to leverage the Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed. The group used a modular PowerShell-based framework dubbed CharmPower for persistence, information gathering, and command execution.

    read more about CharmPower: APT35's Modular Toolset Exploits Log4j Vulnerability
  8. Public

    Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services

    An espionage campaign tentatively linked to the Iranian-backed Seedworm group has been using compromised organizations as stepping stones to additional victims or targets that may have been compromised solely to perform supply-chain-type attacks on other organizations. The attackers primarily used legitimate tools, publicly available malware, and living-off-the-land tactics, with a significant interest in Exchange Servers. While the ultimate end goal remains unknown, the focus on telecom operators suggests the attackers are gathering intelligence on the sector, potentially pivoting into communications surveillance.

    read more about Seedworm Group Suspected in Sweeping Espionage Campaign Across Telecom and IT Services
  9. Public

    Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

    Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.

    read more about Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault
  10. Public

    APT35 Cyber Espionage: From Phishing to Spyware and Beyond

    APT35 has used multiple tactics to compromise high-value targets. The group has used hijacked websites, such as one affiliated with a UK university, for credential phishing attacks. They have also uploaded spyware disguised as VPN software to app stores and impersonated conference officials to conduct phishing campaigns. Additionally, APT35 has utilized link shorteners and click trackers embedded within PDF files and abused services like Google Drive, App Scripts, and Sites pages. The group has adopted a novel approach by leveraging Telegram for real-time operator notifications, enabling them to monitor visitor information to their phishing sites.

    read more about APT35 Cyber Espionage: From Phishing to Spyware and Beyond
  11. Public

    SpoofedScholars: TA453 Targets Intelligence Interests Posing as British Scholars

    Iranian-state aligned actor TA453 has been covertly targeting individuals of intelligence interest to the Iranian government by masquerading as British scholars from the University of London's School of Oriental and African Studies (SOAS). The threat actor, targeted Middle Eastern experts, senior professors, and journalists. TA453 compromised a legitimate academic website to deliver personalized credential harvesting pages.

    read more about SpoofedScholars: TA453 Targets Intelligence Interests Posing as British Scholars
  12. Public

    Iranian APT34's Evolving Arsenal: A Deep Dive into the SideTwist Campaign

    The article from Check Point Research focuses on the resurgence of Iran's APT34 cyber espionage group, which has updated its tactics and tools. This group, also known as OilRig, has targeted a Lebanese entity using a new backdoor variant named "SideTwist". They have refined their strategies to evade detection, continuing their pattern of using job opportunity documents to deliver malware through LinkedIn. The article provides an in-depth analysis of the infection chain, the malware's capabilities, and its persistence techniques. It aligns with APT34's history of targeting Middle Eastern entities, underscoring the ongoing cyber threats in the region.

    read more about Iranian APT34's Evolving Arsenal: A Deep Dive into the SideTwist Campaign
  13. Public

    BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals

    In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign called BadBlood, targeting senior medical professionals in genetic, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual activity and may indicate a shift in TA453's targeting priorities. The attackers used spearphishing emails with links to a fake OneDrive site to harvest user credentials, potentially to exfiltrate email contents or use compromised accounts for further phishing campaigns.

    read more about BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals
  14. Public

    Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

    In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled their previous attacks and due to previous reports and OSINT research, DFIR believes with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account, and after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted out, as evidenced by the user agent strings and the similarity between commands.

    read more about Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS
  15. Public

    MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion

    The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.

    read more about MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion
  16. Public

    Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors

    The cyberespionage group, Static Kitten, launched a cyber attack primarily targeting the government sectors of the United Arab Emirates (UAE) and Kuwait. Using geopolitical lures and masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait, the attackers aimed to install a remote management tool called ScreenConnect on victims' devices. The campaign involved phishing emails, URL masquerading, and delivering ZIP files that purport to contain relevant documents but instead initiate the ScreenConnect installation process.

    read more about Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors
  17. Public

    Unwrapping Charming Kitten's Holiday Phishing Campaign

    During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

    read more about Unwrapping Charming Kitten's Holiday Phishing Campaign
  18. Public

    Phosphorus Targets Munich Security Conference and T20 Summit Attendees

    The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.

    read more about Phosphorus Targets Munich Security Conference and T20 Summit Attendees
  19. Public

    Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections

    The espionage group Seedworm (aka MuddyWater) has been actively targeting government organizations, telecoms, and computer services sectors across the Middle East, including Iraq, Turkey, Kuwait, the United Arab Emirates, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia, and Vietnam. Seedworm's recent activities, linked to the PowGoop tool, involve PowerShell usage, credential dumping, and DLL side-loading. The group establishes connections to its infrastructure using Secure Sockets Funneling and Chisel while deploying PowGoop through remote execution tools. The connection between PowGoop and Seedworm remains tentative, suggesting potential retooling.

    read more about Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections
  20. Public

    Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics

    In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

    read more about Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics
  21. Public

    Credential and Information Theft: APT33's Job Scam Campaign

    Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

    read more about Credential and Information Theft: APT33's Job Scam Campaign
  22. Public

    APT33 Elevates C2 Capabilities with New PowerShell Malware

    The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

    read more about APT33 Elevates C2 Capabilities with New PowerShell Malware
  23. Public

    MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector

    The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.

    read more about MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector
  24. Public

    Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors

    Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.

    read more about Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors