Latest Update20/12/2024

Threats Feed

  1. Public

    Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload

    A potential MuddyWater campaign has been discovered using a new sample found in May 2018. The campaign involves a malicious Microsoft Word document with an embedded macro capable of executing PowerShell scripts, leading to a PRB-Backdoor payload. Notably, the lure document's subject matter has changed from government or telecommunications-related documents to rewards or promotions, suggesting that targets may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform various functions, such as gathering system information, keylogging, and capturing screenshots.

    read more about Evolving MuddyWater Campaign Uncovered with PRB-Backdoor Payload
  2. Public

    PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered

    This report investigates the PRB-Backdoor, a powerful and multifunctional piece of malware suspected to be associated with the MuddyWater group. The malware is deployed via a macro-enabled Word document, utilizing PowerShell scripts for execution. It employs obfuscation techniques to conceal its activities and communicates with a command and control server over HTTP. The backdoor has a plethora of functionalities, including keylogging, screen capturing, system information collection, and password theft. The backdoor seems to be new and unique, with no references found in any public source.

    read more about PRB-Backdoor: MuddyWater's Multifaceted Malware Uncovered
  3. Public

    Cyber Espionage Evolution: MuddyWater’s Obfuscation Techniques and Anti-Analysis Measures

    The MuddyWater or Temp.Zagros group has resumed its activities after a perceived quiet phase, with recent samples revealing additional obfuscation layers. The group continues to use PowerShell, targeting regions such as Turkey, Iraq, and Pakistan, with a potential focus on governmental sectors. The recent malicious documents include a new variant of the POWERSTATS backdoor, with anti-analysis and debugging features such as BSOD functionality. They have also included checks for security software and process names to impair defensive measures.

    read more about Cyber Espionage Evolution: MuddyWater’s Obfuscation Techniques and Anti-Analysis Measures
  4. Public

    Multi-Stage Spear Phishing Attack Traced to Iran: TEMP.Zagros in Action

    The Iran-affiliated threat actor, TEMP.Zagros, orchestrated a spear-phishing campaign from January to March 2018, primarily targeting individuals across Turkey, Pakistan, Tajikistan, and India. This actor leveraged malicious macro-based documents with geopolitical themes to install the POWERSTATS backdoor on victims' systems. The campaign exhibited evolving tactics over time, employing both VBS files and INF/SCT files to indirectly execute PowerShell commands. The installed malware demonstrated a range of functionalities, from system data extraction and screenshot capture to checks for security tools and remote command execution.

    read more about Multi-Stage Spear Phishing Attack Traced to Iran: TEMP.Zagros in Action
  5. Public

    MuddyWater Resurfaces: Cyber Attacks Target Turkey, Pakistan, and Tajikistan

    A new cyber-espionage campaign, bearing similarities to the earlier MuddyWater attacks, is targeting government organizations and telecommunication companies in Turkey, Pakistan, and Tajikistan. The campaign uses spear-phishing tactics with malicious documents, leveraging social engineering to trick victims into enabling macros and activating payloads. Visual Basic and PowerShell scripts are used, with obfuscation techniques employed to evade detection. The attackers also use persistence methods and engage in system owner/user discovery, collecting system information and taking screenshots before sending this data to a command-and-control server.

    read more about MuddyWater Resurfaces: Cyber Attacks Target Turkey, Pakistan, and Tajikistan
  6. Public

    MuddyWater Targets Middle East Using POWERSTATS Backdoor

    The research team at Palo Alto Networks has discovered a group of targeted cyber-attacks against the Middle East region that occurred between February and October 2017, carried out by "MuddyWater". These attacks are espionage-related. The group used a PowerShell-based first-stage backdoor called "POWERSTATS", which evolved slowly over time, and targeted countries including the USA and India, as well as those within the Middle East like Saudi Arabia, Iraq, Israel, and the United Arab Emirates. The group also used GitHub to host its backdoor.

    read more about MuddyWater Targets Middle East Using POWERSTATS Backdoor
  7. Public

    Continuing MuddyWater Phishing Campaign Targets Middle East and Pakistan

    MuddyWater group continues its cyber-espionage operations, leveraging obfuscated PowerShell scripts within Word documents to infiltrate systems. These documents masquerade as legitimate entities, such as the Federal Investigation Agency of Pakistan. The tactics include sophisticated obfuscation techniques and a careful reconnaissance strategy, primarily focusing on the Middle East and Pakistan. The campaign deploys a variety of tools, including C&C servers and proxies, with a detailed focus on avoiding detection by analysis tools.

    read more about Continuing MuddyWater Phishing Campaign Targets Middle East and Pakistan
  8. Public

    Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs

    Entities in the Middle East, including Saudi Arabia and Iraq, were targeted by an early MuddyWater phishing campaign predominantly aimed at the government sector. Spear-phishing emails carrying malicious attachments were a key tactic, with PowerShell scripts being sourced from Pastebin and Filebin. To avoid detection, the attackers concealed their scripts. Upon examining the macro code and command and control scripts, parallels were found with a campaign previously discussed by Morphisec.

    read more about Unveiling MuddyWater Phishing Campaign: Middle Eastern Governments in the Crosshairs
  9. Public

    Saudi Arabian Government Hit by Stealthy Macro Malware

    A Saudi Arabian Government entity has been targeted by an innovative attack that relies on macros within malicious Word documents and leverages various scripts rather than a binary payload. The attack uses a VBScript to lower security settings within Microsoft Word and Excel and fetches data from Pastebin. A PowerShell script then communicates with the C2 server and exfiltrates data, persistently remaining undetected and continuing to collect information from the targeted system. The primary targeted sector is the Government.

    read more about Saudi Arabian Government Hit by Stealthy Macro Malware
  10. Public

    Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures middle eastern targets

    The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.

    read more about Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures middle eastern targets
  11. Public

    CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks

    The Iranian threat agent CopyKittens compromised multiple Israeli websites, including the Jerusalem Post, and one Palestinian Authority website between October 2016 and January 2017. The attackers bought access to the server to gain the access, inserting a single line of Javascript into existing libraries. This enabled them to load further malicious Javascript from a domain they controlled, selectively targeting users based on their IP addresses. The malicious payload used was the BeEF Browser Exploitation Framework.

    read more about CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks
  12. Public

    CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications

    CopyKitten, a known cyber-attack group, has launched a spearphishing campaign targeting the Israeli government’s Ministry of Communications. The investigation commenced with the identification of a suspicious domain that led to multiple related domains. One such domain closely mimicked the Israeli Prime Minister's SSL VPN login page and was used to drop a malicious Word document titled "Annual Survey.docx." This document had an embedded OLE object that communicated with a C2 server, signifying a well-planned attack. The campaign appears to be part of CopyKitten's ongoing activities against Israeli interests.

    read more about CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications
  13. Public

    Disttrack Malware Decimates Saudi Critical Infrastructure

    The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history, its resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. This abstract succinctly captures the essence of the malware's threat and operational dynamics for a general audience.

    read more about Disttrack Malware Decimates Saudi Critical Infrastructure
  14. Public

    Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks

    The report details the Magic Hound cyber campaign targeting primarily Saudi Arabia. The campaign leveraged spearphishing emails with malicious attachments and links, PowerShell scripts, Windows Command Shell, and obfuscation techniques like XOR and Base64 encoding. Additionally, the attackers utilized HTTP and HTTPS protocols for command and control communication.

    read more about Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks
  15. Public

    COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign

    SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (Aka OilRig). The attackers employed spear-phishing emails containing shortened URLs redirecting to spoofed domains. Victims were presented with a malicious Microsoft Office document, which executed PowerShell commands when opened, installing PupyRAT, a multi-platform remote access trojan (RAT).

    read more about COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign
  16. Public

    Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics

    In mid-November 2016, Mandiant responded to the Shamoon 2.0 malware attack targeting organizations in the Gulf states, marking the return of the suspected Iranian hacker group "Cutting Sword of Justice." This updated version of the 2012 Shamoon malware features embedded credentials, suggesting previous targeted intrusions for credential harvesting. Shamoon 2.0 performs subnet scanning, uses domain-specific credentials for unauthorized access, modifies system registries, and schedules tasks for execution. Its payload involves overwriting system files and wiping boot records, notably shifting imagery from a burning U.S. flag to a photograph of Alan Kurdi, symbolizing a devastating critique through cyber vandalism.

    read more about Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics