Threats Feed

This NSFOCUS report details an analysis of a leaked toolkit belonging to the APT34 hacking group, also known for its similarities to OilRig. The report focuses on the toolkit's components, including Trojans such as Glimpse and PoisonFrog, and Webshells used for privilege escalation and data exfiltration, primarily targeting the energy and financial sectors, particularly in China and the Middle East. The analysis details the functionality and communication methods of the tools, which use DNS tunneling for command and control.

TA407 (Silent Librarian) has consistently targeted universities, particularly in the US, Europe, and North America, in credential phishing campaigns. Using tailored phishing pages mimicking university login portals, the group compromises accounts to steal academic data, intellectual property, and user credentials. Between 2013 and 2017, TA407 caused over $3.4 billion in intellectual property losses, affecting thousands of university accounts worldwide. The group exploits Freenom domains and various URL shorteners, including university-based services, to distribute phishing links and expand their reach within academia.

Tortoiseshell deployed a fake website targeting U.S. military veterans seeking jobs. The site tricked users into downloading a malicious app that served as a malware downloader, deploying spying tools and other malware. The fake website had users download a fake installer, which downloaded two binaries: a reconnaissance tool and a Remote Administrative Tool (RAT). The reconnaissance tool collected extensive information about the victim's machine, while the RAT allowed further remote control.

The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, focusing on supply chain attacks to compromise the IT providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers in targeted attacks. The custom malware, Backdoor.Syskit allowed for downloading and executing additional tools and commands. The attackers used various information-gathering tools, achieving domain admin-level access on at least two organizations, and it is suspected they compromised a web server to deploy malware onto the network.

COBALT DICKENS, linked to Iran's Mabna Institute, continues to launch large-scale phishing campaigns targeting universities around the world. In July and August 2019, the group launched a global operation that compromised more than 60 universities in the US, UK, Australia, Canada, Hong Kong and Switzerland. Using spoofed login pages for library resources, they stole login credentials through phishing emails. The attackers registered domains using free TLDs and used legitimate SSL certificates to make their phishing infrastructure more convincing. Despite multiple takedowns and indictments, COBALT DICKENS remains active, targeting over 380 universities in more than 30 countries and using free tools and public services to maintain its operations.

Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

The Iranian APT group MuddyWater has expanded its tactics, targeting government, telecommunications and military sectors in countries such as Tajikistan, Pakistan and Iraq. New campaigns include decoy documents exploiting CVE-2017-0199 and malicious VBA macros, with second-stage payloads downloaded from compromised servers. Primary targets have impersonated entities in the region surrounding Iran, including Iraqi and Pakistani organisations. The group also uses RATs for process detection, using obfuscation techniques such as Base64 encoding and JavaScript layers. Compromised servers in Pakistan and China facilitated these operations, demonstrating MuddyWater's sophisticated arsenal and focus on espionage.

The APT34/OILRIG group, linked to Iranian intelligence, had its operational details leaked by the "Lab Dookhtegan" group on Telegram. The leaks revealed a C2 infrastructure, PowerShell-based agents, ASP web shells ("HighShell" and "HyperShell"), and a DNS-based espionage toolset ("dnspionage"). These tools facilitate file transfer, credential theft and covert communication via proxies and DNS manipulation. The attackers also collected sensitive data, including domain admin credentials, indicating a potential target for high-value networks. While specific sectors or countries are not detailed, the tools suggest a focus on espionage and disruption. Other tools, such as 'MinionProject' and 'FoxPanel222', remain under analysis.

The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.

Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.

The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.

The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros, thereby initiating malware extraction and execution. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.

In August 2018, Secureworks researchers uncovered a credential-stealing campaign targeting universities worldwide, likely conducted by the Iranian-linked COBALT DICKENS group. The attackers used spoofed login pages for 76 universities across 14 countries, including the US, UK, Canada, Israel, and Australia. By creating lookalike domains, the group aimed to phish victims and steal credentials, likely to access intellectual property and academic resources. The infrastructure supporting the campaign was actively developed, with many domains registered just before the attacks. The group's tactics mirrored prior operations targeting academic institutions, despite public indictments against members earlier that year.

The Iranian APT group Charming Kitten impersonated Israeli cybersecurity firm ClearSky by creating a phishing website that mimicked the legitimate Clearskysec.com domain. The fake site, hosted on an older compromised server, replicated ClearSky's public web pages and included phishing login options to harvest credentials. ClearSky identified the incomplete site, which was taken down before it could affect any victims. Charming Kitten has previously targeted academic researchers, human rights activists, media outlets and political consultants in Iran, the US, UK and Israel. Known for spear-phishing, impersonating organisations, and deploying malware such as DownPaper, this campaign underscores the ongoing threat to security researchers and geopolitical targets.

A potential MuddyWater campaign has been discovered using a new sample found in May 2018. The campaign involves a malicious Microsoft Word document with an embedded macro capable of executing PowerShell scripts, leading to a PRB-Backdoor payload. Notably, the lure document's subject matter has changed from government or telecommunications-related documents to rewards or promotions, suggesting that targets may no longer be limited to specific industries or organizations. The backdoor communicates with a C&C server to perform various functions, such as gathering system information, keylogging, and capturing screenshots.

This report investigates the PRB-Backdoor, a powerful and multifunctional piece of malware suspected to be associated with the MuddyWater group. The malware is deployed via a macro-enabled Word document, utilizing PowerShell scripts for execution. It employs obfuscation techniques to conceal its activities and communicates with a command and control server over HTTP. The backdoor has a plethora of functionalities, including keylogging, screen capturing, system information collection, and password theft. The backdoor seems to be new and unique, with no references found in any public source.

The MuddyWater or Temp.Zagros group has resumed its activities after a perceived quiet phase, with recent samples revealing additional obfuscation layers. The group continues to use PowerShell, targeting regions such as Turkey, Iraq, and Pakistan, with a potential focus on governmental sectors. The recent malicious documents include a new variant of the POWERSTATS backdoor, with anti-analysis and debugging features such as BSOD functionality. They have also included checks for security software and process names to impair defensive measures.

Silent Librarian, an Iranian group tied to the Mabna Institute, has been conducting credential-phishing campaigns targeting over 300 universities and institutions worldwide since 2013. These campaigns focus on prominent research, medical, and technical universities, mainly in the US, UK, Canada, and Australia, as well as non-academic institutions like Los Alamos National Laboratory. Using spoofed emails, Freenom domains, and Let's Encrypt SSL certificates, the group collected credentials to access valuable research data. PhishLabs identified over 750 attacks and 127 phishing domains. The attackers leveraged infrastructure such as temporary email accounts and domain registrations to execute their campaigns.

The Iran-affiliated threat actor, TEMP.Zagros, orchestrated a spear-phishing campaign from January to March 2018, primarily targeting individuals across Turkey, Pakistan, Tajikistan, and India. This actor leveraged malicious macro-based documents with geopolitical themes to install the POWERSTATS backdoor on victims' systems. The campaign exhibited evolving tactics over time, employing both VBS files and INF/SCT files to indirectly execute PowerShell commands. The installed malware demonstrated a range of functionalities, from system data extraction and screenshot capture to checks for security tools and remote command execution.

A new cyber-espionage campaign, bearing similarities to the earlier MuddyWater attacks, is targeting government organizations and telecommunication companies in Turkey, Pakistan, and Tajikistan. The campaign uses spear-phishing tactics with malicious documents, leveraging social engineering to trick victims into enabling macros and activating payloads. Visual Basic and PowerShell scripts are used, with obfuscation techniques employed to evade detection. The attackers also use persistence methods and engage in system owner/user discovery, collecting system information and taking screenshots before sending this data to a command-and-control server.

The research team at Palo Alto Networks has discovered a group of targeted cyber-attacks against the Middle East region that occurred between February and October 2017, carried out by "MuddyWater". These attacks are espionage-related. The group used a PowerShell-based first-stage backdoor called "POWERSTATS", which evolved slowly over time, and targeted countries including the USA and India, as well as those within the Middle East like Saudi Arabia, Iraq, Israel, and the United Arab Emirates. The group also used GitHub to host its backdoor.

MuddyWater group continues its cyber-espionage operations, leveraging obfuscated PowerShell scripts within Word documents to infiltrate systems. These documents masquerade as legitimate entities, such as the Federal Investigation Agency of Pakistan. The tactics include sophisticated obfuscation techniques and a careful reconnaissance strategy, primarily focusing on the Middle East and Pakistan. The campaign deploys a variety of tools, including C&C servers and proxies, with a detailed focus on avoiding detection by analysis tools.