Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections
- Actor Motivations: Espionage
- Attack Vectors: Backdoor, Downloader, Malware
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
The espionage group Seedworm (aka MuddyWater) has been actively targeting government organizations, telecoms, and computer services providers across the Middle East and Asia, including Iraq, Turkey, Kuwait, the United Arab Emirates, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia, and Vietnam. Its recent activity, linked to the PowGoop tool, involves heavy PowerShell usage, credential dumping, and DLL side-loading. The group tunnels back to its infrastructure with Secure Socket Funneling (SSF) and Chisel, and deploys PowGoop through remote execution tools. The attribution of PowGoop to Seedworm remains tentative; if it holds, it indicates that the group has retooled, and defenders should treat the indicators below as a point-in-time snapshot rather than a stable signature of the actor.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Government Agencies and Services | Verified |
Sector | Information Technology | Verified |
Sector | Real Estate | Verified |
Sector | Education | Verified |
Sector | Oil and Gas | Verified |
Sector | Telecommunication | Verified |
Region | Afghanistan | Verified |
Region | Azerbaijan | Verified |
Region | Cambodia | Verified |
Region | Georgia | Verified |
Region | Iraq | Verified |
Region | Israel | Verified |
Region | Kuwait | Verified |
Region | Turkey | Verified |
Region | United Arab Emirates | Verified |
Region | Vietnam | Verified |
Extracted IOCs
- 1827f822af72998e2c2e17c1fbc1e97892419ccad0ffe803e38a6f9b3e62ef1a
- 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169
- 200e2448b5ea343f8224f1b3945842bc33cedd9a543930d9b0f038508f00fc82
- 3621bb900674cd249f3c93a442d06af0a390bf773c26fc0506b568fd9e395d9f
- 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
- 4bbcbf1dba0cdd4afa13b62f258aba3aecbcae0f80794b060044a48c499feabc
- 59d50a7b0a49642c8a85601e1c97edeba0a711cd1c802710f5d3fdc08b2673dd
- 5c54bd254b752133577df4d8a901cd37562881cab3bd08aee3475355a9740d89
- 70400207a45e77baf25497219c2b9e725246207f10afe67e15b0c274f8895aa9
- 7200e2d151aa73a89311f5dd1b6f41b0aac653b377ee9106a7883ba9120d6985
- 85859c909b1da57733dbf8be36a0aad73b97113914e34f32c478ce75e5511c8d
- 881226d3186f4904e8a7cecae3b5690696a74828035caa0041ea07b57aaa4557
- 8a53d01ca46ec0fab30eb7deab8b083f91a364fcb7f198625e5db2ae43e4cff7
- 950469b0acef00d8074eb1642d153675f07a13ab8eb4acada30c06df0c3261d2
- 9f2b765ba1361b77307f79d91472e99e142c716e22c410fe528771c233e08822
- 9f4c3cdb011798335258549f5e660dbf65a0f44ed991f12d1fd16c075879c942
- a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8
- ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88
- be202975c100caf7d85ad7e98e38279280e7c63482dd421bbce1495755c75622
- c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8
- d3bbb2fee563108345db9d8b6feb72352ea7534798f72757a7e114bf94f2ac78
- dbcaf92cef112cc438014df4d70acc4e05d68fcbd1d3d9a946130babe7fb94fd
- fd0b8a09f02319f6127f5d17e3070174d6aa0714fcdd3794a0a732f380f13747
- 104[.]168.14.116
- 107[.]172.97.172
- 107[.]173.141.103
- 107[.]173.141.114
- 107[.]173.181.139
- 107[.]175.0.140
- 185[.]141.27.156
- 185[.]183.96.11
- 192[.]210.214.83
Tip: 32 related IOCs (9 IP, 0 domain, 0 URL, 0 email, 23 file hash) to this threat have been found.
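The IOC list above is published in feed form (defanged IPs, lowercase SHA-256 hashes), and the overview describes PowerShell-driven intrusions with outbound tunnels to the listed infrastructure. The block below is an added example, not code from the original page or from any vendor, showing how a hunter would turn that list into a matcher and run it over endpoint telemetry. It uses a subset of the hashes and IPs printed above; the Sysmon-style events (EventID 1 process creation, EventID 3 network connection), the host paths, and the user names are constructed for the demo. One practical check it encodes: Sysmon writes hashes in upper case inside a `SHA1=...,SHA256=...` field, so a naive string compare against a lowercase feed silently misses every hit.

```python
"""Hunt for the Seedworm/PowGoop IOCs from this page in constructed host telemetry.

Added example, not the page's or any vendor's code. IOC values are a subset of
the ones published above; the log events are constructed for the demonstration.
"""
import json
import re

# Subset of the page's IOCs, copied as published (defanged IPv4, SHA-256).
RAW_IOCS = """
1827f822af72998e2c2e17c1fbc1e97892419ccad0ffe803e38a6f9b3e62ef1a
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8
104[.]168.14.116
185[.]141.27.156
192[.]210.214.83
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo common defanging so a feed value can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def parse_iocs(text):
    """Split a feed into typed sets; unrecognised lines are kept for review, not dropped."""
    hashes, ips, unknown = set(), set(), []
    for line in text.splitlines():
        v = refang(line.lower())
        if not v:
            continue
        if SHA256_RE.match(v):
            hashes.add(v)
        elif IPV4_RE.match(v):
            ips.add(v)
        else:
            unknown.append(v)
    return {"sha256": hashes, "ipv4": ips, "unknown": unknown}


# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# Hashes are upper case on purpose: that is how Sysmon emits them.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=3C2FE308C0A563E06263BBACF793BBE9B2259D795FCC36B953793A7E499E7F71",
     "User": "CORP\\svc-backup"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "192.210.214.83", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
     "User": "CORP\\alice"},
]


def event_sha256(event):
    """Pull the SHA-256 out of Sysmon's 'SHA1=...,SHA256=...' field, case-normalised."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def match_events(events, iocs):
    """Return (event_index, ioc_type, ioc_value) for every event that hits the feed."""
    hits = []
    for i, ev in enumerate(events):
        h = event_sha256(ev)
        if h in iocs["sha256"]:
            hits.append((i, "sha256", h))
        dst = ev.get("DestinationIp")
        if dst in iocs["ipv4"]:
            hits.append((i, "ipv4", dst))
    return hits


if __name__ == "__main__":
    feed = parse_iocs(RAW_IOCS)
    for idx, kind, value in match_events(SAMPLE_EVENTS, feed):
        print(json.dumps({"event": idx, "type": kind, "ioc": value}))
```

Swap `RAW_IOCS` for the full list above and `SAMPLE_EVENTS` for a real Sysmon or EDR export to run it for real. Anything that lands in `unknown` (a malformed hash, a domain that slipped into an IP-only feed) should be reviewed rather than discarded, since a feed entry that silently fails to parse is a detection gap.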
Overlaps
Source: Microsoft - August 2022
Detection (one case): 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
Source: Picussecurity - March 2022
Detection (one case): 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169
Source: Palo Alto Networks - September 2020
Detection (one case): a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.