Iranian hacking groups pick up the pace with new attacks

Researchers have uncovered a wave of new attacks and malware packages attributed to Iranian hacking operations.

Threat detection vendor Cybereason reported that the nation-state threat group known as Phosphorus (also known as Charming Kitten or APT35) has been aiming to infect research organizations outside of the nation’s borders with a particularly nasty backdoor and ransomware payload.

“Cybereason researchers recently discovered a new set of tools which were developed by the Phosphorus group and incorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor,” explained Cybereason researcher Daniel Frank in a blog post Tuesday.

“Our research also highlights a stealthy technique used by the group to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.”

Frank explained that by running inside a .NET application, the backdoor can operate without launching PowerShell.exe, a process start that many security monitoring tools would flag.
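From the defender's side, one way to catch this evasion is to watch which processes load the PowerShell engine assembly (System.Management.Automation.dll) rather than watching only for powershell.exe launches. The following is an added example, not Cybereason's or the article's code: it runs that check over constructed Sysmon Event ID 7 (image load) records flattened to one line each; the paths, PIDs and host allowlist are assumptions.

```python
import re
from typing import Dict, List

# Loading this DLL means the process is hosting the PowerShell engine.
# The optional ".ni" covers the native-image (ngen) copy of the assembly.
AUTOMATION_DLL = re.compile(
    r"(^|\\)System\.Management\.Automation(\.ni)?\.dll$", re.IGNORECASE
)

# Processes expected to host the engine. Tune this allowlist to the
# management tools that legitimately host PowerShell in your environment.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def parse_image_load(line: str) -> Dict[str, str]:
    """Parse a flattened 'Key=Value Key=Value' line; values may contain spaces."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_hosted_powershell(event: Dict[str, str]) -> bool:
    """True when a process outside the allowlist loads the PowerShell engine."""
    if not AUTOMATION_DLL.search(event.get("ImageLoaded", "")):
        return False
    return basename(event.get("Image", "")) not in EXPECTED_HOSTS


def find_hosted_powershell(lines: List[str]) -> List[Dict[str, str]]:
    """Return the image-load events worth triaging as hosted PowerShell."""
    return [e for e in map(parse_image_load, lines) if is_hosted_powershell(e)]


# Constructed sample events; paths and PIDs are made up for this example.
SAMPLE_EVENTS = [
    "EventID=7 ProcessId=4120 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll",
    "EventID=7 ProcessId=5288 Image=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll",
    "EventID=7 ProcessId=5288 Image=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll",
    "EventID=7 ProcessId=7012 Image=C:\\Program Files\\PowerShell\\7\\pwsh.exe ImageLoaded=C:\\Program Files\\PowerShell\\7\\System.Management.Automation.dll",
]

if __name__ == "__main__":
    for hit in find_hosted_powershell(SAMPLE_EVENTS):
        print(f"PowerShell engine hosted by {hit['Image']} (pid {hit['ProcessId']})")
```

Only the second event is reported: a .NET executable in a temp directory loaded the engine while the two real PowerShell hosts did not trip the rule. Script-block logging and AMSI still see the commands the hosted engine runs, so this image-load check complements rather than replaces them.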

Once the Phosphorus attackers are able to get into the target’s network and access what data they were after, a modified version of the Memento ransomware is deployed to lock up the victim’s systems and announce the presence of the attackers.

Cybereason told SearchSecurity that while the modified Memento ransomware is technically not a “wiper” infection in the mold of WannaCry, in this case it essentially serves the same purpose as the Phosphorus hackers do not include any ransom demand, payment instructions or offer for decryption.

According to Cybereason, the Phosphorus attackers are abusing the notorious ProxyShell vulnerability to gain a foothold on victim networks, so administrators should make sure their systems are up to date with patches for Microsoft Exchange Server.

Shortly before Cybereason dropped its report on Phosphorus, the team at Cisco Talos posted its own brief on a separate Iranian hacking operation, dubbed MuddyWater, that seems intent on making Turkish organizations sing the blues.

Cisco Talos researchers Asheer Malhotra and Vitor Ventura said that the attackers have been spreading their malware by masquerading infected PDF files as notices from the Turkish Health and Interior Ministries.

Once the malicious files are launched, they attempt to download other malware payloads, most notably remote shells that allow the attackers to pilfer intellectual property and espionage data from the targets before, again, rendering the target machines inoperable via ransomware.

While the threat from the MuddyWater attacks may be limited to organizations in Turkey for the time being, Malhotra and Ventura pointed out that the group’s latest campaign could indicate a growing sophistication and a threat to other Western countries.

“The fact that the threat actors have changed some of their methods of operation and tools is another sign of their adaptability and unwillingness to refrain themselves from attacking other nations,” they noted.