Symantec Corp. recently announced that it has uncovered extensive insights into a cyber espionage group responsible for a recent series of cyber-attacks. Since late September 2018, dozens of organizations have been hacked, including well-known multinationals, government agencies, telecommunications providers, and oil and gas firms. A new type of trojan malware, Seedworm (also known as MuddyWater or Zagros), gathers intelligence on targets located primarily across the Middle East as well as in Europe and North America.
Seedworm’s motivations are much like those of many other cyber espionage groups: it seeks actionable information about the organizations and individuals it targets. The group pursues this with a preference for speed and agility over operational security, which ultimately led to Symantec’s identification of its key operational infrastructure.
Symantec was able to follow Seedworm’s activity after the initial infection thanks to the vast telemetry it has access to via its Global Intelligence Network. Because of this unique visibility, analysts were able to trace what actions Seedworm took once inside a network. They found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, and escalating privileges, as well as use of the native Windows cabinet creation tool, makecab.exe, probably to compress stolen data before uploading it.
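The use of a built-in Windows utility such as makecab.exe for packaging data is something a defender can hunt for in process-creation telemetry. The following is an added example, not Symantec's tooling or anything from the report: it triages constructed Sysmon-style process events and flags makecab.exe when it is launched by a script host, touches user-writable paths, or is driven by a /F directive file (the way many files are packed at once). The event records, parent processes and paths are all constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Parents that should rarely need to drive makecab.exe directly (assumption for this example).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Locations a low-privileged user can write to; typical staging areas for collected data.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|temp|programdata)\\", re.IGNORECASE
)

# "/F <file.ddf>" hands makecab a directive file listing many inputs at once.
DIRECTIVE_FLAG = re.compile(r"(^|\s)/F(\s|$)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record in the style of Sysmon event ID 1."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str] = field(default_factory=list)


def assess(event: ProcessEvent) -> List[str]:
    """Return the reasons an event looks suspicious; an empty list means nothing to flag."""
    if ntpath.basename(event.image).lower() != "makecab.exe":
        return []
    reasons = []
    parent = ntpath.basename(event.parent_image).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    if USER_WRITABLE.search(event.command_line):
        reasons.append("reads from or writes to a user-writable path")
    if DIRECTIVE_FLAG.search(event.command_line):
        reasons.append("uses a /F directive file (bulk packaging)")
    return reasons


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Collect every event that produced at least one reason."""
    findings = []
    for event in events:
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event, reasons))
    return findings


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # Routine housekeeping: a system service compresses its own logs under C:\Windows.
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\makecab.exe",
        r"makecab.exe /D CompressionType=LZX C:\Windows\Logs\CBS\CbsPersist.log "
        r"C:\Windows\Logs\CBS\CbsPersist.cab",
    ),
    # Script-driven bulk packaging of files staged in a user's temp directory.
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\makecab.exe",
        r'makecab.exe /F "C:\Users\alice\AppData\Local\Temp\stage.ddf"',
    ),
    # Unrelated process, ignored by the hunt.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.event.command_line)
        for reason in finding.reasons:
            print("  -", reason)
```

Each reason is reported separately so an analyst can tune them individually: the servicing stack legitimately compresses logs with makecab.exe, so the script-host parent and user-writable path checks carry most of the signal, while the /F check mainly distinguishes one-off compression from packaging many files at once.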
Since as early as 2017, the group appears to have repeatedly updated its backdoor to evade detection and to thwart security researchers. Symantec’s research further reveals that Seedworm/MuddyWater relies on GitHub and a handful of publicly available tools, which it then customizes to carry out its work.
Symantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools and techniques.
Symantec has the following protections in place to help prevent attacks from Seedworm/MuddyWater:
File-based protection
- Powemuddy
Network-based protection
- System Infected: W97M.Downloader Activity 44
- Web Attack: Malicious Shell Script Download 4
- System Infected: Trojan.Backdoor Activity 243
By sharing threat intelligence, Cyber Threat Alliance (CTA) members are able to swiftly protect their customers against global threats.