In November 2021, an Iranian threat actor with a geopolitical focus was caught installing two new pieces of targeted malware with "basic" backdoor functionality as part of an intrusion against an unidentified Middle Eastern government agency. Mandiant, a cybersecurity firm, attributed the attack to an unnamed cluster it is tracking under the codename UNC3313, which it believes is linked to the MuddyWater state-sponsored group with "moderate confidence."
"UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," said researchers Ryan Tomcik, Emiel Haeghebaert, and Tufail Ahmed. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus."
According to US intelligence agencies, MuddyWater (also known as Static Kitten, Seedworm, TEMP.Zagros, or Mercury) is a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS). It has been active since at least 2018 and uses a variety of tools and techniques in its operations. The attacks began with spear-phishing emails to gain initial access, then relied on publicly available offensive security tools and remote access software to move laterally and maintain access to the environment.
The phishing emails duped multiple victims into clicking a URL that downloaded a RAR archive hosted on OneHub, which paved the way for installing ScreenConnect, a legitimate remote access program, to gain a foothold. The researchers stated that UNC3313 moved quickly to establish remote access, infiltrating systems via ScreenConnect within an hour of the initial compromise. The security incident was quickly contained and remediated.
The later phases of the attack involved escalating privileges, conducting internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads onto remote hosts. A previously unknown backdoor dubbed STARWHALE, a Windows Script File (.WSF) that executes commands received over HTTP from a hardcoded command-and-control (C2) server, was also discovered.
GRAMDOOR, another implant used in the attack, is named for its use of the Telegram API for network communications with the attacker-controlled server to evade detection, once again underlining the abuse of legitimate communication services to facilitate data exfiltration. The findings line up with a recent joint advisory from UK and US cybersecurity authorities accusing the MuddyWater group of espionage attacks aimed at the defense, local government, oil and gas, and telecommunications sectors worldwide.
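The behaviours described above (a .WSF run by Windows Script Host that talks to the network, encoded PowerShell launched under ScreenConnect, and a non-browser process reaching the Telegram API) translate into simple endpoint-telemetry heuristics. The following is an added example, not code from Mandiant or the report; the log field layout, the ScreenConnect process names and the sample events are all assumptions constructed for illustration.

```python
import re

# Constructed sample endpoint telemetry (not real data): process, parent, command line, network destination.
SAMPLE_EVENTS = [
    'proc=outlook.exe parent=explorer.exe cmd="outlook.exe" dst=-',
    'proc=wscript.exe parent=explorer.exe cmd="wscript.exe C:\\Users\\u\\Downloads\\report.wsf" dst=203.0.113.10:80',
    'proc=powershell.exe parent=ScreenConnect.ClientService.exe cmd="powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA" dst=-',
    'proc=chrome.exe parent=explorer.exe cmd="chrome.exe" dst=api.telegram.org:443',
    'proc=svchost.exe parent=services.exe cmd="svchost.exe -k netsvcs" dst=api.telegram.org:443',
]

EVENT_RE = re.compile(r'proc=(\S+) parent=(\S+) cmd="([^"]*)" dst=(\S+)')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".wsf", ".js", ".vbs")
# Processes for which Telegram API traffic is expected (browsers, desktop client)
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
# Assumed ScreenConnect client process names; adjust to the names seen in your own telemetry
REMOTE_ACCESS_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}

def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it does not match the assumed layout."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    proc, parent, cmd, dst = m.groups()
    return {"proc": proc.lower(), "parent": parent.lower(), "cmd": cmd, "dst": dst}

def classify(ev):
    """Return the names of the heuristics an event trips (empty list when nothing is suspicious)."""
    hits = []
    cmd_l = ev["cmd"].lower()
    has_net = ev["dst"] != "-"
    # STARWHALE-style: Windows Script Host executing a script file and making a network connection
    if ev["proc"] in SCRIPT_HOSTS and cmd_l.endswith(SCRIPT_EXTS) and has_net:
        hits.append("script_host_with_network")
    # Obfuscated (encoded) PowerShell spawned by a remote-access tool such as ScreenConnect
    if ev["proc"] == "powershell.exe" and re.search(r"\s-e(?:nc|ncodedcommand)?\b", cmd_l) \
            and ev["parent"] in REMOTE_ACCESS_PARENTS:
        hits.append("encoded_powershell_from_remote_access_tool")
    # GRAMDOOR-style: something other than a browser or the Telegram client contacting the Bot API
    if ev["dst"].startswith("api.telegram.org") and ev["proc"] not in EXPECTED_TELEGRAM_CLIENTS:
        hits.append("non_browser_telegram_api")
    return hits

def scan(lines):
    """Run every heuristic over a list of telemetry lines; returns (heuristic, process) pairs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend((h, ev["proc"]) for h in classify(ev))
    return findings
```

Each heuristic alone produces false positives (legitimate .wsf logon scripts, admins using ScreenConnect); treat a hit as a triage lead, and correlate with the RAR-from-OneHub download and ScreenConnect installation that preceded it in this intrusion.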