Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East

Threat Hunter Team, Symantec




The Iran-linked espionage group Seedworm (aka MuddyWater) has been highly active in recent months, attacking a wide range of targets, including a large number of government organizations in the Middle East.
Many of the organizations attacked by Seedworm in recent months have also been targeted by a recently discovered tool called PowGoop (Downloader.Covic), suggesting that it is a tool that Seedworm has incorporated into its arsenal. However, at present Symantec, a division of Broadcom (NASDAQ: AVGO), can only make a medium-confidence link between Seedworm and PowGoop.
The recent wave of Seedworm attacks was uncovered by Symantec’s Targeted Attack Cloud Analytics, which leverages advanced machine learning to spot patterns of activity associated with targeted attacks. The activity was reviewed by Symantec’s Threat Hunter team (part of Symantec’s Endpoint Security Complete offering), which linked it to previous Seedworm activity.
Among the things flagged by Cloud Analytics was a registry key called “SecurityHealthCore”. The code residing in this registry key is executed by PowerShell from a scheduled task. In all of the organizations where this registry key was found, a known Seedworm backdoor (Backdoor.Mori) was subsequently detected.
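As an added illustration (not code from the Symantec post), the following hunt runs over constructed Sysmon-style process-creation records and flags the pattern described above: PowerShell started by the Task Scheduler that reads code out of the registry and executes it, plus any direct reference to the “SecurityHealthCore” name. The hive path shown is a placeholder, because the post does not give it, and the Schedule-service parent check is an assumption about how scheduled tasks appear in telemetry.

```python
import re

# Constructed Sysmon EID 1-style records (not real telemetry); the registry
# path holding the key is not given in the post, so it is a placeholder.
SAMPLE_EVENTS = [
    {  # scheduled task launches PowerShell that reads registry-stored code and executes it
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -c "IEX (Get-ItemProperty HKLM:\SOFTWARE\PLACEHOLDER).SecurityHealthCore"',
    },
    {  # scheduled task running an ordinary maintenance script: no registry read, no IEX
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\cleanup.ps1",
    },
    {  # interactive admin reading a registry value: a read without execution, not from a task
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion",
    },
]

PS_IMAGE = re.compile(r"(powershell(_ise)?|pwsh)\.exe$", re.I)
FROM_TASK = re.compile(r"taskeng\.exe|-s Schedule\b", re.I)  # taskeng.exe or the Schedule svchost instance (assumption)
REG_READ = re.compile(r"Get-ItemProperty(Value)?|reg(\.exe)?\s+query|HK(LM|CU):|Registry::|\.GetValue\(", re.I)
EXECUTES = re.compile(r"\biex\b|Invoke-Expression|\[ScriptBlock\]::Create|-e(nc|ncodedcommand)?\b", re.I)
KNOWN_NAME = re.compile(r"SecurityHealthCore", re.I)  # registry key name reported in the post

def evaluate(ev):
    """Return the reasons this event is suspicious (an empty list means not flagged)."""
    cmd, reasons = ev.get("CommandLine", ""), []
    if not PS_IMAGE.search(ev.get("Image", "")):
        return reasons
    if KNOWN_NAME.search(cmd):
        reasons.append("references the SecurityHealthCore registry key (Seedworm indicator)")
    parent = ev.get("ParentImage", "") + " " + ev.get("ParentCommandLine", "")
    if FROM_TASK.search(parent) and REG_READ.search(cmd) and EXECUTES.search(cmd):
        reasons.append("scheduled task runs PowerShell that reads the registry and executes the content")
    return reasons

def hunt(events):
    """Evaluate every record and return (index, reasons) for those that were flagged."""
    return [(i, r) for i, ev in enumerate(events) if (r := evaluate(ev))]
```

Only the first record is flagged; the legitimate task and the interactive registry read fall through both checks.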
Attacks were uncovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia. In addition to some government entities, organizations in the telecoms and computer services sector were also targeted.
In one such victim, a sample of Backdoor.Mori was dropped and installed as early as December 2019 on a SQL server. Seedworm activity continued until at least July 2020, with the installation of additional hacking tools by the attackers.

Table 1. Backdoor.Mori samples used by Seedworm in one organization
File SHA2 | File path | Filename | Parent file SHA2 | Description
fd0b8a09f02319f6127f5d17e3070 ..