Iranian Hacking Group Suspected of Deploying Ransomware
ClearSky: 'MuddyWater' APT Linked to Attacks Targeting Israel, Others
A hacking group with links to Iran's government is suspected of using ransomware in attempts to damage the systems of organizations in Israel and other countries, the security firm ClearSky reports.
"MuddyWater," an advanced persistent threat group that has been operating since at least 2017, is suspected of using a strain of ransomware called Thanos in several campaigns since September, according to ClearSky, which is based in Israel. The group is also tracked as TEMP.Zagros, Static Kitten, Mercury and Seedworm.
"We assess that the group is attempting to employ destructive attacks," according to the ClearSky report. "Although we didn’t see the execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor and the realization of this vector in the past, a destructive purpose is more likely than ransomware that is being deployed for financial goals."
ClearSky notes the attacks on Israeli organizations are part of a wider campaign that is active across several nations. All these attacks were stopped before they could cause any damage, the researchers say.
Security experts and government agencies have noted that some Iranian-linked groups are attempting to add ransomware to their toolsets.
In September, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued an alert about another suspected Iranian hacking group that was exploiting known vulnerabilities in VPN and other network edge products to gain initial access and then stage further attacks. "The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks," according to the alert (see: Iranian Hackers Exploiting Unpatched Vulnerabilities).
The latest MuddyWater campaign appears to be using a malicious loader named PowGoop - a fake Google Update mechanism - to help deliver the ransomware, according to the ClearSky report.
This is done in two ways. One involves sending a phishing email that contains an attached malicious PDF or Excel document. If the attachment is opened, malicious code is deployed that connects to a command-and-control server and attempts to download the PowGoop loader, according to the report.
In the second method, the hacking group attempts to exploit a vulnerability in Microsoft Exchange Server known as CVE-2020-0688 - a remote code execution flaw in the Exchange Control Panel that Microsoft patched in February 2020 - to compromise the server and then download the PowGoop loader (see: Thousands of Exchange Servers Still Lack Critical Patch).
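The Exchange vector is the one defenders can check for in their own logs. CVE-2020-0688 is abused by an authenticated user handing a forged ASP.NET ViewState to the Exchange Control Panel, and legitimate ViewState travels in a POST body rather than the URL, so a __VIEWSTATE parameter in the query string of any /ecp/ request is a strong signal. The following scanner is an added example written for this article, not code from ClearSky, Unit 42 or Microsoft; the IIS log lines it parses are constructed for the example (the host names, user names, addresses and the ViewState value are made up), and the only assumption is the standard IIS W3C Extended Log Format with a #Fields directive.

```python
"""Scan IIS W3C logs for the CVE-2020-0688 request pattern.

The bug lets an authenticated user feed a forged __VIEWSTATE to the
Exchange Control Panel (/ecp/). Legitimate ASP.NET ViewState travels in a
POST body, so a __VIEWSTATE parameter in the *query string* of an /ecp/
request is worth a look. The log below is constructed for this example.
"""
from urllib.parse import parse_qs

# Constructed sample in IIS Extended Log Format (not real traffic); only the
# third request line carries __VIEWSTATE in its query string.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-10-01 10:15:22 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 200
2020-10-01 10:15:40 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 200
2020-10-01 10:16:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%3D 443 CONTOSO\\bob 203.0.113.9 python-requests/2.24 500
2020-10-01 10:16:30 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa%2F 443 - 198.51.100.4 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    IIS separates fields with single spaces and replaces spaces inside a value
    with '+', so a plain split() is column-safe.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skipping beats mis-aligning columns
        yield dict(zip(fields, values))


def has_viewstate_in_query(rec):
    """True when an /ecp/ request carries __VIEWSTATE in its query string."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names


def find_suspects(text):
    """Return the matching records, each with a short reason attached."""
    hits = []
    for rec in parse_iis_log(text):
        if has_viewstate_in_query(rec):
            rec["reason"] = "ViewState supplied via query string to %s %s" % (
                rec["cs-method"], rec["cs-uri-stem"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-username"],
              hit["sc-status"], "-", hit["reason"])
```

Because the flaw requires a valid mailbox account, the cs-username column of a hit tells you which credentials the attacker already held, which is usually the more urgent finding than the exploit attempt itself. A 500 status on the hit is common but not required; do not filter on it.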
The ClearSky report notes that there are code similarities between the PowGoop loader and other malware, such as MoriAgent, that MuddyWater has deployed. The command-and-control infrastructure in the latest attempted attacks also resembles that of previous MuddyWater campaigns.
The PowGoop loader has previously been linked to a ransomware strain called Thanos, which Palo Alto Networks' Unit 42 described in a September report. That analysis notes the ransomware was used against two targets in Africa and the Middle East earlier this year, but it did not attribute these incidents to any particular group.
The Unit 42 report notes that Thanos can be configured to overwrite the master boot record of a device - the first sector of the disk, which holds the boot code and partition table. A machine whose MBR has been overwritten cannot load its operating system at all, so recovery means repairing the disk before any encrypted files can even be reached, which is what makes this configuration closer to a wiper than to ordinary ransomware.
"Overwriting the [master boot record] is a more destructive approach to ransomware than usual. Victims would have to expend more effort to recover their files - even if they paid the ransom," according to the Unit 42 report.
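Because an MBR overwrite leaves a machine unbootable whatever happens to the files, a cheap tripwire is to record the first sector of each system disk while it is known good and compare the live sector against that baseline. The following integrity check is an added example written for this article, not code from Unit 42 or ClearSky, and it does not model Thanos itself; it relies only on the standard MBR layout (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature), and the "clean" and "overwritten" sectors it checks are constructed in the block.

```python
"""Integrity check for a disk's master boot record (MBR).

Layout of the 512-byte MBR (standard, not specific to any malware):
  bytes 0..445   boot code
  bytes 446..509 four 16-byte partition entries
  bytes 510..511 boot signature 0x55 0xAA
A wiper that overwrites this sector leaves the machine unable to boot
regardless of whether files elsewhere are encrypted, so comparing the
live sector against a recorded baseline is a cheap tripwire.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR (used here to construct sample sectors)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, start_lba, count = partitions[i]
            sector += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                  b"\0\0\0", ptype, b"\0\0\0", start_lba, count)
        else:
            sector += bytes(16)
    sector += BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return boot-code hash, non-empty partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, start_lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype != 0:
            parts.append((status == 0x80, ptype, start_lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector, baseline):
    """Compare a live sector with a baseline produced by parse_mbr(); return findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device_path):
    """Read the first sector of a raw device, e.g. r'\\\\.\\PhysicalDrive0' (admin) or '/dev/sda' (root)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


# Constructed sample data: a plausible-looking clean MBR (a few real-mode
# instruction bytes plus NOP padding, two NTFS-typed partitions) and the same
# sector after being overwritten with unrelated bytes, signature included.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40,
                      [(True, 0x07, 2048, 1024000), (False, 0x07, 1026048, 200000)])
BASELINE = parse_mbr(CLEAN_MBR)
OVERWRITTEN_MBR = (b"constructed overwrite " * 24)[:SECTOR_SIZE]

if __name__ == "__main__":
    print("clean:      ", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("overwritten:", check_mbr(OVERWRITTEN_MBR, BASELINE))
```

Store the baseline dictionary somewhere the host cannot alter it (a configuration management database or a write-once log), and treat a changed boot-code hash as urgent even when the partition table is intact: a bootkit replaces the code and leaves the table alone, while a wiper typically destroys both.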
The ClearSky report notes that MuddyWater is primarily known for stealth and espionage campaigns, so the use of ransomware is unusual and could represent an evolution of the group's mission.
"It is possible that due to the advancing confrontation with Israel, and simply developments of attack methods over time, that the group had undergone an organizational/strategic evolution (or simply received new instructions) into destructive attacks," according to the report.
MuddyWater uses spear-phishing techniques to target its victims, which include government agencies, military institutions, telecommunications companies and universities throughout the Middle East, Europe and the U.S., according to a previous analysis by Kaspersky Lab.
Microsoft, which calls the group Mercury, reports that the hackers are attempting to exploit a vulnerability known as "Zerologon" - CVE-2020-1472, a critical privilege escalation flaw in the Netlogon protocol of Windows Server that lets an unauthenticated attacker on the network take over a domain controller (see: Iranian Hackers Exploiting 'Zerologon' Flaw).