Espionage Hacking Campaign Is Targeting Telecom Operators
Middle Eastern and Asian Telecommunications and IT Service Companies Are Being Targeted.
A fresh espionage hacking effort targeting Middle Eastern and Asian telecommunications and IT service companies was recently discovered.
The operation has been running for six months, and it may have connections to the Iranian-backed actor MERCURY (aka MuddyWater, SeedWorm, or TEMP.Zagros).
Symantec’s Threat Hunter Team compiled the report after collecting evidence and toolkit samples from recent assaults in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos.
Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the attackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater) group. The targeting and tactics are consistent with Iranian-sponsored actors.
Ads thoroughly reported by BleepingComputer, the attackers appear to be interested in vulnerable Exchange Servers, which they employ to deploy web shells.
They grab account credentials and migrate laterally in the business network after the first intrusion. In certain situations, they use their footing to pivot to other groups with whom they are affiliated.
Despite the fact that the infection vector is unclear, Symantec discovered a case of a ZIP file entitled “Special discount program.zip” that included an installation for a remote desktop software application.
As a result, the threat actors might be sending spear-phishing emails to specified targets.
The first indicator of a threat actor’s intrusion is the creation of a Windows service to start a Windows Script File (WSF) that does network reconnaissance, and after PowerShell is used to download more WSFs, and Certutil is used to download tunneling tools and run WMI queries.
Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools. However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.
The attackers then used a remote access tool, believed to be eHorus, to perform the following tasks:
- Deliver and run a suspected Local Security Authority Subsystem Service (LSASS) dumping tool
- Deliver what are believed to be Ligolo tunneling tools
- Execute Certutil to request a URL from Exchange Web Services (EWS) of what appears to be other targeted organizations
One feature of this attack against a telecoms organization is that the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations, another telecoms operator, and an electronic equipment company in the same region.
The researchers at Symantec noticed two IP addresses overlapping with the infrastructure used in older MuddyWater attacks.