Cybereason identifies malware variants used in Iranian cyber attacks

Cybereason identifies malware variants used in Iranian cyber attacks (Credit: Cybereason)

Cybereason identifies malware variants used in Iranian cyber attacks

Technology company Cybereason has identified new malware variants that have previously been used in cyberespionage operations.

The unidentified malware variants were leveraged in two separate Iranian state-sponsored cyberespionage operations targeting a wide range of organisations in multiple global regions.

One of the malicious operations is deploying ransomware against targets following data exfiltration in order to inflict damage to systems as well as to hamper forensic investigations. The other showed a connection to the recently documented Memento ransomware.

The research by Cybereason follows the U.S. Cyber Command’s Cyber National Mission Force (CNMF) regarding multiple open-source tools being abused by Iranian threat actors, with Cybereason researchers having similarly observed open-source tools abused in both of the Iranian attack campaigns investigated.

Cybereason researchers discovered a previously undocumented remote access trojan (RAT) dubbed StrifeWater that the company attributes to Iranian threat actor Moses Staff. This APT has been observed targeting organisations in the US, Israel, India, Germany, Italy, United Arab Emirates, Chile and Turkey in order to further the geopolitical goals of the Iranian regime. After infiltrating an organisation and exfiltrating sensitive data, the attackers deploy destructive ransomware to cause operational disruptions and make the task of forensic investigation more difficult.

Cybereason researchers also discovered a new set of tools developed by the Phosphorus group (AKA Charming Kitten, APT35) that includes a novel PowerShell-based backdoor dubbed PowerLess. Cybereason further observed an IP address used in the attacks that was previously identified as part of the command and control (C2) for the recently documented Memento ransomware. Phosphorus is known for attacking medical and academic research organizations, human rights activists, the media sector, for exploiting known Microsoft Exchange Server vulnerabilities and for attempting to interfere with US elections.

Lior Div, Cybereason co-founder and CEO, said: “These campaigns highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks.

“For defenders in the private sector, there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations. That’s why it is crucial for us as defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats.”