• Home
  • Advertising
    • Why Advertise
    • Create Your Campaign
  • About
    • About Security on Screen
    • Privacy Policy
  • Webinars
  • Social Wall
  • Contact Us
Wednesday, August 17, 2022
No Result
View All Result
  • Login
  • Register

No products in the basket.

Submit News
Submit video
  • Create Your Campaign
  • Product Groups
    • Access Control
    • Biometrics
    • Physical Security
    • Smart City
    • Surveillance
    • Systems Integration
  • Cyber-Security
  • Industry sectors
    • Banking
    • Casinos
    • City Surveillance
    • Data Centres
    • Government
    • Healthcare
    • Leisure
    • Manufacturing
    • Retail
    • Schools and Campus Security
    • Transport
    • Utilities
  • Business News
    • New Technology
    • Opinion
    • People
    • Education & Events
  • Create Your Campaign
  • Product Groups
    • Access Control
    • Biometrics
    • Physical Security
    • Smart City
    • Surveillance
    • Systems Integration
  • Cyber-Security
  • Industry sectors
    • Banking
    • Casinos
    • City Surveillance
    • Data Centres
    • Government
    • Healthcare
    • Leisure
    • Manufacturing
    • Retail
    • Schools and Campus Security
    • Transport
    • Utilities
  • Business News
    • New Technology
    • Opinion
    • People
    • Education & Events
No Result
View All Result
No Result
View All Result

Cybereason identifies new malware variants used in global Iranian espionage campaigns

by Zoe Deighton Smythe
01/02/2022
in Cyber Security, PRESS RELEASE
Cybereason identifies new malware variants used in global Iranian espionage campaigns

Cybereason has discovered previously unidentified malware variants being leveraged in two separate Iranian state-sponsored cyberespionage operations targeting a wide range of organisations in multiple global regions. One of the malicious operations is deploying ransomware against targets following data exfiltration in order to inflict damage to systems as well as to hamper forensic investigations, and the other showed a connection to the recently documented Memento ransomware.

This research closely follows an announcement by U.S. Cyber Command’s Cyber National Mission Force (CNMF) regarding multiple open-source tools being abused by Iranian threat actors, with Cybereason researchers having similarly observed open-source tools abused in both of the Iranian attack campaigns investigated.

The StrifeWater RAT Report

Cybereason researchers discovered a previously undocumented remote access trojan (RAT) dubbed StrifeWater that the company attributes to Iranian threat actor Moses Staff. This APT has been observed targeting organisations in the US, Israel, India, Germany, Italy, United Arab Emirates, Chile and Turkey in order to further the geopolitical goals of the Iranian regime. After infiltrating an organisation and exfiltrating sensitive data, the attackers deploy destructive ransomware to cause operational disruptions and make the task of forensic investigation more difficult.

Key Findings

  • Novel Remote Access Trojan (RAT): The previously undocumented StrifeWater RAT is used in the initial phase of infection and is later replaced with other tools, a tactic likely used to allow the malware to remain undiscovered until now.
  • Various Functionality: The StrifeWater RAT capabilities include: listing system files, executing system commands, taking screen captures, creating persistence and downloading updates and auxiliary modules.
  • State-Sponsored Ransomware: Moses Staff employs ransomware post-exfiltration–not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran’s geopolitical goals.
  • Full Report: StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations

The PowerLess Backdoor Report

Cybereason researchers discovered a new set of tools developed by the Phosphorus group (AKA Charming Kitten, APT35) that includes a novel PowerShell-based backdoor dubbed PowerLess. Cybereason also observed an IP address used in the attacks that was previously identified as part of the command and control (C2) for the recently documented Memento ransomware. Phosphorus is known for attacking medical and academic research organisations, human rights activists, the media sector, for exploiting known Microsoft Exchange Server vulnerabilities and for attempting to interfere with US elections.

Key Findings

  • Novel PowerShell Backdoor: The previously undocumented backdoor PowerLess includes additional payloads including a keylogger and an info stealer.
  • Evasive PowerShell Execution: The PowerShell code runs in the context of a .NET application so it does not launch “powershell.exe” which enables it to evade security products.
  • Modular Malware: The toolset analysed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.
  • Shared IOCs with Memento Ransomware: One of the IP addresses serves a domain which is being used as command and control (C2) for the recently discovered Memento Ransomware.
  • Use of Publicly Available Exploits: The Phosphorus Group has been observed exploiting vulnerabilities in Microsoft Exchange (ProxyShell) and Log4j (Log4Shell).
  • Full Report: PowerLess Trojan: Iranian APT Phosphorus Adds Novel PowerShell Backdoor for Espionage

“These campaigns highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks,” said Cybereason co-founder and CEO Lior Div. “For Defenders, there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations. That’s why it is crucial for us as Defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats.”

Tags: CybereasonespionageIranMalware
ShareTweetShare

Related Posts

KnowBe4 launches resource kit to help defend against surging “Human Layer” attacks
Cyber Security

KnowBe4 launches resource kit to help defend against surging “Human Layer” attacks

New UK maritime security strategy to target latest physical and cyber threats
Cyber Security

New UK maritime security strategy to target latest physical and cyber threats

barox Ethernet PoE switches approved to power Redvision X4 COMMANDER PTZ camera
New Technology

barox Ethernet PoE switches approved to power Redvision X4 COMMANDER PTZ camera

Nominations open for Security Serious Unsung Heroes Awards 2022
Cyber Security

Nominations open for Security Serious Unsung Heroes Awards 2022

Feedzai and Lloyds Banking Group recognised as a Aite-Novarica Group 2022 Fraud Impact Award Winner 
Banking

Feedzai and Lloyds Banking Group recognised as a Aite-Novarica Group 2022 Fraud Impact Award Winner 

Altronix Trove expansion
Access Control

Altronix expands Trove Access and Power Integration Solutions

Load More

The Tannery, 3a John Street, Tunbridge Wells,
Kent TN4 9RU
All enquiries: +44 (0)1892 525141

  • Home
  • Advertising
  • About
  • Webinars
  • Social Wall
  • Contact Us
No Result
View All Result
  • Login
  • Sign Up
  • Cart
  • Home
  • Why Advertise
  • Create Your Campaign
  • About Security on Screen
    • Privacy Policy
  • Webinars
  • Social Wall
  • Contact Us
  • Business News
    • New Technology
    • Opinion
    • People
    • Education & Events
  • Product Groups
    • Access Control
    • Biometrics
    • Cyber Security
    • Physical Security
    • Smart City
    • Surveillance
    • Systems Integration
  • Industry Sectors
    • Banking
    • Casinos
    • City Surveillance
    • Data Centres
    • Government
    • Healthcare
    • Leisure
    • Manufacturing
    • Retail
    • Schools and Campus Security
    • Transport
    • Utilities

© 2020 SecurityOnScreen.com

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

*By registering into our website, you agree to the Terms & Conditions and Privacy Policy.
All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.