
Iranian Hackers Use New C2 Tool 'DarkBeatC2' in Recent Operation

MuddyWater, an Iranian threat actor, has used a novel command-and-control (C2) infrastructure known as DarkBeatC2 in its most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

In a recent technical study, Deep Instinct security researcher Simon Kenin stated that, despite periodic modifications in remote administration tools or changes in C2 frameworks, MuddyWater's strategies consistently follow a pattern.

MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is linked to Iran's Ministry of Intelligence and Security (MOIS) and has been operational since at least 2017. The group orchestrates spear-phishing attacks, which result in the installation of authorised Remote Monitoring and Management (RMM) solutions on compromised systems.

Prior intelligence from Microsoft connects the group to another Iranian threat cluster known as Storm-1084 (also known as DarkBit), which has been involved in devastating wiper assaults against Israeli entities.

The latest attack, which Proofpoint revealed last month, starts off with spear-phishing emails sent from compromised accounts. These emails include links or attachments hosted on services such as Egnyte, which facilitate the distribution of the Atera Agent software.

One of the URLs used is "kinneretacil.egnyte[.]com," with the subdomain "kinneretacil" referring to "kinneret.ac.il," an Israeli educational institution. 

Lord Nemesis (also known as Nemesis Kitten or TunnelVision) targeted a Rashim customer's supply chain. Lord Nemesis, who is accused of orchestrating operations against Israel, is employed by Najee Technology, a private contracting company linked to Iran's Islamic Revolutionary Guard Corps (IRGC). 

Kenin underlined the possible consequences of Rashim's breach, claiming that Lord Nemesis might have exploited the compromised email system to target Rashim's customers, giving the phishing emails a veneer of authenticity.

Although solid proof is missing, the timing and context of events indicate a possible coordination between the IRGC and MOIS to cause serious harm to Israeli entities.

Notably, the attacks leverage a collection of domains and IP addresses known as DarkBeatC2 to manage compromised endpoints. This is done using PowerShell code that establishes communication with the C2 server after initial access.

According to independent research by Palo Alto Networks Unit 42, MuddyWater used the Windows Registry's AutodialDLL entry to sideload a malicious DLL and make connections with DarkBeatC2 domains.

This method entails creating persistence via a scheduled task that uses PowerShell to exploit the AutodialDLL registry entry and load the DLL for the C2 framework. MuddyWater's other approaches include sending a first-stage payload via spear-phishing emails and using DLL side-loading to execute malicious libraries. 

Upon successful communication, the infected machine receives PowerShell responses and downloads two further PowerShell scripts from the server. One script reads the contents of a file called "C:\ProgramData\SysInt.log" and sends them to the C2 server via an HTTP POST request, while the second script polls the server on a regular basis for new payloads. The particular nature of the subsequent payload is unknown, but Kenin emphasised that PowerShell remains critical to MuddyWater's operations.
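The persistence pattern described above (an AutodialDLL registry entry pointing at an attacker DLL, a scheduled task that launches PowerShell, and a staging file under C:\ProgramData) can be checked on a host with a short hunt script. The following is an added example written for this page; it is not code from Deep Instinct, Unit 42 or the blog. The registry path and the default value rasadhlp.dll are assumptions about a standard Windows install and should be confirmed against a known-good baseline; the SysInt.log path comes from the post.

```powershell
# Added example: host checks for the DarkBeatC2-style persistence described above.
# Run in an elevated PowerShell session; every finding still needs analyst review.

# Assumption: AutodialDLL lives under the WinSock2 parameters key and points at
# rasadhlp.dll on a clean system. Baseline this on a known-good host first.
$autodialKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$expectedAutodial = 'rasadhlp.dll'

function Test-AutodialDll {
    $value = (Get-ItemProperty -Path $autodialKey -Name 'AutodialDLL' -ErrorAction SilentlyContinue).AutodialDLL
    if (-not $value) {
        return [pscustomobject]@{ Check = 'AutodialDLL'; Suspicious = $false; Detail = 'value absent' }
    }
    # Compare only the file name so a full path to the expected DLL is not flagged.
    $leaf = [System.IO.Path]::GetFileName($value)
    [pscustomobject]@{
        Check      = 'AutodialDLL'
        Suspicious = ($leaf -ine $expectedAutodial)
        Detail     = $value
    }
}

# The post says persistence is anchored in a scheduled task that runs PowerShell.
# List every task whose action launches PowerShell so the arguments can be reviewed;
# legitimate admin tasks also do this, so these are leads, not verdicts.
function Get-PowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; skip them.
            if ($action.Execute -and $action.Execute -imatch 'powershell|pwsh') {
                [pscustomobject]@{
                    Check      = 'ScheduledTask'
                    Suspicious = $true
                    Detail     = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

# Staging file read by the second-stage script (path taken from the post).
function Test-StagingFile {
    $path = 'C:\ProgramData\SysInt.log'
    [pscustomobject]@{
        Check      = 'StagingFile'
        Suspicious = (Test-Path -LiteralPath $path)
        Detail     = $path
    }
}

$findings = @(Test-AutodialDll) + @(Get-PowerShellTasks) + @(Test-StagingFile)
$findings | Format-Table -AutoSize
```

The AutodialDLL check compares only the file name, so an entry that spells out the full path to the default DLL is not flagged, while any other DLL name is. The scheduled-task listing deliberately marks every PowerShell-launching task for review rather than trying to decide on its own, because the post gives no task name or argument pattern to match on.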

Hackers Employ Malicious PDF Files To Kickstart Infection Chain

Fine wine is a cultural trait that Europeans are renowned for, but attackers behind a recent threat campaign have exploited this to their advantage. By luring European Union (EU) diplomats with a fake wine-tasting event, the cyber operation aimed to deliver a unique backdoor.

In a blog post published on February 27, researchers at Zscaler's ThreatLabz reported that they had found the campaign, which especially targeted officials from EU nations with diplomatic posts in India. The actor, dubbed "SpikedWine," used a PDF file in emails that pretended to be an invitation letter from India's embassy, inviting diplomats to a wine-tasting event on February 2. 

"We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack," Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay explained in the post.

The campaign's payload is a backdoor known as "WineLoader," which has a modular design and uses tactics designed to avoid detection. These include re-encryption and zeroing out memory buffers, which serve to safeguard sensitive data in memory while evading memory forensics tools, the researchers stated. 

SpikedWine employed compromised websites for command-and-control (C2) at different phases of the attack chain, which started with a victim clicking on a link in the PDF and ended with the modular distribution of WineLoader. Overall, the cyber attackers exhibited a high degree of expertise, both in the creative design of the socially engineered campaign and in the delivery of the malware. 

Zscaler ThreatLabz found the PDF file, which was uploaded to VirusTotal from Latvia on January 30. The attackers meticulously built the contents to imitate India's ambassador, and the invitation contains a malicious link to a false questionnaire that must be completed in order to participate. 

Clicking on the link takes users to a hacked site where they can download a zip archive containing a file named "wine.hta." The downloaded file contains obfuscated JavaScript code that triggers the next stage of the attack. 

Eventually, the file runs sqlwriter.exe from the directory C:\Windows\Tasks\ to initiate the WineLoader backdoor infection chain by loading a malicious DLL called vcruntime140.dll. This, in turn, calls an exported method set_se_translator, which decrypts the embedded WineLoader core module within the DLL using a hardcoded 256-byte RC4 key before running it. 
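The infection chain above leaves two file-system artifacts a defender can look for: an sqlwriter.exe copy in C:\Windows\Tasks\ (the genuine binary ships with SQL Server, not there) and a vcruntime140.dll beside it that is not the signed Microsoft runtime. The script below is an added example written for this page, not Zscaler's code or the blog's; the paths come from the post, and the assumption that a legitimate vcruntime140.dll carries a valid Authenticode signature is mine.

```powershell
# Added example: look for the WineLoader side-loading artifacts described above.
# Run elevated so process paths and file metadata are readable.

$taskDir = 'C:\Windows\Tasks'   # a stray sqlwriter.exe here is itself a finding

function Get-SideloadArtifacts {
    param([string]$Directory = $taskDir)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.hta' } |
        ForEach-Object {
            # Assumption: the real vcruntime140.dll is Microsoft-signed; an unsigned or
            # foreign-signed copy next to sqlwriter.exe is the pairing the post describes.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Size       = $_.Length
                Created    = $_.CreationTime
                Signature  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Suspicious = ($sig.Status -ne 'Valid') -or ($_.Name -ieq 'sqlwriter.exe')
            }
        }
}

# Running sqlwriter.exe started from C:\Windows\Tasks rather than a SQL Server directory.
function Get-StraySqlWriterProcesses {
    Get-Process -Name 'sqlwriter' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -ilike "$taskDir\*" } |
        Select-Object Id, Path, StartTime
}

Get-SideloadArtifacts          | Format-Table -AutoSize
Get-StraySqlWriterProcesses    | Format-Table -AutoSize
```

Even a validly signed sqlwriter.exe is flagged, because its location rather than its signature is what is wrong; the DLL check relies on the signature status instead, since the post describes the loader as a renamed malicious library rather than a tampered Microsoft file.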

Protection and detection 

Zscaler ThreatLabz warned contacts at India's National Informatics Centre (NIC) about the attack's usage of Indian official themes. 

The C2 server used in the assault only replies to specific types of queries at specific times, so automated analysis systems cannot acquire C2 responses and modular payloads for detection and analysis, according to the researchers. To assist defenders, they offered a list of indicators of compromise (IoCs) and URLs related to the attack in their blog post.

A multilayered cloud security platform should detect IoCs linked to WineLoader at multiple levels, including any files containing the threat name Win64.Downloader.WineLoader, the researchers concluded.