top of page

Cybereason identifies new malware variants used in global Iranian espionage campaigns

Newly discovered StrifeWater RAT and PowerLess Backdoor highlight recent uptick in Iranian cyber offensive operations

BIGSTOCK/Copyright: karenroach
BIGSTOCK/Copyright: karenroach

XDR firm Cybereason published two new reports on Tuesday, in which it reviews previously unidentified malware variants being leveraged in two separate Iranian state-sponsored cyberespionage operations, which target a wide range of organizations in multiple global regions.

Deconstructive ransomware that causes operational disruptions

The first report addresses the discovery of a previously undocumented remote access trojan (RAT), which they dubbed StrifeWater and attributed to Moses Staff, a threat group considered to be Iranian or linked to Iran.

“Moses Staff has been observed targeting organizations in the US, Israel, India, Germany, Italy, United Arab Emirates, Chile and Turkey in order to further the geopolitical goals of the Iranian regime,” write the company’s Nocturnus Team cybersecurity researchers.

“After infiltrating an organization and exfiltrating sensitive data, the attackers deploy destructive ransomware to cause operational disruptions and make the task of forensic investigation more difficult.”

The StrifeWater RAT capabilities include listing system files, executing system commands, taking screen captures, creating persistence and downloading updates and auxiliary modules.

The researchers believe that Moses Staff employs ransomware post-exfiltration–not for financial gain, but to disrupt operations, obfuscate espionage activity, and to inflict damage to systems to advance Iran’s geopolitical goals. This is the same conclusion that Check Point researchers have reached in late 2021.

The blurred line between nation-state and cybercrime threat actors

The second report has to do with the prolific Phosphorus threat group (other names include Charming Kitten, Newcaster, Magic Hound and APT35). The Nocturnus team discovered a new set of tools they believe were developed by the group, including a novel PowerShell-based backdoor dubbed PowerLess.

Cybereason also observed an IP address used in the attacks that was previously identified as part of the command and control (C2) for the recently documented Memento ransomware.

Phosphorus is known for attacking medical and academic research organizations, human rights activists, the media sector, for exploiting known Microsoft Exchange Server vulnerabilities and for attempting to interfere with US elections. It has been observed exploiting vulnerabilities in Microsoft Exchange (ProxyShell) and Log4j (Log4Shell).

“These campaigns highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks,” said Cybereason co-founder and CEO, Lior Div.

Lior Div, photo courtesy Cybereason
Lior Div, photo courtesy Cybereason

“For Defenders, there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations. That’s why it is crucial for us as Defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats.”

Cybereason’s research closely follows an announcement by U.S. Cyber Command’s Cyber National Mission Force (CNMF) regarding multiple open-source tools being abused by Iranian threat actors. The Nocturnus team has similarly observed those tools abused in both of the Iranian attack campaigns investigated.

Cybereason will participate in Cybertech Global Tel Aviv, which will be held (in person!) between March 1–3, 2022. For additional information, please visit the event's official website.

53 views0 comments
bottom of page