Security News > 2020 > October > Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies

According to recent reports from ClearSky and Symantec, MuddyWater recently added to its arsenal a downloader called PowGoop, which earlier this year was used in attacks employing the Thanos ransomware against an organization in the Middle East.

"While we cannot confirm the connection, we believe the actors deploying the Thanos ransomware at the Middle Eastern state-run organization also used a downloader that we call PowGoop. The actors would use the PowGoop downloader to reach out to a remote server to download and execute additional PowerShell scripts," Palo Alto Networks noted in a September 4 report.

"On the same machine where Seedworm was active, a tool known as PowGoop was deployed. This same tool was also deployed against several of the organizations attacked by Seedworm in recent months," Symantec says.

Symantec's analysis revealed the use of the Remadmin remote code execution tool to deploy PowGoop, and also led to the identification of artefacts suggesting that PowGoop was masquerading as a Google tool and noticed the use of SSF and Chisel.

"Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop. This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos," Symantec says.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/8JxcZWzGsc4/destructive-malware-spotted-recent-attacks-launched-iranian-cyberspies