Security News > 2022 > February > Iranian Hackers Using New Spying Malware That Abuses Telegram Messenger API
An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with "Simple" backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021.
The attacks are said to have been orchestrated via spear-phishing messages to gain initial access, followed by taking advantage of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment.
"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers noted, adding the security incident was quickly contained and remediated.
Subsequent phases of the attack involved escalating privileges, carrying out internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads on remote systems.
Also observed was a previously undocumented backdoor called STARWHALE, a Windows Script File that executes commands received commands from a hardcoded command-and-control server via HTTP. Another implant delivered during the course of the attack is GRAMDOOR, so named owing to its use of the Telegram API for its network communications with the attacker-controlled server in a bid to evade detection, once again highlighting the use of communication tools for facilitating exfiltration of data.
The findings also coincide with a new joint advisory from cybersecurity agencies from the U.K. and the U.S., accusing the MuddyWater group of espionage attacks targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.
News URL
https://thehackernews.com/2022/02/iranian-hackers-using-new-spying.html
Related news
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram (source)
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)
- Unpatched Mazda Connect bugs let hackers install persistent malware (source)
- North Korean Hackers Target macOS Using Flutter-Embedded Malware (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Chinese hackers target Linux with new WolfsBane malware (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)