Security News > 2022 > February > Iranian Hackers Using New Spying Malware That Abuses Telegram Messenger API
An Iranian geopolitical nexus threat actor has been uncovered deploying two new targeted malware that come with "Simple" backdoor functionalities as part of an intrusion against an unnamed Middle East government entity in November 2021.
The attacks are said to have been orchestrated via spear-phishing messages to gain initial access, followed by taking advantage of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment.
"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers noted, adding the security incident was quickly contained and remediated.
Subsequent phases of the attack involved escalating privileges, carrying out internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download additional tools and payloads on remote systems.
Also observed was a previously undocumented backdoor called STARWHALE, a Windows Script File that executes commands received commands from a hardcoded command-and-control server via HTTP. Another implant delivered during the course of the attack is GRAMDOOR, so named owing to its use of the Telegram API for its network communications with the attacker-controlled server in a bid to evade detection, once again highlighting the use of communication tools for facilitating exfiltration of data.
The findings also coincide with a new joint advisory from cybersecurity agencies from the U.K. and the U.S., accusing the MuddyWater group of espionage attacks targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.
News URL
https://thehackernews.com/2022/02/iranian-hackers-using-new-spying.html
Related news
- Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications (source)
- Iranian hackers pose as journalists to push backdoor malware (source)
- China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations (source)
- Vietnam-Based Hackers Steal Financial Data Across Asia with Malware (source)
- Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- Hackers hijack antivirus updates to drop GuptiMiner malware (source)
- North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms (source)
- North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign (source)
- Russian hackers use new Lunar malware to breach a European govt's agencies (source)