“The inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk,” Rapid7 notes.

Additionally, the infrastructure used in the attack was previously linked to MuddyWater, an APT also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, and officially linked by the US to the Iranian Ministry of Intelligence and Security (MOIS).

As part of the attack, the threat actor deployed a custom RAT dubbed Darkcomp (Game.exe), which supports command execution, file manipulation, and persistent shell execution.

The backdoor is signed with a certificate linked to MuddyWater’s previous operations and uses a command-and-control (C&C) domain also associated with the Iranian threat actor. The social engineering tactic and the malware execution flow are also consistent with previously observed MuddyWater activity.

“The convergence of technical and contextual evidence is consistent with attribution to MuddyWater with moderate confidence. The observed use of Chaos ransomware does not indicate a shift in the group’s underlying objectives, but rather reflects a consistent effort to obscure operational intent and complicate attribution,” Rapid7 notes.
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek