Iranian state hacker group linked to ransomware deployments

Amidst rising tensions between Israel and Iran, security researchers fear new escalation.
Written by Catalin Cimpanu, Contributor

Security researchers said they found clues linking recent attacks with the Thanos ransomware to a group of Iranian state-sponsored hackers.

While investigating security incidents at several prominent Israeli organizations, security researchers from ClearSky and Profero said they linked the intrusions to MuddyWater, a known Iranian state-sponsored hacking group.

The intrusions followed similar patterns, with two initial-access tactics observed.

In the first scenario, MuddyWater would send phishing emails carrying malicious Excel or PDF documents that, when opened, would download and install a malware strain from the hackers' servers.

In the second scenario, MuddyWater would scan the internet for unpatched Microsoft Exchange email servers, exploit the CVE-2020-0688 vulnerability, install a web shell on the server, and then download and install the same malware seen before.

But ClearSky says this second-stage malware wasn't just any piece of malicious code, but a strain that has been seen and documented only once before.

Named PowGoop, this PowerShell-based malware had previously been seen only once, in early September, when it was used to install the Thanos ransomware, according to a report from fellow security firm Palo Alto Networks. Other Thanos (or Hakbit) ransomware attacks have relied on different malware to deploy the ransomware, namely the ubiquitous GuLoader, a completely unrelated strain written in Visual Basic 6.0.

In a report shared with ZDNet today, ClearSky says it stopped the intrusions before the attackers could do any harm, but the company is now raising an alarm regarding all past Thanos ransomware incidents.

In an interview this week, ClearSky security researchers told ZDNet they believe MuddyWater would have tried to install the Thanos ransomware as a means to hide their attacks and destroy evidence of intrusions by encrypting files on hacked networks.

The tactic of deploying ransomware to hide intrusions has been used before by other state-sponsored operations and has been well documented.

Past Thanos ransomware attacks now need to be revisited and re-examined for evidence in a new light. Was the attacker a cybercrime group, or was it Iranian state hackers?

The question needs to be asked because Thanos, which is offered as a Ransomware-as-a-Service, is rented on Russian-speaking hacker forums and is believed to be employed by multiple threat groups.

But recent versions of the Thanos ransomware also come with a component that rewrites the computer's MBR and prevents systems from booting. These types of attacks can be extremely disruptive, as systems could be temporarily bricked and might need to be restored from scratch.

ClearSky researcher Ohad Zaidenberg told ZDNet that he believes MuddyWater dipping its toe into ransomware deployments might also be related to the recent mounting political tensions and back-and-forth cyberattacks between Iran and Israel.

MuddyWater has a long history of hacks, but most past operations were geared towards very stealthy intelligence collection. Ransomware, in any form, is not stealthy and can be very destructive, especially when threat actors choose not to honor ransom payments and withhold decryption keys, something that Zaidenberg says could be a possibility, especially when viewed in the current political context.
