These hackers are hitting victims with ransomware in an attempt to cover their tracks

Cyber-espionage campaigns linked to the Iranian government are using new malware to secretly snoop around networks, and then drop malware to hide any trace of activity.
Written by Danny Palmer, Senior Writer

Iranian hackers are targeting a range of organisations around the world in campaigns that use previously unidentified malware to conduct cyber-espionage actions and steal data from victims – and in some cases, the state-backed attackers are also launching ransomware in a dual effort to embarrass victims and cover their tracks. 

The two separate campaigns have been detailed by cybersecurity researchers at Cybereason, who've attributed the activity to an Iranian hacking group they track as Phosphorusalso known as APT35 and Charming Kitten – along with another Iranian-linked cyber operation, dubbed Moses Staff.

The attacks by Phosphorus have a more 'traditional' approach to cyber espionage, in that they're designed to steal information and conduct operations that run in the interests of Tehran.  

SEE: A winning strategy for cybersecurity (ZDNet special report) 

The group is suspected of being behind multiple espionage campaigns against organisations and individuals in the United States, Europe and the Middle East, as well as attempts to interfere with the US presidential elections.

Now Phosphorus has added a new tool to their arsenal, trojan malware, which researchers have called PowerLess Backdoor, that allows attackers to conduct activity with little chance of being detected.  

Once installed on a compromised machine, PowerLess allows attackers to download additional payloads, and steal information, while a keylogging tool sends all the keystrokes entered by the user direct to the attacker. 

Analysis of PowerLess backdoor campaigns appear to link attacks to tools, techniques and motivations associated with Phosphorus campaigns. In addition to this, analysis of the activity seems to link the Phosphorus threat group to ransomware attacks.  

One of the IP addresses being used in the campaigns also serves as a command and control server for the recently discovered Momento ransomware, leading researchers to suggest there could be a link between the ransomware attacks and state-backed activity. 

"A connection between Phosphorus and the Memento ransomware was also found through mutual TTP patterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware and the Phosphorus group," said the report. 

Cybereason also found a link between a second Iranian hacking operation, named Moses Staff, and additional ransomware attacks, which are deployed with the aid of another newly identified trojan backdoor, dubbed StrifeWater.  

The trojan is used for the initial phases of the attack, before it removes itself after being replaced with other tools. The way StrifeWater removes itself relatively early in the infection process is the reason it hasn't been detailed previously. 

Like Phosphorous, the key aim of Moses Staff is to conduct espionage and steal information "to advance Iran's geopolitical goals" with victims all over the world, including the US, Israel, Germany, Chile, Turkey, and the United Arab Emirates.  

But while the whole point of espionage is usually to stay under the radar, Moses Staff attacks actively deploy a form of ransomware after they've gathered what they need. 

"It's like a scorched earth policy," Assaf Dahan, head of threat research at the Cybereason Nocturnus Team, told ZDNet.

The malware attacks in a similar way to ransomware, in that files are encrypted and stolen, but unlike regular ransomware operations, there isn't a ransom demand – the attacks are launched purely with damage in mind. However, the similarity in design to ransomware could draw victims away from suspecting an espionage campaign as they rush to combat what looks like a standard ransomware attack.  

SEE: Why Iranian hacking operations could be a threat to your network

But while it looks like ransomware, those behind it haven't built a backend for accepting a ransom payment, let alone supplying an encryption key. 

"Their main goal is to disrupt business and disseminate fear," said Dahan, describing how Moses Staff attacks, while state-sponsored, also appear to take cues from hacktivism campaigns, with custom graphics and boasts about hacking victims. 

"They tried to appear as activists group operating on behalf of Iranian state interest," he explained, adding: "They have a website and a logo and everything, they say 'hey, it's us' and they're quite verbose and vocal about their mission."

It's thought that both campaigns remain active, but there are actions that organisations can take in an effort to avoid becoming a victim. Key among these is patching software and systems, because the attacks are known to exploit publicly available exploits, including the ProxyShell vulnerabilities in Microsoft Exchange, as well Log4j vulnerabilities. By applying security updates as soon as possible, it reduces the chances of any attackers having time to exploit disclosed vulnerabilities. 

It's also recommended that information security staff and network administrators are proactive in looking for threats, by not only fully understanding their own network and being able to detect if something might be suspicious, but also to keep up to date with intelligence of the latest potential threats so they know what to look for. 

"Be proactive. Don't just wait for an alert to pop because, by the time it pops, it could be too late," said Dahan.


Editorial standards