Seedworm hacker group launched cyber espionage against various telcos, including in Pakistan and the Middle East.

The Iran-based Seedworm hacker group is behind a new cyberespionage campaign targeting telecommunication and IT service providers in the Middle East, Pakistan, and other regions of Asia. In one case analysed by the researchers, attackers used a ZIP file named “Special discount,” which contained an installer for a remote desktop software application. The malicious archive was likely spread through spear-phishing messages.


The Seedworm hacker group relied on legitimate tools to infect systems

As per Symantec's report, organisations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics.

While the attackers’ identity remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm hacker group. The targeting and tactics have been consistent for the last six months and are linked to a group of hackers reportedly running state-sponsored hacking cells from within Iran.

The mechanism of attack

After breaching a targeted network, the attackers typically attempt to steal credentials and move laterally across the network. They appear to be particularly interested in Exchange Servers, deploying web shells onto them. In some cases, the attackers may be using compromised organisations as stepping stones to additional victims. Furthermore, some targets may have been compromised solely to perform supply-chain-type attacks on other organisations; in most attacks, the infection vector remains unknown.
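The report's observation that the attackers drop web shells onto Exchange Servers suggests a straightforward defensive check: hash the server-side web files of a known-clean Exchange install as a baseline, then flag any executable page that is either absent from that baseline or modified after the last legitimate deployment. The script below is an added example and not code from Symantec or the article; the directory layout, file names (`logon.aspx`, `errorFF.aspx`) and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time

# Extensions IIS will execute server-side; a web shell dropped into an
# Exchange virtual directory (OWA, ECP, Autodiscover) uses one of these.
SERVER_SIDE_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def iter_server_side_files(root):
    for d, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() in SERVER_SIDE_EXTS:
                yield os.path.join(d, f)

def build_baseline(root):
    """Hash every executable web file under a known-clean install."""
    return {sha256_file(p) for p in iter_server_side_files(root)}

def find_webshell_candidates(root, baseline, deploy_ts):
    """Return files whose hash is not in the baseline or whose mtime is
    later than the last legitimate deployment; both warrant triage."""
    return sorted(p for p in iter_server_side_files(root)
                  if sha256_file(p) not in baseline
                  or os.path.getmtime(p) > deploy_ts)

def demo():
    """Constructed example tree, not real Exchange content."""
    root = tempfile.mkdtemp()
    owa = os.path.join(root, "owa", "auth")
    os.makedirs(owa)
    good = os.path.join(owa, "logon.aspx")
    with open(good, "w") as f:
        f.write('<%@ Page Language="C#" %> legitimate page (constructed)')
    baseline = build_baseline(root)
    deploy_ts = time.time()
    os.utime(good, (deploy_ts - 60, deploy_ts - 60))  # shipped before deployment
    # Later, an unbaselined page appears in the same directory.
    bad = os.path.join(owa, "errorFF.aspx")
    with open(bad, "w") as f:
        f.write('<%@ Page Language="C#" %> unexpected page (constructed)')
    os.utime(bad, (deploy_ts + 3600, deploy_ts + 3600))
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in find_webshell_candidates(root, baseline, deploy_ts)]

if __name__ == "__main__":
    print(demo())  # → ['owa/auth/errorFF.aspx']
```

On a real server the baseline would be built from the Exchange installation media or a freshly patched host, and the candidate list fed into the incident-response queue rather than trusted as a verdict.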

The Seedworm hacker group was in the past engaged in widespread phishing campaigns against organisations in Asia and the Middle East in a bid to steal credentials and gain persistence in targets’ networks. The report concluded, “There is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP addresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.”

Source: Pro Pakistani
