Seedworm, a highly active threat group that is linked to the Iranian government, has been targeting organizations in the Middle East. Many of the attacks linked to Seedworm have made use of the malware known as PowGoop (Downloader.Covic), a newly discovered tool. The overlap in targets led researchers at Symantec to look further and find a connection between the threat actor and the tool. Symantec stated in their research that they can only confirm at medium confidence that the group is linked to the downloader. Attacks were discovered in countries including Turkey, Kuwait, the United Arab Emirates, and Georgia. The espionage group is using its backdoor tools to steal credentials from organizations and create tunnels back to its infrastructure using the open source tools Secure Sockets Funnel (SSF) and Chisel. Other research has shown a loose connection between the threat actor and the ransomware variant known as Thanos. Thanos is an aggressive ransomware that encrypts victim files and also attempts to overwrite the Master Boot Record (MBR) of the infected computer.
Seedworm has been one of the most aggressive and active Iranian threat actors in the past month. The connection between the threat actor and PowGoop has not been 100% confirmed. Any organization that finds evidence of PowGoop, unauthorized SSF or Chisel on their networks should perform a thorough investigation. Binary Defense’s MDR service is a great first step in identifying attacks such as these and mitigating them before they can grow.
IOCs and the full research from Symantec can be found here: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east