Researchers at Cybereason have identified two separate campaigns being conducted by Iranian threat groups. The first, run by a threat group known as Phosphorus, was seen conducting cyber espionage campaigns against organizations around the world. At the end of the campaign, the group deploys ransomware in an effort to embarrass the victim and cover its tracks. These campaigns begin with a new trojan, which has been named the PowerLess Backdoor, that allows the attackers to operate with a low chance of being detected. Researchers linked the group to the Memento ransomware by analyzing IP addresses used throughout the attacks and finding an overlap with an IP address that also serves as the Command-and-Control (C2) server for the ransomware.
Cybereason also found a link to a second campaign, run by the Moses Staff threat group, which is also backed by Iran. This campaign uses another backdoor, called StrifeWater, which is designed to remove itself from infected machines once it has been replaced by other tools. The main goal of Moses Staff is likewise cyber espionage: its campaigns target various geographic regions around the world depending on the geopolitical situation and are intended to advance Iran’s goals. This attack also attempts to use ransomware as cover.
In both cases, the ransomware deployed at the end of the attacks had no system set up for victims to make contact and attempt to pay a ransom, and there are no plans for releasing a decryption key. These groups rely heavily on vulnerabilities in software that has not been kept up to date. It is recommended to update and patch all software and devices as soon as possible after patches are released. Companies should also work with cyber security professionals to proactively search their systems for any intrusions that may be active on the network. Binary Defense’s Threat Hunting service is an excellent asset to assist with these types of proactive hunting exercises.