Researchers at Cybereason have identified two separate campaigns being conducted by Iranian threat groups. The first, run by a threat group known as Phosphorus, conducts cyber espionage against organizations around the world. At the end of a campaign, the group deploys ransomware in an effort to embarrass the victim and cover its tracks. These campaigns begin with a new trojan, named PowerLess Backdoor, which allows the attackers to operate with a low chance of being detected. Researchers linked the group to the Memento ransomware by analyzing the IP addresses used throughout the attacks and finding an overlap with an IP address that also serves as the Command-and-Control (C2) server for the ransomware.
Cybereason also found a link to a second campaign, run by the Moses Staff threat group, which is also backed by Iran. This campaign uses another backdoor, called StrifeWater, which is designed to remove itself from infected machines once it has been replaced by other tools. The main goal of Moses Staff is likewise cyber espionage: it targets various geographic regions around the world according to the geopolitical situation in order to advance Iran's interests. This campaign also attempts to use ransomware as cover.