Symantec researchers have uncovered extensive insights into a cyber espionage group behind a recent series of cyber attacks designed to gather intelligence on targets spread primarily across the Middle East as well as in Europe and North America.
The group, which we call Seedworm (aka MuddyWater), has been operating since at least 2017, with its most recent activity observed in December 2018.
Analysts in our DeepSight Managed Adversary and Threat Intelligence (MATI) team have found a new backdoor, Backdoor.Powemuddy, new variants of Seedworm’s Powermud backdoor (aka POWERSTATS), a GitHub repository used by the group to store their scripts, as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network.
Tracking an Attack’s Footprints
In September 2018, we found evidence of Seedworm and the espionage group APT28 (aka Swallowtail, Fancy Bear), on a computer within the Brazil-based embassy of an oil-producing nation. Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.
We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network. We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded. DeepSight MATI customers can leverage these unique insights to combat emerging cyber threats.
Seedworm’s motivations are much like many cyber espionage groups that we observe—they seek to acquire actionable information about the targeted organizations and individuals. They accomplish this with a preference for speed and agility over operational security, which ultimately led to our identification of their key operational infrastructure.
Tactics and Tools
Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor’s interests. During the operations, the group used tools consistent with those leveraged during past intrusions including Powermud, a custom tool used by the Seedworm group, and customized PowerShell, LaZagne, and Crackmapexec scripts.
The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location. The Seedworm group is the only group known to use the Powermud backdoor.
After compromising a system, typically by installing Powermud or Powemuddy, Seedworm first runs a tool that steals passwords saved in users’ web browsers and email, demonstrating that access to the victim's email, social media, and chat accounts is one of their likely goals. Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group.
Since its existence first came to light, we’ve seen Seedworm modify the way it operates. Since early 2017, they have continually updated their Powermud backdoor and other tools to avoid detection and to thwart security researchers analyzing the tools. They’ve also used GitHub to store malware and a handful of publicly available tools, which they then customize to carry out their work.
We have identified multiple online accounts that are likely associated with actors behind the Seedworm operations. The first finding was a public Github repository containing scripts that very closely match those observed in Seedworm operations. An additional link was then made to a persona on Twitter with similar profile data. This Twitter account follows numerous security researchers, including those who have written about the group in the past as well as developers who write the open-source tools they use.
These accounts are likely controlled by the Seedworm group. The Github repository contains a PowerShell script that has been run on victim hosts in activity attributed to Seedworm; there are also numerous Crackmapexec PowerShell commands that match victim host activity.
Choosing to rely on publicly available tools allows Seedworm to quickly update their operations by using code written by others and applying only small customizations. And they appear to adopt some of the most effective and capable tools, several of which—for these reasons—are also used by red team organizations.
Targets and Timeline
We analyzed data on 131 victims that were compromised by Seedworm’s Powermud backdoor from late September to mid-November 2018.
Observed Seedworm victims were located primarily in Pakistan and Turkey, but also in Russia, Saudi Arabia, Afghanistan, Jordan, and elsewhere. Additionally, the group compromised organizations in Europe and North America that have ties to the Middle East.
Additionally, during our analysis of Powermud victims, we were able to identify the probable industry sector for 80 of the 131 unique victims. The telecommunications and IT services sectors were the main targets. Entities in these sectors are often "enabling victims" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise. Successfully compromising victims in these two industries provides additional clues about the sophistication and skills of the Seedworm group.
The next most common group of victims was in the oil and gas sector. All 11 victims in this group belong to one Russian firm that is active in the Middle East. Only one of these 11 victims was physically located in Russia; the rest were spread out across North America, the Middle East, Africa, and Asia.
Universities and embassies were the next most common targets. The universities were in the Middle East and the embassies were primarily based in Europe representing Middle East countries. Two major non-governmental organizations (NGOs) were also compromised; we identified seven victims who worked within these global public health organizations.
Symantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools and techniques..
The following protections are in place to protect customers against Seedworm attacks:
- System Infected: W97M.Downloader Activity 44
- Web Attack: Malicious Shell Script Download 4
- System Infected: Trojan.Backdoor Activity 243
Indicators of Compromise
The following indicators are specific to Seedworm:
- 188.8.131.52 IP used for reverse shell C&C
- 184.108.40.206 Powemuddy/Powermud delivery IP
- 220.127.116.11 Powemuddy C&C
- 18.104.22.168 Powemuddy C&C
- 22.214.171.124 former Powemudddy C&C
- 126.96.36.199 Powemuddy C&C
- 188.8.131.52 Powemuddy C&C
|488723b8e56dbaac8ccdc79499037d5f||dopass.exe, dodo.exe||Browser credential theft tool|
|837eaad1187fe9fbf91f9bc7c054f5d9||dopass.exe||Browser credential theft tool|
|ddba713c20c232bcd60daf0ffabeffb8||nt.exe, rc.exe||Browser credential theft tool|
|8e94d1cb1ec6ea5b2c29353eb7bb5787||nt.exe, rc.exe||Browser credential theft tool|
|f8902df9fe49a04f101d0bfb41a33028||losi.exe||Browser credential theft tool|
|9bea3eb68ea0c215a17fa69f632d9020||gg.exe, dadi.exe, losi.exe||Browser credential theft tool|