Posted: 5 Min ReadThreat Intelligence

Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms

Group remains highly active with more than 130 victims in 30 organizations hit since September 2018.

Symantec researchers have uncovered extensive insights into a cyber espionage group behind a recent series of cyber attacks designed to gather intelligence on targets spread primarily across the Middle East as well as in Europe and North America.

The group, which we call Seedworm (aka MuddyWater), has been operating since at least 2017, with its most recent activity observed in December 2018.

Analysts in our DeepSight Managed Adversary and Threat Intelligence (MATI) team have found a new backdoor, Backdoor.Powemuddy, new variants of Seedworm’s Powermud backdoor (aka POWERSTATS), a GitHub repository used by the group to store their scripts, as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network.

Tracking an Attack’s Footprints

In September 2018, we found evidence of Seedworm and the espionage group APT28 (aka Swallowtail, Fancy Bear), on a computer within the Brazil-based embassy of an oil-producing nation. Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.

We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network. We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded. DeepSight MATI customers can leverage these unique insights to combat emerging cyber threats.

Seedworm’s motivations are much like many cyber espionage groups that we observe—they seek to acquire actionable information about the targeted organizations and individuals. They accomplish this with a preference for speed and agility over operational security, which ultimately led to our identification of their key operational infrastructure.

Tactics and Tools

Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor’s interests. During the operations, the group used tools consistent with those leveraged during past intrusions including Powermud, a custom tool used by the Seedworm group, and customized PowerShell, LaZagne, and Crackmapexec scripts.

The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location. The Seedworm group is the only group known to use the Powermud backdoor.

After compromising a system, typically by installing Powermud or Powemuddy, Seedworm first runs a tool that steals passwords saved in users’ web browsers and email, demonstrating that access to the victim's email, social media, and chat accounts is one of their likely goals. Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group.

Shifting Tactics

Since its existence first came to light, we’ve seen Seedworm modify the way it operates. Since early 2017, they have continually updated their Powermud backdoor and other tools to avoid detection and to thwart security researchers analyzing the tools. They’ve also used GitHub to store malware and a handful of publicly available tools, which they then customize to carry out their work.

We have identified multiple online accounts that are likely associated with actors behind the Seedworm operations. The first finding was a public Github repository containing scripts that very closely match those observed in Seedworm operations. An additional link was then made to a persona on Twitter with similar profile data. This Twitter account follows numerous security researchers, including those who have written about the group in the past as well as developers who write the open-source tools they use.

These accounts are likely controlled by the Seedworm group. The Github repository contains a PowerShell script that has been run on victim hosts in activity attributed to Seedworm; there are also numerous Crackmapexec PowerShell commands that match victim host activity.

Choosing to rely on publicly available tools allows Seedworm to quickly update their operations by using code written by others and applying only small customizations. And they appear to adopt some of the most effective and capable tools, several of which—for these reasons—are also used by red team organizations.

Targets and Timeline

We analyzed data on 131 victims that were compromised by Seedworm’s Powermud backdoor from late September to mid-November 2018.

Figure 1. Powermud victims by location
Figure 1. Powermud victims by location

Observed Seedworm victims were located primarily in Pakistan and Turkey, but also in Russia, Saudi Arabia, Afghanistan, Jordan, and elsewhere. Additionally, the group compromised organizations in Europe and North America that have ties to the Middle East.

Figure 2. Middle East Powermud victims
Figure 2. Middle East Powermud victims

Additionally, during our analysis of Powermud victims, we were able to identify the probable industry sector for 80 of the 131 unique victims. The telecommunications and IT services sectors were the main targets. Entities in these sectors are often "enabling victims" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise. Successfully compromising victims in these two industries provides additional clues about the sophistication and skills of the Seedworm group.

Figure 3. Powermud victims by industry
Figure 3. Powermud victims by industry

The next most common group of victims was in the oil and gas sector. All 11 victims in this group belong to one Russian firm that is active in the Middle East. Only one of these 11 victims was physically located in Russia; the rest were spread out across North America, the Middle East, Africa, and Asia.

Universities and embassies were the next most common targets. The universities were in the Middle East and the embassies were primarily based in Europe representing Middle East countries. Two major non-governmental organizations (NGOs) were also compromised; we identified seven victims who worked within these global public health organizations.

Symantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools and techniques..

Protection

The following protections are in place to protect customers against Seedworm attacks:

File-based protection

Network-based protection


Indicators of Compromise

The following indicators are specific to Seedworm:

Network

  • 104.237.233.60 IP used for reverse shell C&C
  • 78.129.222.56 Powemuddy/Powermud delivery IP
  • 78.129.139.148 Powemuddy C&C
  • 31.171.154.67 Powemuddy C&C
  • 46.99.148.96 former Powemudddy C&C
  • 79.106.224.203 Powemuddy C&C
  • 185.34.16.82 Powemuddy C&C

File names

MD5File nameComments
f5dee1f9cd47dc7bae468da9732c862e lisfonservice.exe Powemuddy/Powermud
2ae299e3693518104bf194d6257d5be6 lisfonservice.exe Powemuddy/Powermud
54982c616098f6c6fbc48703922f15f4 Lisfon.exe Powemuddy/Powermud
fa200e715e856550c76f729604ebaf57 lisfon.exe Powemuddy/Powermud
e75443a5e825f69c75380b6dc76c6b50 TestService.exe Powemuddy/Powermud
8e3a42371d7af2c7d0bb4036c9fb0fe3 LisfonService.exe Powemuddy/Powermud
f041f96ed1abdcc84157488aa51b62af Win7LisfonService.exe Powemuddy/Powermud
e6e7661efb60b9aea7969a30e17ace19 svchosts.exe Powemuddy
a750e2885ed3c294de148864723f73e3 svchosts.exe Powemuddy
e2ed0be977ab9e50055337ec8eb0ddf4 la.exe LaZagne
989e9dcc2182e2b5903b9acea03be11d cr.exe Crackmapexec
488723b8e56dbaac8ccdc79499037d5f dopass.exe, dodo.exe Browser credential theft tool
837eaad1187fe9fbf91f9bc7c054f5d9 dopass.exe Browser credential theft tool
ddba713c20c232bcd60daf0ffabeffb8 nt.exe, rc.exe Browser credential theft tool
8e94d1cb1ec6ea5b2c29353eb7bb5787 nt.exe, rc.exe Browser credential theft tool
f8902df9fe49a04f101d0bfb41a33028 losi.exe Browser credential theft tool
9bea3eb68ea0c215a17fa69f632d9020 gg.exe, dadi.exe, losi.exe Browser credential theft tool
35c310a1f88e41e777bc2ac4bc5284d9 osport.exe Reverse shell

About the Author

Symantec DeepSight Adversary Intelligence Team

Managed Adversary and Threat Intelligence (MATI)

Symantec’s managed adversary and threat intelligence (MATI) team of intelligence analysts & researchers are dedicated to understanding the adversary ecosystem and providing insightful customer reports detailing their plans, tactics, tools, and campaigns.