At a glance.
- Cybercriminals react to REvil arrests.
- Iran's Moses Staff attempts to damage Israeli companies.
- MuddyWater targets Turkey.
Cybercriminals react to REvil arrests.
Digital Shadows notes that the arrest of several alleged REvil members by the Russian government appears to have shaken Russian cybercriminals' confidence that they won't be prosecuted so long as they avoid victims in Russia and the other CIS states. Criminals have been discussing the possibility of prison time on underground forums, mulling whether it would be better to serve time in Russia or the US. Some crooks believe that prison in Russia is harsher, but that their terms would be shorter than if they were extradited to the US (and some users pointed out that, once arrested, they may not get to choose where they end up in prison). Others believe that they won't be arrested in Russia if they continue operating as usual. Still others recommend improved operational security, so that they won't end up on Russian law enforcement's radar in the first place.
In any case, Digital Shadows concludes that "[t]he recent arrests have certainly got users worried."
Iran's Moses Staff attempts to damage Israeli companies.
Researchers at Cybereason are tracking an Iranian threat actor called "Moses Staff" that's primarily targeting Israeli companies with a previously unobserved Trojan dubbed "StrifeWater." The threat actor then steals and leaks sensitive data, and deploys ransomware for purely destructive purposes:
"The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies by leaking sensitive, stolen data. Aside from Israel, which appears to be the main target of the group, Moses Staff was observed targeting organizations in other countries, including Italy, India, Germany, Chile, Turkey, UAE, and the US. The group targets a variety of industries, among them Government, Finance, Travel, Energy, Manufacturing, and the Utilities industry... Normally, once the group infiltrates an organization and steals sensitive data, they deploy ransomware to encrypt the infected machines. Unlike financially motivated cybercrime ransomware groups who encrypt the files as leverage for ransom payment, the encryption of the files in the Moses Staff attacks serves two purposes: inflicting damages by disrupting critical business operations, and covering the attackers' tracks. The end goal for Moses Staff appears to be more politically-motivated rather than financial. Analysis of the group's conduct and operations suggests that Moses Staff leverages cyber espionage and sabotage to advance Iran's geopolitical goals by inflicting damage and spreading fear."
Cybereason has also published research on a new PowerShell backdoor being used by Phosphorus, another Iranian threat actor (also known as Charming Kitten or APT35). The backdoor, called "PowerLess," is being used in cyberespionage attacks. The researchers also found ties between Phosphorus and the previously unattributed Memento ransomware.
MuddyWater targets Turkey.
Cisco Talos says the Iranian threat actor MuddyWater has been conducting two separate cyberespionage campaigns against government entities in Turkey. US Cyber Command last month attributed MuddyWater to Iran's Ministry of Intelligence and Security. Cisco Talos says the threat actor is using spearphishing emails posing as the Turkish Health and Interior Ministries:
"Talos recently observed a campaign operating as recently as November 2021, which we attribute with high confidence to the MuddyWater group, targeting Turkish government entities, including the Scientific And Technological Research Council of Turkey — Tubitak. This campaign consisted of the use of malicious excel documents (XLS maldocs) and executables stored on a file hosting domain "snapfile[.]org", which would be delivered to the victims in the form of PDF documents with embedded links.
"These maldocs, hosted on attacker-controlled or public media-sharing websites are downloaded by malicious PDFs meant to trick the targets into downloading and opening the maldocs. Based on historic evidence of similar campaigns conducted by MuddyWater, it is highly likely that these PDFs served as the initial entry points to the attacks and were distributed via email messages as part of spear-phishing efforts conducted by the group."
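The chain Talos describes starts with a PDF whose embedded link fetches the XLS maldoc from the hosting domain. A mail gateway or triage script can catch that stage by pulling every /URI action out of a PDF attachment and checking the host against a watchlist. The following is an added example, not Talos's tooling or code from the campaign: it scans raw PDF bytes for /URI link targets (literal and hex strings), refangs the defanged indicator from the writeup, and flags matching hosts. The sample PDF is constructed here; the path under snapfile[.]org and the second benign link are invented for illustration.

```python
import re
from urllib.parse import urlsplit

# Watchlist in defanged form, as IOCs are usually shared. Only the hosting
# domain named in the Talos writeup is included; anything else is hypothetical.
IOC_HOSTS = {"snapfile[.]org"}

# Matches "/URI" followed by a PDF literal string "(...)" (with backslash
# escapes) or a hex string "<...>". Only uncompressed objects are visible here.
_URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (snapfile[.]org, hxxp://) back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal "(...)" or hex "<...>" string token to text."""
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", tok[1:-1])
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = tok[1:-1]
    # Unescape the common literal-string escapes: \( \) \\
    body = re.sub(rb"\\([()\\])", rb"\1", body)
    return body.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw (unpacked) PDF bytes."""
    return [_decode_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def flag_uris(pdf_bytes: bytes, ioc_hosts=IOC_HOSTS) -> list[str]:
    """Return the URIs whose host is, or is a subdomain of, a watchlisted host."""
    watch = {refang(h).lower() for h in ioc_hosts}
    hits = []
    for uri in extract_uris(pdf_bytes):
        host = (urlsplit(uri).hostname or "").lower()
        if host in watch or any(host.endswith("." + w) for w in watch):
            hits.append(uri)
    return hits


# Constructed sample: a one-page PDF with two link annotations. The first
# points at the watchlisted host (path invented), the second is a benign
# hex-encoded URL ("https://example.com/") to show the second string form.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://snapfile.org/downloads/report.xls) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print("link:", uri)
    for uri in flag_uris(SAMPLE_PDF):
        print("FLAGGED:", uri)
```

The regex approach only sees strings in uncompressed objects; real PDFs often place annotations inside FlateDecode object streams, so a production check should first inflate streams with a PDF library and then apply the same host comparison to the recovered strings. Matching on the host rather than the full URL is deliberate, since the path on the hosting domain is the part the attacker can change cheapest.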