An Iranian state-sponsored hacking group known as MuddyWater has been found deploying ransomware to hide intrusions in its recent attacks, according to a report. Researchers from ClearSky and Profero, two cybersecurity firms, have released a report linking a recent ransomware attack campaign to the MuddyWater group. The attack campaign was identified in September this year and has been named ‘Operation Quicksand’. According to the report from ClearSky and Profero, ‘Operation Quicksand’ was designed to target many prominent organisations in Israel and around the world.
Linking Operation Quicksand to MuddyWater, the report said that during the campaign the group tried to install a variant of the ‘PowGoop’ payload, which loads a variant of the Thanos ransomware on an infected system. The ‘PowGoop’ payload disguises itself as the Google Update DLL in order to release Thanos ransomware on infected machines. The report assessed MuddyWater’s attempts to carry out destructive attacks using ransomware disguised in this way. “In ‘Operation Quicksand’ we uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organisations in Israel and in other countries around the world,” the report said.
The report further identified two primary attack vectors. The first vector involved sending a malicious decoy document (PDF or Excel) via phishing emails. The document would download malicious files, including the ‘PowGoop’ payload, onto the infected system.
The second attack vector involves exploiting the CVE-2020-0688 vulnerability in unpatched Microsoft Exchange software. By exploiting CVE-2020-0688, the attacker deploys the same malicious payload via an .aspx file (a web shell). The attacker then creates internal socket tunneling between the compromised machines in a network, allowing all the infected machines to move data from one network to another.
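As an added defensive illustration, not part of the ClearSky/Profero report or this article: the second vector drops a web shell as an .aspx file on the Exchange server, so one practical hunt is to baseline the server-side script files under the Exchange web root and flag anything that appears or changes afterwards. The script below is example code written for this page; the directory layout, file names and contents are constructed, and the planted path `owa/auth/update.aspx` is a made-up name, not an indicator taken from the report.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Server-side script types that IIS will execute if dropped into a served directory.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the hash of every server-side script under root: the 'known good' state.

    In practice this is taken right after patching/deploying, before exposure.
    """
    baseline: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def find_webshell_candidates(root: Path, baseline: dict[str, str]) -> list[dict]:
    """Return scripts that are new since the baseline or whose content changed.

    Both cases are how a dropped web shell shows up: a new file, or a legitimate
    page that has been appended to. Results are sorted by path for stable output.
    """
    findings: list[dict] = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        if rel not in baseline:
            reason = "new script not in baseline"
        elif baseline[rel] != digest:
            reason = "baseline script modified"
        else:
            continue
        findings.append({"path": rel, "sha256": digest, "reason": reason})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list[dict]:
    """Constructed scenario: baseline a fake Exchange web root, then plant two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for legitimate Exchange pages (names only loosely resemble real ones).
        legit = {
            "owa/auth/logon.aspx": '<%@ Page Language="C#" %><!-- constructed legit page -->',
            "ecp/default.aspx": '<%@ Page Language="C#" %><!-- constructed legit page -->',
        }
        for rel, body in legit.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = build_baseline(root)

        # Simulated post-compromise state: one new script appears and one legit page is tampered with.
        # File contents are placeholders, not real web shell code.
        (root / "owa/auth/update.aspx").write_text("<!-- constructed: unknown dropped script -->")
        (root / "ecp/default.aspx").write_text(legit["ecp/default.aspx"] + "<!-- constructed: appended -->")

        return find_webshell_candidates(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['reason']:28} {finding['path']}  {finding['sha256'][:16]}")
```

On a real server you would run `build_baseline` against the Exchange installation's web root (the path depends on the Exchange version and install location) and keep the baseline off-host, then re-run the comparison on a schedule; any hit is a candidate for timeline analysis against IIS logs rather than proof of compromise on its own.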
A report in Cyware Social says that the Iranian hacker group has raised its level of sophistication in the past few years, moving from stealthy intelligence collection to more disruptive and destructive ransomware attacks.