Symantec warns of Seedworm Iranian hackers targeting telecoms organizations in North and East Africa

Symantec researchers have revealed that the Iranian espionage group Seedworm, also known as Muddywater, has been actively targeting organizations within the telecommunications sector in Egypt, Sudan, and Tanzania. The malicious activity took place last month using various tools. Notably, the attackers made use of the recently discovered and documented MuddyC2Go infrastructure, as uncovered by Deep Instinct.

Researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity it investigated. The attackers also use the SimpleHelp remote access tool and Venom Proxy, which have previously been associated with Seedworm activity, as well as a custom keylogging tool, and other publicly available and living-off-the-land tools.

Seedworm has been active since at least 2017 and has targeted organizations in many countries, though it is most strongly associated with attacks on organizations in the Middle East. It has been publicly stated that Seedworm is a cyberespionage group that is believed to be a subordinate part of Iran’s Ministry of Intelligence and Security (MOIS).

In the November campaign, researchers observed that most of the activity occurred at one telecommunications organization. The first evidence of malicious activity was a set of PowerShell executions related to the MuddyC2Go backdoor.

“A MuddyC2Go launcher named ‘vcruntime140[dot]dll’ was saved in the folder ‘csidl_common_appdata\javax,’ which seems to have been sideloaded by jabswitch[dot]exe. Jabswitch[dot]exe is a legitimate Java Platform SE 8 executable,” Symantec researchers wrote in a Tuesday blog post. “The MuddyC2Go launcher executed PowerShell code to connect to its command-and-control (C&C) server. It appears that the variables at the beginning of the code are there for the purposes of attempting to bypass detection by security software, as they are unused and not relevant.”

In research released last month, Deep Instinct observed a couple of changes in recent MuddyWater activity. First, archives are now password protected, which is done to evade email security solutions that cannot scan the files inside a password-protected archive. Second, instead of using a remote administration tool through which an operator manually executes a PowerShell script to connect to MuddyWater’s C2, a new executable is now being sent. This executable contains an embedded PowerShell script that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the operator.

The Symantec team identified that right after this execution, attackers launched the MuddyC2Go malware using a scheduled task that had previously been created. “The attackers also used some typical commands related to the Impacket WMIExec hacktool. The SimpleHelp remote access tool was also leveraged, connecting to the 146[dot]70[dot]124[dot]102 C&C server.”

Further PowerShell stager executions occurred, and the attackers also executed the Revsocks tool, the researchers identified. “The attackers also used a second legitimate remote access tool, AnyDesk, which was deployed on the same computer as Revsocks and SimpleHelp, while PowerShell executions related to MuddyC2Go also occurred on the same machine.”

Symantec noted that this organization is believed to have previously been infiltrated by Seedworm earlier in 2023. The primary activity of note during that intrusion was the extensive use of SimpleHelp to carry out a variety of activities, including launching PowerShell, launching a proxy tool, dumping SAM hives, using WMI to get drive info, installing the JumpCloud remote access software, and delivering proxy tools, a suspected LSASS dump tool, and a port scanner.

During that intrusion, it’s believed the attackers used WMI to launch the SimpleHelp installer on the victim’s network. At the time, this activity couldn’t be definitively linked to Seedworm, but this subsequent activity appears to show that the earlier activity was carried out by the same group of attackers.

“In another telecommunications and media company targeted by the attackers, multiple incidents of SimpleHelp were used to connect to known Seedworm infrastructure,” Symantec detailed. “A custom build of the Venom Proxy hacktool was also executed on this network, as well as the new custom keylogger used by the attackers in this activity.”

In the third organization targeted, Venom Proxy was also used, in addition to AnyDesk and suspicious Windows Scripting Files (WSF) that have been associated with Seedworm activity in the past.

The team said that “the most interesting part of the toolset used in this activity is probably the presence of the MuddyC2Go launcher, which was sideloaded by jabswitch[dot]exe.”

Symantec has identified that Seedworm has shown a consistent interest in telecommunications organizations, a common focus for many cyberespionage groups. However, its strong focus on African organizations in this campaign is notable: while it has been known to target organizations in Africa in the past, it generally focuses primarily on organizations in the Middle East. That one of the victim organizations in this campaign is based in Egypt is also of note given Egypt’s proximity to Israel, a frequent target of Seedworm.

“Seedworm appears to remain focused on using a wide array of living-off-the-land and publicly available tools in its attack chains, no doubt in an effort to remain undetected on victim networks for as long as possible,” the researchers revealed. “However, its recent wider adoption of new C&C infrastructure in the form of MuddyC2Go is notable and shows that the group continues to innovate and develop its toolset when required in order to keep its activity under the radar.”

While the group uses a lot of living-off-the-land and publicly available tools, it is also capable of developing its own custom tools, such as the custom build of Venom Proxy and the custom keylogger used in this campaign. The group still makes heavy use of PowerShell and PowerShell-related tools and scripts, underlining the need for organizations to be aware of suspicious use of PowerShell on their networks.
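As an added example (not code from Symantec’s report), the Python sketch below turns the behaviours described in this article into detection logic: the vcruntime140.dll sideload by jabswitch.exe from a ProgramData folder, PowerShell spawned by that process, and the SimpleHelp connection to the reported C&C address. The events are constructed Sysmon-style records, and the field names and trusted-directory list are assumptions.

```python
"""Flag Seedworm-style activity in constructed Sysmon-like telemetry.

The records in EVENTS are hand-written stand-ins for Sysmon ImageLoad (ID 7),
ProcessCreate (ID 1) and NetworkConnect (ID 3) events; field names are
assumed, not copied from a real log.
"""
from pathlib import PureWindowsPath

# The single C&C address the article reports for the SimpleHelp connection.
KNOWN_C2 = {"146.70.124.102"}

# Directories where a genuine vcruntime140.dll is expected (assumed list).
# A load from anywhere else, e.g. ProgramData\javax, is treated as a sideload.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                    "c:\\program files\\java", "c:\\program files (x86)\\java")

EVENTS = [  # constructed sample telemetry, two malicious-looking, two benign
    {"id": 7, "Image": r"C:\Program Files\Java\jre8\bin\jabswitch.exe",
     "ImageLoaded": r"C:\ProgramData\javax\vcruntime140.dll"},
    {"id": 7, "Image": r"C:\Program Files\Java\jre8\bin\jabswitch.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll"},
    {"id": 1, "ParentImage": r"C:\Program Files\Java\jre8\bin\jabswitch.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"id": 3, "Image": r"C:\Users\Public\remote.exe",  # placeholder path
     "DestinationIp": "146.70.124.102"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def classify(event):
    """Return a finding string for a suspicious event, or None if benign."""
    eid = event["id"]
    if (eid == 7 and _basename(event["Image"]) == "jabswitch.exe"
            and _basename(event["ImageLoaded"]) == "vcruntime140.dll"
            and not _parent_dir(event["ImageLoaded"]).startswith(TRUSTED_DLL_DIRS)):
        return f"possible DLL sideload: {event['ImageLoaded']}"
    if (eid == 1 and _basename(event["ParentImage"]) == "jabswitch.exe"
            and _basename(event["Image"]) in ("powershell.exe", "pwsh.exe")):
        return f"jabswitch.exe spawned {_basename(event['Image'])}"
    if eid == 3 and event["DestinationIp"] in KNOWN_C2:
        return f"connection to known Seedworm C&C {event['DestinationIp']}"
    return None


def scan(events):
    """Return the findings for a batch of events, in input order."""
    return [finding for finding in map(classify, events) if finding]
```

Running `scan(EVENTS)` yields three findings: the ProgramData sideload, the PowerShell child of jabswitch.exe, and the C&C connection; the System32 load and the notepad launch are not flagged.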

Earlier this week, Iran accused a hacking group with alleged ties to Israel of carrying out a cyber attack that resulted in service disruptions at petrol stations throughout the country on Monday. The Israeli hacker group Gonjeshke Darande or Predatory Sparrow also claimed responsibility for hacking Iran’s gas stations.
