Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
"The software company is a supplier to the defense and aerospace industries, among others, and has a presence in Israel, with the company's Israel operation seeming to be the target in this activity. The attacks targeting the software company, as well as a U.S. bank and a Canadian non-profit, have been found to pave the way for a previously unknown backdoor dubbed Dindoor, which leverages the Deno JavaScript runtime for execution."
"Also found in the networks of a U.S. airport and a non-profit was a separate Python backdoor called Fakeset, which was downloaded from servers belonging to Backblaze, an American cloud storage and data backup company. The digital certificate used to sign Fakeset has also been used to sign Stagecomp and Darkcomp malware, both previously linked to MuddyWater."
"While this malware wasn't seen on the targeted networks, the use of the same certificates suggests the same actor -- namely Seedworm -- was behind the activity on the networks of the U.S. companies. Iranian threat actors have become increasingly proficient in recent years."
MuddyWater, an Iranian hacking group affiliated with the Ministry of Intelligence and Security, has embedded itself in the networks of multiple U.S. organizations, including banks, airports, non-profits, and a software company with Israeli operations. The campaign began in early February, with activity increasing after U.S. and Israeli military strikes on Iran. The attackers deployed two previously unknown backdoors: Dindoor, which uses the Deno JavaScript runtime for execution, and Fakeset, a Python backdoor downloaded from Backblaze servers. Evidence also suggests data exfiltration attempts using the Rclone utility to send data to Wasabi cloud storage. Digital certificate analysis linking Fakeset to previously identified MuddyWater malware confirms that the same threat actor was involved across the targeted organizations.
Read at The Hacker News